2 Replies

    Filters not applied to form-login-page

    Coby Young Newbie


      I am porting a webapp from Weblogic to JBoss that needs all requests to pass through a Filter (for various reasons).

      The webapp uses FORM based authentication. So, when an un-authenticated user requests a secured page, they are forwarded to the form-login-page. However the request to the form-login-page is not passed through the filter.

      For example, my web.xml looks something like this...

       <description>Security contraint for secure pages</description>
       <description>roles with access</description>

      When running the webapp in JBoss, I can see that MyFilter is executed for every request *except* the requests that get intercepted by the security-constraint and forwarded to /login.jsp (the form-login-page).

      Weblogic (8.1) passes the intercepted request through the filter, but JBoss does not.

      Is this a bug with JBoss? Or, is there some other way to make sure a Filter is invoked when a security constraint causes the request to be intercepted by the FORM based login config?


      ps. I'm running this on jboss-4.0.1RC1 w/ jdk 1.4.2

        Re: Filters not applied to form-login-page
          Scott Stark Master

          This is a feature of tomcat. Read this long discussion which concludes that

          I received a clarification from Yutaka Yoshida (lead for the 2.4 spec) with this clarification:

          "In regards to this issue, servlet EG had a consensus that Filter must not be applied for j_security_check. We believe the application component should not be involved in the container-managed security. Although we understand why people are using filter to manipulate the authentication mechanism, it doesn't solve all issues related to the security and must be addressed in a larger scope of the portable authentication mechanism, which I expect to have in the next version of the specification."


          Re: Filters not applied to form-login-page
            Coby Young Newbie

            Thanks for the quick reply, however the issue for my webapp isn't that a Filter is not being applied to j_security_check, it's that the Filter is not being applied to the login-form-page (the page that does a POST to j_security_check).

            Regardless, it sounds like this is a tomcat issue, and not a JBoss issue, so I'll be looking for answers over there.