0 Replies Latest reply on Sep 8, 2006 4:43 AM by wenzelaus

    Automatic redirection after password change in Formbased Aut

    wenzelaus

      Hi,

      this is my first post and I am quite new to JBOSS/J2EE... Here is my issue :)

      I use formbased authentication in my jsf portal. The authentication is send to an own developed loginmodule which then calls a FoxPro webservice and gets back some different messages depending if the password is ok, expired, is wrong and has X numbers of retries. For each message a different exception is thrown by the loginmodule which is then processed by the jsp pages in the frontend jsf gui. E.g. if the password is expired an PassWordExpired exception is thrown by the loginmodule and the logon_error.jsp page (with formbased authentication) then redirects to the passwordchange.jsp page. The change of the password works fine but these pages are not secured by the formbased authentication. That?s why everybody has to enter all credentials (userid, password old, password new x 2) on this passwordchangepage. After the password was changed successfully the user is redirected to a message jsp page showing that everything is ok while changing the password. Then after pressing a button on this page the user should be redirected to the startpage (which is the page that appears after the user logged in successfully). I found a method on the web (see below) which then tries to get the startpage and enters the necessary credentials on the j_security_check page, which the method knows that comes. The method originally was created to just get the content of this page, what works fine, BUT my intention is that the method logs in (via HttpClient class) and the browser recognizes that he is already logged in. And I am afraid this does not happen. So the HttpClient is logged in but the browser is not. SO no matter what I make (redirection directly to the startpage shows then the login page, redirection to the index page which then redirects to the startpage shows the startpage with url index.faces ? I then can enter my search values but get redirected to the login page after pressing the submit button). Everything I make, everything redirects somewhen to the login page... Does somebody have any idea how to solve the problem or how to solve the problem on a different way? I really appreciate any help of you?

      Here the pieces of my code:

      - the method:


      public void getWebPage(String baseServer, String url, String webApp, String tempUserID, String tempPWD) {
      
       //Set Cookie Policy to be generically compatible.
       String url2 = baseServer + url;
       HttpClient client = new HttpClient();
       client.getState().setCookiePolicy(CookiePolicy.COMPATIBILITY);
      
       //Get Method: Request secure page and get redirected to login page
      
       GetMethod authget = new GetMethod(url2);
       try {
       client.executeMethod(authget);
       InputStream responseBody = authget.getResponseBodyAsStream();
       } catch (HttpException httpe) {
       _log.error(httpe.getMessage(), httpe);
       } catch (IOException ioe) {
       _log.error(ioe.getMessage(), ioe);
       }
      
       NameValuePair[] data = new NameValuePair[2];
       data[0] = new NameValuePair("j_username", tempUserID);
       data[1] = new NameValuePair("j_password", tempPWD);
      
       //Post Method: logs into url
       String testURL = (baseServer + webApp + "j_security_check");
       PostMethod authpost = new PostMethod((baseServer + webApp + "j_security_check"));
       authpost.setRequestBody(data);
      
       // commented because causes an exception
       //authpost.setRequestHeader(authget.getRequestHeader("Cookie"));
       authpost.setRequestHeader(authget.getRequestHeader("Host"));
       authpost.setRequestHeader(authget.getRequestHeader("User-Agent"));
      
       try {
       // commented as setFollowsRedirect has no effect
       // no matter if you say true or false
       // info [HttpMethodBase] Redirect requested but followRedirects is disabled appears
       //authpost.setFollowRedirects(true);
       client.executeMethod(authpost);
       //authpost.setFollowRedirects(false);
      
       } catch (HttpException httpe) {
       System.err.println(httpe.getMessage());
       httpe.printStackTrace();
       } catch (IOException ioe) {
       System.err.println(ioe.getMessage());
       ioe.printStackTrace();
       }
       authget.setRequestHeader(authpost.getRequestHeader("Cookie"));
       authget.setRequestHeader(authpost.getRequestHeader("Host"));
       authget.setRequestHeader(authpost.getRequestHeader("User-Agent"));
      
       authpost.releaseConnection();
       authget.releaseConnection();
       }



      - the entry in the faces-config.xml

      <navigation-rule>
       <from-view-id>/*</from-view-id>
       <navigation-case>
       <from-outcome>GermanMoverStartPageRedirect</from-outcome>
       <to-view-id>/germanmoverstartpage.jsp</to-view-id>
       <redirect/>
       </navigation-case>
       </navigation-rule>

      - the method called on the ?password successful changed? page when pressing the ?redirect to start page? button

      public String goGermanMoverIndex() {
       user = gmPasswordUserIDValue.getSubmittedValue().toString();;
       String tempPassword = gmPasswordNew1Value.getSubmittedValue().toString();
       getWebPage("https://WebServer", "/startpage.faces", "/", user, tempPassword);
       return "GermanMoverStartPageRedirect";
       }