1 Reply Latest reply on Sep 19, 2008 2:26 PM by Kevin McIntyre

    Autologin Form Based Authentication with Cookie

    Steven Rock Newbie

      Has anybody been able to get an autologin feature to work? This seems on the surface such a simple issue, but cannot find the answer anywhere.

      I have FORM based authentication configured with a login page. There are a few problems when I try to auto login with a cookie.

      First, I can only supply a j_username and j_password field in my form that posts to j_security_check. If I include any other fields (like a checkbox for autologin [remember me]) it gets lost.

      Secondly if I set the autologin cookie someplace else and when the user wanders back to the site I want to autologin them in. I can create a LoginContext and log them in and get a Principal object and all that but Tomcat still thinks the user isn't authenicated when they go to a protected page because I didn't go through their authenicator.

      What is the correct way of doing this? I was thinking of using javascript to submit the login form automatically when the cookie is present.


      Thanks for any help!

        • 1. Re: Autologin Form Based Authentication with Cookie
          Kevin McIntyre Newbie

          I use this to autologin the first time a user registers...don't know if this helps

          import java.io.IOException;
          import java.util.Iterator;
          
          import javax.servlet.Filter;
          import javax.servlet.FilterChain;
          import javax.servlet.FilterConfig;
          import javax.servlet.ServletException;
          import javax.servlet.ServletRequest;
          import javax.servlet.ServletResponse;
          import javax.servlet.http.HttpServletRequest;
          import javax.servlet.http.HttpServletResponse;
          
          import org.apache.commons.httpclient.Cookie;
          import org.apache.commons.httpclient.HttpClient;
          import org.apache.commons.httpclient.HttpException;
          import org.apache.commons.httpclient.HttpMethod;
          import org.apache.commons.httpclient.HttpState;
          import org.apache.commons.httpclient.HttpStatus;
          import org.apache.commons.httpclient.methods.GetMethod;
          import org.apache.log4j.Logger;
          
          
          /**
           * @web.filter name="autoLoginFilter" display-name="Auto Login Filter"
           * @web.filter-mapping url-pattern="/autologin/*"
           */
          
          public class AutoLoginFilter implements Filter {
          
           private String protectUrl = "http://~";
           private String jsecurityUrl = "http://~";
          
           private static Logger log = Logger.getLogger(AutoLoginFilter.class);
          
           private FilterConfig filterConfig;
          
           public void doFilter(ServletRequest request, ServletResponse response,
           FilterChain chain) {
          
           log.debug("Called doFilter");
          
           try {
          
           HttpServletRequest realrequest = (HttpServletRequest)request;
          
          
           String username = (String)realrequest.getSession().getAttribute("username");
           String password = (String)realrequest.getSession().getAttribute("password");
          
           log.debug("Autologin: " + username);
          
           HttpClient client = new HttpClient();
          
           HttpMethod get = new GetMethod(protectUrl);
          
           HttpState state = new HttpState();
           Cookie cookie = new Cookie(~domain, "JSESSIONID", realrequest.getSession().getId() );
          
           cookie.setPath("/");
          
           log.debug("Cookie: " + cookie.toExternalForm());
           log.debug("Cookie Domain: " + cookie.getDomain());
           log.debug("Cookie Path: " + cookie.getPath());
           log.debug("Cookie Seucre: " + cookie.getSecure());
          
           state.addCookie(cookie);
           client.setState(state);
          
           try {
          
           int statusCode = client.executeMethod(get);
          
           if (statusCode != HttpStatus.SC_OK) {
           log.error("Method failed: " + get.getStatusLine());
           }
          
           } catch (HttpException e) {
           log.error("Fatal protocol violation: " + e.getMessage());
           } catch (IOException e) {
           log.error("Fatal transport error: " + e.getMessage());
           } finally {
           get.releaseConnection();
          
           String form = jsecurityUrl + "?j_username=" + username + "&j_password=" + password;
          
           HttpMethod get2 = new GetMethod(form);
          
           int statusCode2 = client.executeMethod(get2);
          
           log.debug("Autologin Status Code: " + statusCode2);
          
           /*
           uncomment to debug
           byte[] responseBody = get2.getResponseBody();
           log.debug("Response:" + new String(responseBody));
           */
          
           get2.releaseConnection();
          
           }
          
           HttpServletResponse realresponse = (HttpServletResponse)response;
           realresponse.sendRedirect(realrequest.getContextPath() + "/secure");
          
           } catch (IOException io) {
           log.error("IOException:" + io.toString());
           }
          
          
           }
          
           public FilterConfig getFilterConfig() {
           return this.filterConfig;
           }
          
           public void setFilterConfig(FilterConfig filterConfig) {
           this.filterConfig = filterConfig;
           }
          
           public void destroy() {
           }
          
           public void init(FilterConfig arg0) throws ServletException {
           }
          
          }