7 Replies Latest reply on Feb 23, 2011 7:19 AM by jam88yo

    Automatic Login to web app

    cmiles123

      Hello,

      I've searched everywhere and cannot find a definitive answer to this. What I want to be able to do is given a user/pwd combo log in to a web app that is using FORM security via j_security_check.

      Passing the j_username and j_password parameters directly to j_security_check works for other app servers, but for the life of me I cannot get this to work using JBoss. What I want to do is access a secured page directly by bypassing the login page, as I have the credentials already. For instance, I want to programmatically access a secured page via commons-http code.

      Can someone explain exactly what you must do to automatically login to a web app in JBoss given that you already know the credentials?

      Thanks in advance.

        • 1. Re: Automatic Login to web app
          niwhsa

          What is the error you are getting? Please post the stack trace.

          • 2. Re: Automatic Login to web app
            cmiles123

            Hello,

            Thanks for your response.

            You either get a 400 or 404 HTTP error code and as I understand from reading other posts this is because you aren't allowed to access the login page or j_security_check directly. You must access a secured resource and let the normal j2ee mechanics redirect you to the login page.

            So knowing this, I have managed to get automatic login to work using the commons httpclient API. In fact, there are some JBoss testcases that do this already.

            What I'm still struggling with is whether this can be done via JavaScript. We have a java client that launches the browser and accesses secured resources. With other app servers (WebLogic and WebSphere) we just POST directly to j_security_check, passing in the credentials via j_username/j_password via some HTML and JavaScript. This doesn't appear to work under JBoss so I was wanting anyone that has achieved this to outline their methods.

            Thanks

            • 3. Re: Automatic Login to web app
              starksm64

              Form auth cannot be triggered by an arbitrary post. It has to be done in response to the container challenging a request to a secured resource in the context of a newly created session.

              • 4. Re: Automatic Login to web app
                brian.stansberry

                Yes, this can be done in Javascript; we did it at my former employer. I can't remember the exact details (I'm not an AJAX developer), but I believe our login page had the javascript to get the XMLHttpRequest and post back to security check. If we got a 200 from the server we then did a javascript redirect to the original target page.

                The key point was the session cookie that the browser already had was automatically presented back to the server along with any call we made using XMLHttpRequest -- we didn't have to do anything.

                • 5. Re: Automatic Login to web app
                  cmiles123

                  Just to wrap this topic up for the benefit of other people that may need to know this sort of thing. Here's how I solved my issues:

                  1) For authenticating via a Java client using commons httpclient you attempt to access a secured resource first and then post to the j_security_check servlet. You then follow the redirect that is returned at this point.

                  2) For authenticating via Javascript or in my case some JSP page you follow the same path as #1, whereby you attempt to access a secured resource before posting to j_security_check. bstansberry's comment about the AJAX stuff got me past the point that to complete the process you have to make sure the JSESSIONID cookie is retrieved and added to your current session (thank you for that).

                  Now works like a charm, thanks
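
The request order described in reply 5, as an added example that is not part of the original thread: a simplified in-memory JavaScript model of the container's FORM challenge, plus a client that walks it while carrying the session cookie. The `/app/...` paths, the user table, the session ids and the 403 on bad credentials are assumptions made for this sketch, not JBoss code or exact JBoss behaviour.

```javascript
// Simplified model of container FORM auth as described in this thread.
// Constructed for illustration: paths, users and session ids are made up.
const USERS = new Map([["alice", "s3cret"]]);   // constructed credentials
const sessions = new Map();                     // session id -> { savedRequest, user }
let nextId = 1;

function container(req) {                       // req: { method, path, cookie, form }
  let sid = req.cookie, setCookie;
  if (!sessions.has(sid)) {                     // no valid session cookie: start a new session
    sid = "S" + nextId++;
    sessions.set(sid, { savedRequest: null, user: null });
    setCookie = sid;                            // stands in for Set-Cookie: JSESSIONID=...
  }
  const s = sessions.get(sid);
  if (req.path === "/app/j_security_check") {
    // A post that was not preceded by a challenge in this session is rejected.
    if (req.method !== "POST" || !s.savedRequest) return { status: 400, setCookie };
    const f = req.form || {};
    const ok = USERS.has(f.j_username) && USERS.get(f.j_username) === f.j_password;
    if (!ok) return { status: 403, setCookie }; // assumption: real containers show an error page
    s.user = f.j_username;
    const target = s.savedRequest;
    s.savedRequest = null;
    return { status: 302, location: target, setCookie };
  }
  if (req.path.startsWith("/app/secure/")) {
    if (s.user) return { status: 200, body: "secured page for " + s.user, setCookie };
    s.savedRequest = req.path;                  // remember the target, then challenge
    return { status: 200, body: "login form", setCookie };
  }
  return { status: 404, setCookie };
}

// Client: secured resource first, then credentials, then the redirect.
function autoLogin(target, user, password) {
  const challenge = container({ method: "GET", path: target });        // 1. trigger the challenge
  const cookie = challenge.setCookie;                                   //    keep the session cookie
  const auth = container({ method: "POST", path: "/app/j_security_check", cookie,
                           form: { j_username: user, j_password: password } }); // 2. post credentials
  if (auth.status !== 302) return auth;
  return container({ method: "GET", path: auth.location, cookie });    // 3. follow the redirect
}

// What the original question tried: posting with no prior challenge.
function directPost(user, password) {
  return container({ method: "POST", path: "/app/j_security_check",
                     form: { j_username: user, j_password: password } });
}
```
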

                  • 6. Re: Automatic Login to web app
                    siddiqut

                    Hi cmiles123,

                    I have been trying to implement option (using Ajax) without success. Do you have some reference code I could look into?

                    Thank you

                    • 7. Re: Automatic Login to web app
                      jam88yo

                      Hi everyone,

                       

                      I searched for a long time for a trick to break down this JBoss j_security_check mechanism.

                      Please, does someone have a solution?

                       

                      Thanks.