5 Replies Latest reply on Jun 27, 2003 2:42 PM by mv

    Form based auth & context

    svaret

      Hi,

      I want to use form based authentication in my web application. I have a file called Logon.html which is fulfilling the servlet spec with action=j_security_check and the fields j_username and j_password. This file is placed in an unsecured area, in the document root. Logon.html is set as the form-login-page in my web.xml.

      My secured area is located under /pages relative to my document root.

      The first page that the user will see in my app is the page with the login fields present, i.e. Logon.html. However, if I go directly to Logon.html, fill in correct user and password and submit, JBoss says there is no current context.

      It seems that the client has to access a secured page in order to get a context, i.e. a page below my secured area /pages.

      If the first page to be visible to the user only contains a link to a secured page to which a user will get to after a successful login, then there's no problem. The first page can be accessed directly by the user and it can be defined as a welcome page in web.xml.

      But if the first page, which contains the form with the j_security_check-action, is accessed first, the container does not know where to proceed to.

      I solved it by having a file called index.jsp in my document root (unsecured) which contains only a redirect to the after-successful-login page. The form-login-page is named Logon.html and has the j_security_check-action. This page will be displayed when the redirect to the secured page is done.

      Now, when I enter the correct user and password I end up in the 'you-logged-in-successfully'-page.

      Isn't there a more straightforward way of doing this?

      Best regards

      Lasse
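
The layout described in this post, written out as a Servlet 2.3 deployment descriptor. This is an added example, not part of the original post; the role name `app-user`, the error page `/LogonError.html` and the target `/pages/home.jsp` are assumed placeholders. The container presents Logon.html only after it intercepts a request for a protected URL and saves that request as the place to return to, which is why the unsecured index.jsp redirects into /pages first.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- Unsecured entry point in the document root. index.jsp holds only a
       redirect into the secured area, for example:
       <% response.sendRedirect(request.getContextPath() + "/pages/home.jsp"); %>
       home.jsp is a placeholder for the after-successful-login page. -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Everything under /pages requires an authenticated user in the role.
       No http-method element is listed, so the constraint covers all methods. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured pages</web-resource-name>
      <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>app-user</role-name> <!-- assumed role name -->
    </auth-constraint>
  </security-constraint>

  <!-- Logon.html posts j_username and j_password to j_security_check.
       The container serves it in response to a request for /pages/*,
       then forwards to the saved request once the login succeeds. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Logon.html</form-login-page>
      <form-error-page>/LogonError.html</form-error-page> <!-- assumed name -->
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>app-user</role-name>
  </security-role>
</web-app>
```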