2 Replies Latest reply on Sep 3, 2004 5:33 PM by Scott Jourdan

    When does Security Context get Set

    Scott Jourdan Newbie

      Dear friends,

      I have a web application that I am trying to modify and I cannot figure somthing out. On the default page, I check a variable and either redirect to my app.jsp or include my app.jsp into the default page. The app.jsp does the same thing in both cases, but when I immediatly redirect to the app.jsp page, I cannot use any of my EJB's because it says the Security context is not set. But if I simply include the page, everyting works fine.

      This is all after I login via form based login. After login I get sent to the default page and either:
      1. Immediatly redirect to app.jsp - Which gives me No Sercurity Context , or,
      2. Include the app.jsp on the default page with processes and returns text just like I want it to.

      Can someone please tell my why the security context is not being set when I redirect from my default page?


        • 1. Re: When does Security Context get Set
          stueccles Newbie

          I would think its because your app.jsp is not a secured page with security-constraint in the web.xml.

          If the page is not covered with a security-constraint then no active subject is created and then security associations are not set on the thread.

          The thing about J2EE security is your user is actively authenticated on every request to a secure page using the credentials cached from the logon method (and cached subjects in the security manager too)

          If the page is not security constrainted, it doesnt bother authenticating (and hence request.getUserPrincipal() is null...

          Your default page on the other hand probably is secured.

          hope this all helps
          Stuart Eccles

          • 2. Re: When does Security Context get Set
            Scott Jourdan Newbie


            That was exactly it, thank you very much!!