1 Reply Latest reply on Jan 8, 2004 7:35 AM by Wouter Zoons

    Programmaticly call j_security_check

    mthibeau Newbie

      Can you programmaticly call something that has the same effect as j_security_check?

      We are migrating a system from JBoss/Jetty to JBoss/Tomcat. We had a nasty hack in the login.jsp that check the URL that was requested, and if it was in a particular path we forwared to "j_security_check?username=anonymous&password=anonymous". We declared all our public pages secure in the web.xml. This had the effect of logging on the anonymous user with the end user never seeing the login screen. Which worked in Jetty, but now we are trying to find a clean solution to the problem, which is described below.

      We have a large amount of code that is using struts and the present/not present tags checking roles. We also have code in the actions/form that call request.getUserPrincipal().getName(). The web site has content that is public that does not require a log on, and secure content requiring the user to login with their password. With the above hack, even when viewing public non secure content, the anonymous user was logged in, and there always was a user principal in the request.

      The problem is, If there is no user logged in, the <logic:present role="someRole"></logic:present> tag will throw a NullPointerException. Same thing when one calls request.getUserPrincipal().getName().

      I'm trying to find a clean solution that requires the least amound of refactoring. The current thought is, guard the request.getUserPrincipal() call checking for null, and write my own tag to replace the struts tag, that checks to see if there is a principal before checking for a role.

      However, if there is a way to log on my anonymous user programmatically then I don't have to refactor any code. One idea from a recent post is to "hack" the catalina.jar file and edit the Authenticator.properties file and put my own handler for j_security_check. Then hack something together that logs on my anonymous user based on the URL.

      -Matt Thibeau

        • 1. Re: Programmaticly call j_security_check
          Wouter Zoons Newbie

          not sure if this is what you need, but did you consider using the 'UnauthenticatedPrincipal' ?

          this way your struts tags will keep working and this principal is considered an an identity that has not been authenticated (logged in)

          consider the following snippet from login-conf.xml, and see how the unauthenticated principal is named:

          <application-policy name = "jbossmq">

          <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
          flag = "required">
          <module-option name = "unauthenticatedIdentity">guest</module-option>
          <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>


          hope this helps