2 Replies Latest reply on Sep 3, 2004 5:33 PM by grinch

    When does Security Context get Set

    grinch

      Dear friends,

      I have a web application that I am trying to modify and I cannot figure something out. On the default page, I check a variable and either redirect to my app.jsp or include my app.jsp into the default page. The app.jsp does the same thing in both cases, but when I immediately redirect to the app.jsp page, I cannot use any of my EJBs because it says the Security context is not set. But if I simply include the page, everything works fine.

      This is all after I login via form based login. After login I get sent to the default page and either:
      1. Immediately redirect to app.jsp - which gives me No Security Context, or,
      2. Include the app.jsp on the default page, which processes and returns text just like I want it to.

      Can someone please tell me why the security context is not being set when I redirect from my default page?

      Thanks,
      SJ

        • 1. Re: When does Security Context get Set
          stueccles

          I would think it's because your app.jsp is not a secured page with security-constraint in the web.xml.

          If the page is not covered with a security-constraint then no active subject is created and then security associations are not set on the thread.

          The thing about J2EE security is your user is actively authenticated on every request to a secure page using the credentials cached from the logon method (and cached subjects in the security manager too).

          If the page is not security constrained, it doesn't bother authenticating (and hence request.getUserPrincipal() is null)...

          Your default page on the other hand probably is secured.

          hope this all helps
          Stuart Eccles
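
The configuration difference described in the reply above, as an added example that is not part of the original thread or the poster's actual web.xml. The default page name `/index.jsp`, the role `AppUser` and the login page paths are assumed names. A browser redirect to app.jsp arrives as a new request that is matched against the constraints on its own, while an include is dispatched inside the already authenticated request for the default page.

```xml
<!-- Constructed web.xml fragment; /index.jsp, AppUser and the login page
     paths are assumed names, not taken from the thread. -->
<web-app>
  <!-- Before: only the default page is constrained. A redirect to /app.jsp
       matches no constraint, so the container skips authentication for that
       request and the EJB call runs without a caller identity.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>default page only</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AppUser</role-name>
    </auth-constraint>
  </security-constraint>
  -->

  <!-- After: every page that calls secured EJBs is listed, so a direct
       request to /app.jsp is authenticated from the cached login and
       request.getUserPrincipal() is populated. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>application pages</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
      <url-pattern>/app.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AppUser</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>AppUser</role-name>
  </security-role>
</web-app>
```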

          • 2. Re: When does Security Context get Set
            grinch

            Stuart,

            That was exactly it, thank you very much!!

            -SJ