3 Replies Latest reply on Aug 17, 2006 11:05 AM by Anil Saldanha

    retry fails with form based authentication woth custom login

    Padmaja Pradhan Newbie

      I am using a custom login module which uses a web service to validate a username/password pair, along with form based authentication. Everything works ok for a valid user.
      In the case of a wrong username or password, my error page displays a message with a link back to the login page.
      Even if I enter the correct username/password, and the logs show my webservice returning correct roles, the login does not succeed, i.e. the empty login form is displayed again.
      This does not happen if I reenter the link in the browser address page or open a new browser window.
      The html form has
      <meta http-equiv="Pragma" content="no-cache"> and I have tried invalidating the session as well.

      The logs end with :
      16:32:04,656 DEBUG [RealmBase] Username rps1 has role LOCSRV
      16:32:04,656 DEBUG [AuthenticatorBase] Successfully passed all security constraints
      16:32:04,656 DEBUG [StandardWrapper] Returning non-STM instance

      The login module extends the UsernamePasswordLoginModule class, and overrides the initialize(), getUsersPassword(), validatePassword and getRoleSets() methods. jboss bersion 4.0.2

      Any pointers?

      Thanks in advance

        • 1. Re: retry fails with form based authentication woth custom l
          chris griffith Expert


          One thing that is not completely clear from your description is wether or not the user has actually authenticated to servlet container. Just because the login form is returned does not neccessarily mean authentication did not happen. To be more specific...

          Consider the case when a request is made to login form page direclty. The user fills out the form and submits. If the user authenticated correctly, then the container will redirect user back to originally requested page. Which in this case happens to be the login form.

          So I suggest trying one of two things. Either add some temporary code to your login form (jsp) to display something if user is authenticated (i.e. request.getUserPrincipal()). Or create and secure another page (well call it main). Then request main. If user has not authenticated, they should be forwarded to login form. Once authenticated, user should be forwarded back to main.


          • 2. Re: retry fails with form based authentication woth custom l
            Padmaja Pradhan Newbie

            Dear cgriffith

            A million thanks for pointing me in the right direction. I was indeed pointing the container to the login form even when user was authenticated.

            I was using sendRedirect () in my error page to go back to the login form. Once I changed that to jsp:forward , things work perfectly.


            • 3. Re: retry fails with form based authentication woth custom l
              Anil Saldanha Master

              Don't mess with the form auth setup (do not deal with form login page or error page via redirects etc in your application). Your job is to just configure it in web.xml or change the look and feel of the login/error pages.