8 Replies Latest reply on Oct 15, 2002 1:44 PM by Brad Leupen

    j_security_check

    Emily Newbie

      Hi,

      I'm trying to implement simple authorization in my webapp using JBoss 4.0.0alpha. I've got it working with j_security_check, but it's awfully sketchy. Does anyone actually use j_security_check in real applications? There seem to be tons of issues with normal actions like hitting the back button or accessing the login page directly (how can you prevent this?) etc. Also how do you implement logging out?

      I think I probably need to create my own login servlets using the DatabaseServerLoginModule, but frankly JAAS has me completely confused. What do I need to do?

      Thanks,
      Emily

        • 1. Re: j_security_check
          Christoph Grimm Newbie

          j_security_check is nothing jboss-specific
          you run into the same kind of problems with standalone web-containers like e.g tomcat.

          it has also nothing to do with the use of jaas.
          jaas is just jboss' way ( and other vendors also do so or will follow ) to handle htis login event.

          that means, you write your login code in form of a jass LoginModule implementation or use one provided by the jboss distro.

          now to the back button problem and the problem of accessing the login page directly:

          our workarround is to run the whole we application in a browser window without navigation and menu bar.
          you can do this via the window.open javascript command.

          Christoph

          • 2. Re: j_security_check
            Emily Newbie

            OK, so if I want to use the DatabaseServerLoginModule, what is a good way to handle login/logout for web applications? The only thing I can think of is storing the LoginContext in the session and accessing it in each servlet, but that's certainly not as clean as doing it with j_security_check, where I was under the impression that JAAS is just working under the hood for you. How do I emulate that behavior?

            Thanks so much,
            Emily

            • 3. Re: j_security_check
              Christoph Grimm Newbie

              to trigger a login:

              start with a page in a non restricted area.
              have a link or button to an other page in a secured area
              ( see servlet spec for details )
              the servlet container will trigger display of your login page and after successfull login it will show the page in the secured area that you pointed to.

              to trigger logout:

              have a link or a button to a jsp page in the non restricted area.
              do a session.invalidate() at the end of this jsp.page

              Christoph

              • 4. Re: j_security_check
                Emily Newbie

                But what if someone bookmarks your login page and tries to login directly? Won't this cause problems since there is nowhere to redirect the user once they are authenticated (You will get a status 400 - invalid direct reference to form login page). It seems to me there should be a default redirect page that one should be able to specify so that people can directly login.

                Emily

                • 5. Re: j_security_check
                  Christoph Grimm Newbie

                  as i already said:

                  a possilbe solution is to run the web-application in a browser window without navigation and menu bar.
                  therefore you need a start page that opens an other page via java-script "window.open"

                  the really mad ones among your users might still try to bookmark the login page via some hotkey, but i think we can live with that.

                  • 6. Re: j_security_check
                    Emily Newbie

                    This is the hack I came up with, if anyone is interested

                    My login.jsp, which is my <form-login-page> starts like this:

                    <%
                    String temp = null;
                    if(session != null){
                    temp = (String)session.getAttribute("beenForwarded");
                    session.removeAttribute("beenForwarded");
                    }
                    if(temp != null && temp.equals("true")){
                    //display this page
                    }else{
                    //redirect to a home page for authenticated users
                    session.setAttribute("beenForwarded", "true");
                    response.sendRedirect("/restricted/success.jsp");
                    %>

                    This allows users to directly access the login.jsp page, for instance if they bookmark it. If they do this, the "beenForwarded" flag has not been set so they are immediately forwarded to /restricted/success.jsp, which as you may guess is a restricted page, so the web container will proceed with the form login process as usual.

                    • 7. Re: j_security_check
                      Emily Newbie

                      my previous post is not showing up, so I am trying again:

                      This is the hack I came up with, if anyone is interested

                      My login.jsp, which is my <form-login-page> starts like this:


                      String temp = null;
                      if(session != null){
                      temp = (String)session.getAttribute("beenForwarded");
                      session.removeAttribute("beenForwarded");
                      }
                      if(temp != null && temp.equals("true")){
                      //display this page
                      }else{
                      //redirect to a home page for authenticated users
                      session.setAttribute("beenForwarded", "true");
                      response.sendRedirect("/restricted/success.jsp");


                      This allows users to directly access the login.jsp page, for instance if they bookmark it. If they do this, the "beenForwarded" flag has not been set so they are immediately forwarded to /restricted/success.jsp, which as you may guess is a restricted page, so the web container will proceed with the form login process as usual.

                      • 8. Re: j_security_check
                        Brad Leupen Newbie

                        here's what we do:

                        1. put everything in a secured area, including the first page that a user should see upon logging in.

                        2. make the root "index.jsp" page nothing more than a one-liner that forwards the request to the "jumping off page" in the secured area.

                        3. rely on the servlet container to display the login screen.

                        This has a number of positive effects, including preventing people from bookmarking the login page and handling page timeouts elegantly (even if the timeout happens on a form submission)

                        -b