8 Replies Latest reply on Oct 15, 2002 1:44 PM by bleupen

    j_security_check

    berkgypsy

      Hi,

      I'm trying to implement simple authorization in my webapp using JBoss 4.0.0alpha. I've got it working with j_security_check, but it's awfully sketchy. Does anyone actually use j_security_check in real applications? There seem to be tons of issues with normal actions like hitting the back button or accessing the login page directly (how can you prevent this?) etc. Also how do you implement logging out?

      I think I probably need to create my own login servlets using the DatabaseServerLoginModule, but frankly JAAS has me completely confused. What do I need to do?

      Thanks,
      Emily

        • 1. Re: j_security_check
          chgrimm

j_security_check is nothing jboss-specific
          you run into the same kind of problems with standalone web-containers like e.g. tomcat.

          it has also nothing to do with the use of jaas.
          jaas is just jboss' way ( and other vendors also do so or will follow ) to handle this login event.

          that means, you write your login code in form of a jaas LoginModule implementation or use one provided by the jboss distro.

          now to the back button problem and the problem of accessing the login page directly:

          our workaround is to run the whole web application in a browser window without navigation and menu bar.
          you can do this via the window.open javascript command.

          Christoph

          • 2. Re: j_security_check
            berkgypsy

            OK, so if I want to use the DatabaseServerLoginModule, what is a good way to handle login/logout for web applications? The only thing I can think of is storing the LoginContext in the session and accessing it in each servlet, but that's certainly not as clean as doing it with j_security_check, where I was under the impression that JAAS is just working under the hood for you. How do I emulate that behavior?

            Thanks so much,
            Emily

            • 3. Re: j_security_check
              chgrimm

              to trigger a login:

start with a page in a non restricted area.
              have a link or button to another page in a secured area
              ( see servlet spec for details )
              the servlet container will trigger display of your login page and after successful login it will show the page in the secured area that you pointed to.

              to trigger logout:

              have a link or a button to a jsp page in the non restricted area.
              do a session.invalidate() at the end of this jsp page

              Christoph

              • 4. Re: j_security_check
                berkgypsy

                But what if someone bookmarks your login page and tries to login directly? Won't this cause problems since there is nowhere to redirect the user once they are authenticated (You will get a status 400 - invalid direct reference to form login page). It seems to me there should be a default redirect page that one should be able to specify so that people can directly login.

                Emily

                • 5. Re: j_security_check
                  chgrimm

                  as i already said:

a possible solution is to run the web-application in a browser window without navigation and menu bar.
                  therefore you need a start page that opens another page via java-script "window.open"

                  the really mad ones among your users might still try to bookmark the login page via some hotkey, but i think we can live with that.

                  • 6. Re: j_security_check
                    berkgypsy

                    This is the hack I came up with, if anyone is interested

                    My login.jsp, which is my <form-login-page> starts like this:

<%
                    // "beenForwarded" is set just before we bounce the browser at a restricted
                    // page; it is consumed (removed) on the very next visit to login.jsp.
                    String temp = null;
                    if (session != null) {
                        temp = (String) session.getAttribute("beenForwarded");
                        session.removeAttribute("beenForwarded");
                    }
                    if (temp != null && temp.equals("true")) {
                        // the container sent us here: fall through and display this page
                    } else {
                        // direct hit (bookmark, typed URL): redirect to a home page for
                        // authenticated users so the container starts the form login itself
                        session.setAttribute("beenForwarded", "true");
                        response.sendRedirect("/restricted/success.jsp");
                        return; // nothing below this scriptlet must be rendered after a redirect
                    }
                    %>

                    This allows users to directly access the login.jsp page, for instance if they bookmark it. If they do this, the "beenForwarded" flag has not been set so they are immediately forwarded to /restricted/success.jsp, which as you may guess is a restricted page, so the web container will proceed with the form login process as usual.

                    • 7. Re: j_security_check
                      berkgypsy

                      my previous post is not showing up, so I am trying again:

                      • 8. Re: j_security_check
                        bleupen

                        here's what we do:

                        1. put everything in a secured area, including the first page that a user should see upon logging in.

                        2. make the root "index.jsp" page nothing more than a one-liner that forwards the request to the "jumping off page" in the secured area.

                        3. rely on the servlet container to display the login screen.

This has a number of positive effects, including preventing people from bookmarking the login page and handling page timeouts elegantly (even if the timeout happens on a form submission).

                        -b
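The web.xml below is an added example, not code from any poster in this thread or from JBoss itself, showing the layout bleupen describes in reply 8 together with the login and logout flow Christoph outlines in reply 3: every application page sits under a constrained path, the public root index.jsp only forwards into it, and the container itself serves the form login page. The path names (/secured/*, /login.jsp, /login-error.jsp), the role name "user" and the realm name are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>form-login-example</display-name>

  <!-- Idle sessions are invalidated by the container after 30 minutes; the next
       request to /secured/* then goes through the login page again, which is the
       "timeout handled elegantly" case from reply 8 (value is an assumption). -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>

  <!-- The root index.jsp is the only public entry point. It contains nothing but
         <jsp:forward page="/secured/home.jsp"/>
       so every visit starts by requesting a protected page. -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Everything under /secured/ requires an authenticated user in role "user".
       The whole application lives here, including the first page shown after login. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- The j_security_check POST carries the password; require TLS so it is
         never sent in the clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM authentication: when an unauthenticated request hits /secured/*, the
       container remembers the requested URL, shows /login.jsp, and after a
       successful POST to j_security_check redirects back to that URL. The two
       login pages live outside /secured/ and nothing in the application links to
       them, so there is no login URL for users to bookmark. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Application</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

With this layout, login.jsp needs only a form that POSTs to `j_security_check` with the fields `j_username` and `j_password` (the names fixed by the servlet spec), and a logout page outside /secured/ calls `session.invalidate()` and then redirects to index.jsp, which forwards into the constrained area and so triggers a fresh login. On JBoss the constraint is enforced by whatever `<security-domain>` the application's WEB-INF/jboss-web.xml names (for example `java:/jaas/myDomain`, an assumed name), and that domain's `application-policy` in login-config.xml is where a DatabaseServerLoginModule would be configured; the web.xml itself stays container-neutral. The caveat from reply 4 still holds: this arrangement removes every reason to bookmark the login page, but a user who bookmarks it anyway and submits the form with no pending request will still see the container's "invalid direct reference to form login page" error.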