2 Replies Latest reply on Nov 18, 2004 3:34 PM by coby

Filters not applied to form-login-page

coby Nov 18, 2004 1:39 PM

Hi,

I am porting a wepapp from Weblogic to JBoss that needs all requests to pass through a Filter (for various reasons).

The webapp uses FORM based authentication. So, when an un-authenticated user requests a secured page, they are forwarded to the form-login-page. However the request to the form-login-page is not passed through the filter.

For example, my web.xml looks something like this...

...
 <filter>
 <filter-name>MyFilter</filter-name>
 <filter-class>MyFilter</filter-class>
 </filter>
 <filter-mapping>
 <filter-name>MyFilter</filter-name>
 <url-pattern>/*</url-pattern>
 </filter-mappnig>
...
 <security-constraint>
 <web-resource-collection>
 <web-resource-name>SecurePages</web-resource-name>
 <description>Security contraint for secure pages</description>
 </url-pattern>/*</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint>
 <description>roles with access</description>
 <role-name>AuthenticatedUsers</role-name>
 </auth-constraint>
 </security-constraint>
 <login-config>
 <auth-method>FORM</auth-method>
 <form-login-config>
 <form-login-page>/login.jsp</form-login-page>
 <form-error-page>/error.jsp</form-error-page>
 </form-login-config>
 </login-config>
...

When running the webapp in JBoss, I can see that MyFilter is executed for every request *except* the requests that get intercepted by the security-contraint and forwarded to /login.jsp (the form-login-page).

Weblogic (8.1) passes the the intercepted request through the filter, but JBoss does not.

Is this a bug with JBoss? Or, is there some other way to make sure a Filter is invoked when a secuirty contraint causes the request to be intercepted the the FORM based login config?

Thanks,
Coby

ps. I'm running this on jboss-4.0.1RC1 w/ jdk 1.4.2

1. Re: Filters not applied to form-login-page

starksm64 Nov 18, 2004 3:02 PM (in response to coby)

This is a feature of tomcat. Read this long discussion which concludes that

I received a clarification from Yutaka Yoshida (lead for the 2.4 spec) with this clarification:

"In regards to this issue, servlet EG had a consensus that Filter must not be applied for j_security_check. We believe the application component should not be involved in the container-managed security. Although we understand why people are using filter to manipulate the authentication mechanism, it doesn't solve all issues related to the security and must be addressed in a larger scope of the portable authentication mechanism, which I expect to have in the next version of the specification. "

http://issues.apache.org/bugzilla/show_bug.cgi?id=21795
Actions
2. Re: Filters not applied to form-login-page

coby Nov 18, 2004 3:34 PM (in response to coby)

Thanks for the quick reply, however the issue for my webapp isn't that a Filter is not being applied to j_security_check, it's that the Filter is not being applied to the login-form-page (the page that does a POST to j_security_check).

Regardless, it sounds like this is a tomcat issue, and not a JBoss issue, so I'll looking for answers over there.

Thanks,
Coby
Actions

Go to original post