2 Replies Latest reply on Dec 14, 2015 11:58 AM by Vineeth V Nair

    Issue with filter redirection

    Vineeth V Nair Newbie

      Hi,

      I have a web application where I am using form authentication to authenticate the user account. After that I have a filter which checks whether the user name is equal to admin, else it redirects to the login error page again. But now if the user submits any login, it navigates to a URL like the one below and a blank page is displayed.

      http://localhost:8080/webapps2/j_security_check

      The login.html is like below.

      <h2>Login Page</h2>
      <br><br>
      <form action="j_security_check" method="post">
          <p><strong>Please Enter Your User Name: </strong>
          <input type="text" name="j_username" size="25"></p>
          <p><strong>Please Enter Your Password: </strong>
          <input type="password" size="15" name="j_password"></p>
          <p>
          <input type="submit" value="Submit">
          <input type="reset" value="Reset">
          </p>
      </form>

      The error.html is like below.

      <h2>Login Incorrect, please log in:</h2>
      <br><br>
      <form action="j_security_check" method="post">
          <p><strong>Please Enter Your User Name: </strong>
          <input type="text" name="j_username" size="25"></p>
          <p><strong>Please Enter Your Password: </strong>
          <input type="password" size="15" name="j_password"></p>
          <p>
          <input type="submit" value="Submit">
          <input type="reset" value="Reset">
          </p>
      </form>

      The filter code is like below.

      // Needs: javax.servlet.*, javax.servlet.http.HttpServletRequest,
      //        javax.servlet.http.HttpSession, java.io.IOException
      @Override
      public void doFilter(ServletRequest req, ServletResponse resp,
              FilterChain chain) throws IOException, ServletException {

          HttpServletRequest request = (HttpServletRequest) req;

          // A principal is present only after the container has already
          // authenticated the caller via j_security_check; unauthenticated
          // requests simply fall through to the chain.
          if (request.getUserPrincipal() != null) {
              boolean result = validateUser(request.getUserPrincipal().getName());
              if (!result) {
                  // getSession(false) returns null if there is no session yet,
                  // so guard it before invalidating.
                  HttpSession session = request.getSession(false);
                  if (session != null) {
                      session.invalidate();
                  }
                  request.logout();
                  // Caveat: error.html posts straight back to j_security_check,
                  // but after a forward there is no container-saved original
                  // request, and how a container handles such a POST is
                  // container-specific.
                  request.getRequestDispatcher("/error.html").forward(req, resp);
                  return;
              }
          }
          chain.doFilter(req, resp);
      }

      The contents of the web.xml file are below.

      <web-app>
        <welcome-file-list>
          <welcome-file>index.html</welcome-file>
        </welcome-file-list>

        <listener>
          <listener-class>com.listener.MyListener</listener-class>
        </listener>

        <filter>
          <filter-name>LoginFilter</filter-name>
          <filter-class>com.Filter.LoginFilter</filter-class>
        </filter>
        <filter-mapping>
          <filter-name>LoginFilter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>

        <!-- Roles -->
        <security-role>
          <description>Any role</description>
          <role-name>*</role-name>
        </security-role>

        <!-- Resource / Role Mapping -->
        <security-constraint>
          <display-name>Area secured</display-name>
          <web-resource-collection>
            <web-resource-name>protected_resources</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
            <description>User with any role</description>
            <role-name>*</role-name>
          </auth-constraint>
        </security-constraint>

        <!-- Login and error pages are reachable without authentication -->
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>Login pages</web-resource-name>
            <url-pattern>/login.html</url-pattern>
            <url-pattern>/error.html</url-pattern>
          </web-resource-collection>
        </security-constraint>

        <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>Tomcat SALES Application</realm-name>
          <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/error.html</form-error-page>
          </form-login-config>
        </login-config>
      </web-app>

      Please let me know what is the issue with my configurations.

        • 1. Re: Issue with filter redirection
          Jay SenSharma Master

          WildFly is behaving correctly. I just tried developing a very simple web application almost similar to yours. I see that it is working as expected and I am not getting any blank page while accessing the application with or without the correct credentials.

           

          I made some very minor changes to your code to make it work as expected. Please find the code in the following repository:

          MiddlewareMagicDemos/WildFly/General/FormBased_Authentication at master · jaysensharma/MiddlewareMagicDemos · GitHub

           

           

          Some additional notes (just to enhance the security a little more):

          Your "web.xml" file also makes your application vulnerable because of the following config:

           

              <web-resource-collection>
                   <web-resource-name>protected_resources</web-resource-name>
                   <url-pattern>/*</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>POST</http-method>
              </web-resource-collection>

          The above will make sure that only requests with HTTP method GET / POST are secured (meaning the user will be asked to present credentials only when they try to access the resources using GET/POST). A user with DELETE/PUT/HEAD/TRACE/OPTIONS is still allowed.

          So you should replace the above with <http-method>*</http-method> to restrict all the methods.

          Similar discussion can be found at: https://developer.jboss.org/wiki/SecureTheJmxConsole


          Regards

          Jay SenSharma
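
          The following is an added example, not part of Jay's reply or of the linked repository, showing how the protected_resources constraint from the original web.xml can be written so that every HTTP method is covered. The Servlet specification defines a <web-resource-collection> with no <http-method> child as applying to all methods, so the first constraint simply drops the two GET/POST lines. The second constraint is defence in depth: with <http-method-omission> it selects every verb other than GET and POST and, through an empty <auth-constraint/>, denies it to everyone, which per the spec overrides any role-granting constraint on the same pattern. <deny-uncovered-http-methods/> is the Servlet 3.1 safety net that rejects any method no constraint covers. The role name, URL patterns and login pages are taken from the original post; the version="3.1" header and the assumption of a Servlet 3.1 container such as WildFly 8 or later are mine.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: hardened security section for the web.xml posted above.
     Assumes a Servlet 3.1 container; the 3.1 schema is required for
     <deny-uncovered-http-methods/> and <http-method-omission>. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- No <http-method> elements: per the Servlet spec this collection now
       covers every method (GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE and
       any custom verb), so all of them require an authenticated caller. -->
  <security-constraint>
    <display-name>Area secured</display-name>
    <web-resource-collection>
      <web-resource-name>protected_resources</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Defence in depth: the application only serves GET and POST, so forbid
       everything else outright. <http-method-omission> selects all methods
       except those listed; an empty <auth-constraint/> means "no role may
       access", and such a constraint overrides role-granting constraints
       that match the same request. -->
  <security-constraint>
    <display-name>Deny every verb other than GET and POST</display-name>
    <web-resource-collection>
      <web-resource-name>unused_methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Login and error pages stay reachable without credentials. The exact
       patterns take precedence over /*, and with no <http-method> listed the
       exclusion covers all methods, so it is not flagged as uncovered. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login pages</web-resource-name>
      <url-pattern>/login.html</url-pattern>
      <url-pattern>/error.html</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- Servlet 3.1: any request whose method is not covered by some constraint
       on its pattern is rejected instead of being served unauthenticated. -->
  <deny-uncovered-http-methods/>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```

          A quick check after deploying is to send, without a session cookie, a PUT or DELETE to any protected path and confirm the container answers with a login redirect or 403 rather than reaching the servlet; with the original GET/POST-only collection the same request is served unauthenticated.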

          • 2. Re: Issue with filter redirection
            Vineeth V Nair Newbie

            Actually you have only one user, admin. So if you enter anything other than admin, the JBoss form authentication only navigates to the error page, and at that time everything works. Also the filter redirection in your code won't get executed, as control will come to it only after authentication, and after authentication the principal will always be admin.

            In my case there are many users, so the j_security_check will work fine. But after that the redirection happens in the filter, and the next submit won't work.