3 Replies Latest reply on Feb 10, 2005 1:11 PM by danl_thompson

    j_security_check in url after login failure

    jobor

      Hello,

      I made a very basic web app with a form logon and JBoss 4.0.1RC2.
      I did not refer to the login.jsp, but things are working normally when asking for e.g. the index.jsp. I get my login.jsp and :-) without j_security_check in the url. When I have a successful logon my secured index.jsp comes up and I do not have the login.jsp in my history via the back button.
      I think something changed after 3.2.x??? (You can even bookmark the login page because the original url doesn't change.)

      But when I mistype my password or username, the error page specified in the <form-error-page> tag comes up. And now the j_security_check shows up in the url.
      Then I go back to the logon page via the back button.
      Then after a successful logon I have a non-existing page in the history of the back or forward button of the browser.
      It also happens if you specify the login.jsp in the <form-error-page> tag.

      The first part is very nice, but I'm asking myself if it is normal for the <form-error-page> behaviour to display j_security_check in the url of the address bar? Should this also work without displaying j_security_check in the url?

      Johan.

        • 1. Re: j_security_check in url after login failure
          danl_thompson

          There IS wackiness here... you are not the crazy one. Different browsers behave differently.

          For example, when you hit a protected resource, JBoss/Tomcat will throw up a login page (if you have it configured this way). And submitting the login page to j_security_check is the correct thing to do, according to the spec. And all the JAAS stuff will get kicked off and the user will be authenticated (or not). And then you will be forwarded to the protected resource that you originally asked for.

          HOWEVER, if you hit the back button you WILL get the login page again. This is just how browsers work. If at this point, you submit the login form you WILL get the 404 j_security_check not found message.

          What you can do is define a custom 404 error page (see web.xml on how to do this) with the following contents... This will catch the 404 and get the user back to the home page.

          <%@ page language="java" %>
          <%@ page isErrorPage="true" %>
          <%
          // This attribute is only set by the container when the page is reached
          // through an <error-page> mapping in web.xml (see the isErrorPage directive above).
          // It is null if someone requests this page directly, so guard against that.
          String request_uri = (String) request.getAttribute("javax.servlet.error.request_uri");

          // Handle stale j_security_check submissions by forwarding to the index page.
          // People will still be confused because they might think they have logged in a second time.
          if (request_uri != null && request_uri.indexOf("j_security_check") >= 0) {
              request.getRequestDispatcher("/").forward(request, response);
              // Stop here: nothing may be written to the response after a forward.
              return;
          }

          // Keep the response short, so the browser can override it if it likes.
          %>
          404 - Page Not Found

          ---------
          This said, the ideal case would be if the user never ever saw the login page unless they needed to be authenticated. However, that's just not how browsers work. The back button always takes you back.

          We have also done lots of work in order to make the login.jsp not cached, so that if the user gets to the login page, it will at least refresh from the server, and maybe we can make an informed decision about how the user got there. However, nothing we've tried works on all browsers... thus the 404 j_security_check seems to be the best fix.

          dt

          • 2. Re: j_security_check in url after login failure
            danl_thompson

            AH HA !!!

            I have written the simplest possible login test application, consisting of a login page, some protected resources, and a way to kill the session (thus forcing a logout).

            When I run it on JBoss 3.2.3 I can always backspace to the login page, and get either a 400 illegal access to login page, or a 404 j_security_check not found.

            But when I run on 3.2.6, I cannot backspace to the login page, and everything works properly.... my advice, if you are still seeing the 404 j_security_check... upgrade to a later JBoss.

            • 3. Re: j_security_check in url after login failure
              danl_thompson

              This might actually solve your problem !!!


              We had this big no-no...
              <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/login.jsp?faile=true</form-error-page>
              </form-login-config>

              Fixed it this way:
              <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/login-failed.jsp</form-error-page>
              </form-login-config>