1 Reply Latest reply on Sep 19, 2008 2:26 PM by Kevin McIntyre

    Autologin Form Based Authentication with Cookie

    Steven Rock Newbie

      Has anybody been able to get an autologin feature to work? On the surface this seems like such a simple issue, but I cannot find the answer anywhere.

      I have FORM based authentication configured with a login page. There are a few problems when I try to auto login with a cookie.

      First, I can only supply a j_username and j_password field in my form that posts to j_security_check. If I include any other fields (like a checkbox for autologin [remember me]) it gets lost.

      Secondly, if I set the autologin cookie someplace else, then when the user wanders back to the site I want to log them in automatically. I can create a LoginContext and log them in and get a Principal object and all that, but Tomcat still thinks the user isn't authenticated when they go to a protected page because I didn't go through its authenticator.

      What is the correct way of doing this? I was thinking of using javascript to submit the login form automatically when the cookie is present.

      Thanks for any help!

        • 1. Re: Autologin Form Based Authentication with Cookie
          Kevin McIntyre Newbie

          I use this to autologin the first time a user registers...don't know if this helps

          import java.io.IOException;
          import java.util.Iterator;
          import javax.servlet.Filter;
          import javax.servlet.FilterChain;
          import javax.servlet.FilterConfig;
          import javax.servlet.ServletException;
          import javax.servlet.ServletRequest;
          import javax.servlet.ServletResponse;
          import javax.servlet.http.HttpServletRequest;
          import javax.servlet.http.HttpServletResponse;
          import org.apache.commons.httpclient.Cookie;
          import org.apache.commons.httpclient.HttpClient;
          import org.apache.commons.httpclient.HttpException;
          import org.apache.commons.httpclient.HttpMethod;
          import org.apache.commons.httpclient.HttpState;
          import org.apache.commons.httpclient.HttpStatus;
          import org.apache.commons.httpclient.methods.GetMethod;
          import org.apache.commons.httpclient.methods.PostMethod;
          import org.apache.log4j.Logger;
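           /**
            * Servlet filter that signs a user in to container-managed FORM authentication
            * without showing the login page. It reads the credentials that earlier code
            * left in the HTTP session, replays them against {@code j_security_check} on
            * behalf of the caller's session, and then redirects to {@code /secure}.
            *
            * <p>The filter never calls {@code chain.doFilter}; every request mapped to it
            * ends in the redirect (or in a logged error).
            *
            * <p>NOTE(review): this design requires the plaintext password to sit in the
            * session until the filter runs. The filter removes it as soon as it has been
            * read; the code that puts it there should do so only immediately before
            * sending the user here.
            *
            * @web.filter name="autoLoginFilter" display-name="Auto Login Filter"
            * @web.filter-mapping url-pattern="/autologin/*"
            */
           public class AutoLoginFilter implements Filter {
               // The three values below are placeholders: the original post redacted the
               // real URLs and cookie domain with "~". Credentials travel over these URLs,
               // so use https:// unless the requests never leave the local host.
               private String protectUrl = "http://~";
               private String jsecurityUrl = "http://~";
               private String cookieDomain = "~";

               private static Logger log = Logger.getLogger(AutoLoginFilter.class);
               private FilterConfig filterConfig;

               /**
                * Performs the automatic login and redirects to the protected area.
                *
                * @param request  the incoming request; must be an {@link HttpServletRequest}
                * @param response the outgoing response; must be an {@link HttpServletResponse}
                * @param chain    unused, the request is always answered with a redirect
                */
               public void doFilter(ServletRequest request, ServletResponse response,
                       FilterChain chain) {
                   log.debug("Called doFilter");
                   try {
                       HttpServletRequest realrequest = (HttpServletRequest) request;
                       HttpServletResponse realresponse = (HttpServletResponse) response;

                       String username = (String) realrequest.getSession().getAttribute("username");
                       String password = (String) realrequest.getSession().getAttribute("password");
                       // Do not keep the plaintext password in the session any longer than
                       // needed: sessions can be persisted or replicated by the container.
                       realrequest.getSession().removeAttribute("password");
                       log.debug("Autologin: " + username);

                       if (username != null && password != null) {
                           performLogin(realrequest.getSession().getId(), username, password);
                       } else {
                           // Without this guard the literal text "null" would be submitted
                           // as a credential. The container's own login form takes over
                           // after the redirect.
                           log.error("Autologin skipped: no credentials in session");
                       }

                       realresponse.sendRedirect(realrequest.getContextPath() + "/secure");
                   } catch (IOException io) {
                       log.error("IOException:" + io.toString(), io);
                   }
               }

               /**
                * Replays the login against the container using the caller's session id.
                *
                * @param sessionId the JSESSIONID of the user's current session
                * @param username  value for {@code j_username}
                * @param password  value for {@code j_password}
                * @throws IOException if the login request itself cannot be sent
                */
               private void performLogin(String sessionId, String username, String password)
                       throws IOException {
                   HttpClient client = new HttpClient();
                   HttpState state = new HttpState();
                   Cookie cookie = new Cookie(cookieDomain, "JSESSIONID", sessionId);
                   // NOTE(review): HttpClient 3.x appears to send only cookies that carry
                   // a path; confirm, and narrow "/" to the context path if possible.
                   cookie.setPath("/");
                   // The pasted listing builds the state and the cookie but never attaches
                   // them (the lines were presumably lost in the paste). Without them the
                   // requests below run in a fresh session and the login has no effect on
                   // the user.
                   state.addCookie(cookie);
                   client.setState(state);

                   // The session id is a bearer credential, so the cookie value itself is
                   // deliberately not logged; only its non-secret attributes are.
                   log.debug("Cookie Domain: " + cookie.getDomain());
                   log.debug("Cookie Path: " + cookie.getPath());
                   log.debug("Cookie Seucre: " + cookie.getSecure());

                   // Step 1: request the protected page so the container records the
                   // pending login for this session. A failure here is logged and the
                   // login is still attempted, as in the original.
                   HttpMethod get = new GetMethod(protectUrl);
                   try {
                       int statusCode = client.executeMethod(get);
                       if (statusCode != HttpStatus.SC_OK) {
                           log.error("Method failed: " + get.getStatusLine());
                       }
                   } catch (HttpException e) {
                       log.error("Fatal protocol violation: " + e.getMessage(), e);
                   } catch (IOException e) {
                       log.error("Fatal transport error: " + e.getMessage(), e);
                   } finally {
                       get.releaseConnection();
                   }

                   // Step 2: submit the credentials. They go in a POST body rather than
                   // in the query string: a URL ends up in access logs and proxy logs,
                   // and string concatenation left the values unencoded, so a username or
                   // password containing '&' or '=' could alter the submitted parameters.
                   PostMethod login = new PostMethod(jsecurityUrl);
                   login.addParameter("j_username", username);
                   login.addParameter("j_password", password);
                   try {
                       int statusCode2 = client.executeMethod(login);
                       // The response body is not logged; the status code is enough to
                       // diagnose a failed login.
                       log.debug("Autologin Status Code: " + statusCode2);
                   } finally {
                       login.releaseConnection();
                   }
               }

               /** Returns the configuration this filter currently holds, or null. */
               public FilterConfig getFilterConfig() {
                   return this.filterConfig;
               }

               /** Replaces the configuration held by this filter. */
               public void setFilterConfig(FilterConfig filterConfig) {
                   this.filterConfig = filterConfig;
               }

               /** Nothing to release: the filter holds no long-lived resources. */
               public void destroy() {
               }

               /** Stores the container-supplied configuration for {@link #getFilterConfig()}. */
               public void init(FilterConfig arg0) throws ServletException {
                   this.filterConfig = arg0;
               }
           }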