2 Replies Latest reply on Nov 18, 2004 3:34 PM by Coby Young

    Filters not applied to form-login-page

    Coby Young Newbie

      Hi,

      I am porting a webapp from Weblogic to JBoss that needs all requests to pass through a Filter (for various reasons).

      The webapp uses FORM based authentication. So, when an un-authenticated user requests a secured page, they are forwarded to the form-login-page. However the request to the form-login-page is not passed through the filter.

      For example, my web.xml looks something like this...

      ...
       <filter>
         <filter-name>MyFilter</filter-name>
         <filter-class>MyFilter</filter-class>
       </filter>
       <filter-mapping>
         <filter-name>MyFilter</filter-name>
         <url-pattern>/*</url-pattern>
       </filter-mapping>
      ...
       <security-constraint>
         <web-resource-collection>
           <web-resource-name>SecurePages</web-resource-name>
           <description>Security constraint for secure pages</description>
           <url-pattern>/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
           <description>roles with access</description>
           <role-name>AuthenticatedUsers</role-name>
         </auth-constraint>
       </security-constraint>
       <login-config>
         <auth-method>FORM</auth-method>
         <form-login-config>
           <form-login-page>/login.jsp</form-login-page>
           <form-error-page>/error.jsp</form-error-page>
         </form-login-config>
       </login-config>
      ...


      When running the webapp in JBoss, I can see that MyFilter is executed for every request *except* the requests that get intercepted by the security-constraint and forwarded to /login.jsp (the form-login-page).

      Weblogic (8.1) passes the intercepted request through the filter, but JBoss does not.

      Is this a bug with JBoss? Or, is there some other way to make sure a Filter is invoked when a security constraint causes the request to be intercepted by the FORM based login config?

      Thanks,
      Coby

      ps. I'm running this on jboss-4.0.1RC1 w/ jdk 1.4.2


        • 1. Re: Filters not applied to form-login-page
          Scott Stark Master

          This is a feature of tomcat. Read this long discussion which concludes that


          I received a clarification from Yutaka Yoshida (lead for the 2.4 spec) with this clarification:

          "In regards to this issue, servlet EG had a consensus that Filter must not be applied for j_security_check. We believe the application component should not be involved in the container-managed security. Although we understand why people are using filter to manipulate the authentication mechanism, it doesn't solve all issues related to the security and must be addressed in a larger scope of the portable authentication mechanism, which I expect to have in the next version of the specification. "



          http://issues.apache.org/bugzilla/show_bug.cgi?id=21795


          • 2. Re: Filters not applied to form-login-page
            Coby Young Newbie

            Thanks for the quick reply, however the issue for my webapp isn't that a Filter is not being applied to j_security_check, it's that the Filter is not being applied to the login-form-page (the page that does a POST to j_security_check).

            Regardless, it sounds like this is a tomcat issue, and not a JBoss issue, so I'll be looking for answers over there.

            Thanks,
            Coby