1. Re: j_security_check in url after login failure
danl_thompson Feb 9, 2005 9:54 AM (in response to jobor)
There IS wackiness here... you are not the crazy one. Different browsers behave differently.
For example, when you hit a protected resource, JBoss/Tomcat will throw up a login page (if you have it configured this way). And submitting the login page to j_security_check is the correct thing to do, according to the spec. And all the JAAS stuff will get kicked off and the user will be authenticated (or not). And then you will be forwarded to the protected resource that you originally asked for.
HOWEVER, if you hit the back button you WILL get the login page again. This is just how browsers work. If at this point, you submit the login form you WILL get the 404 j_security_check not found message.
What you can do is define a custom 404 error page (see web.xml on how to do this) with the following contents... This will catch the 404 and get the user back to the home page.
<%@ page language="java" %>
<%@ page isErrorPage="true" %>
<%@ page import="java.util.*" %>
<%
    // this string is only available if the page is marked as an error page (above)
    String request_uri = (String) request.getAttribute("javax.servlet.error.request_uri");
    // handle j_security_checks by forwarding to the index page.
    // people will still be confused because they might think they have logged in a second time.
    // request_uri is null when this page is requested directly, so check before using it.
    if (request_uri != null && request_uri.indexOf("j_security_check") > 0) {
        request.getRequestDispatcher("/").forward(request, response);
        return; // nothing more to write once the request has been forwarded
    }
    // keep the response short, so the browser can override it if it likes.
%>
404 - Page Not Found
---------
This said, the ideal case would be if the user never ever saw the login page unless they needed to be authenticated. However, that's just not how browsers work. The back button always takes you back.
We have also done lots of work in order to make the login.jsp not cached, so that if the user gets to the login page, it will at least refresh from the server, and maybe we can make an informed decision about how the user got there. However, nothing we've tried works on all browsers... thus the 404 j_security_check seems to be the best fix.
dt
2. Re: j_security_check in url after login failure
danl_thompson Feb 10, 2005 12:42 PM (in response to jobor)
AH HA !!!
I have written the simplest possible login test application, consisting of a login page, some protected resources, and a way to kill the session (thus forcing a logout).
When I run it on JBoss 3.2.3 I can always backspace to the login page, and get either a 400 illegal access to login page, or a 404 j_security_check not found.
But when I run on 3.2.6, I cannot backspace to the login page, and everything works properly.... my advice, if you are still seeing the 404 j_security_check... upgrade to a later JBoss.
3. Re: j_security_check in url after login failure
danl_thompson Feb 10, 2005 1:11 PM (in response to jobor)
This might actually solve your problem !!!
We had this big no no...
<form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login.jsp?faile=true</form-error-page>
</form-login-config>
Fixed it this way
<form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failed.jsp</form-error-page>
</form-login-config>