chekban

Problem with Form Based Authentication (j_security_check)

Hi,

I'm using j_security_check to authenticate my system login and I'm facing a problem with the redirection after verifying the user credentials.

When the user enters an invalid userid and incorrect password, the system will direct to the error page. From the error page it will be redirected to the login page.

When the user enters a valid userid and correct password in the login page, the system hangs at j_security_check. The displayed URL is something like "http://myurl/j_security_check". It fails to direct to the intended Login servlet, with error message "HTTP status 404, The requested resource(j_security_check) is not available"

May I know where the problem lies and how I can resolve this?

Thanks and appreciate your comments/advice.
fargo

OK.

Have you defined the security constraint in the web.xml?

    <security-constraint>
      <display-name>App Security Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>manager</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Form-Based Authentication</realm-name>
      <form-login-config>
        <!-- Both paths must begin with "/" and are relative to the context root -->
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.html</form-error-page>
      </form-login-config>
    </login-config>

    <!-- Security roles referenced by this web application -->
    <security-role>
      <role-name>manager</role-name>
    </security-role>

Hope it helps.

regards,
fargo
chekban

ASKER

I believe the setting in web.xml is OK, because if I log in with the correct username and password, no matter how many times, the login will be successful.
The problem here is after I log in with an incorrect username/password, which invokes the HTTP 403 error page, and am redirected back to the login page, and I log in again with any username/password, the error will happen.

How do you redirect?

Post your code here.

regards,
fargo
chekban

ASKER

<% response.sendRedirect("http://url/login.jsp"); %>
chekban

ASKER

I have to clarify a bit here. Actually the problem happens when the username used is in tomcat-users.xml but does not have the role or privilege to access the page. Those roles are configured in web.xml under <security-constraint><auth-constraint>.

The first time I log in using the username (which is correct, just that it does not have the privilege), the HTTP 403 error page will come out; when I log in again the j_security_check error page will appear.

In my opinion, instead of using response.sendRedirect, use a forward within the app context:

RequestDispatcher dispatcher = request.getRequestDispatcher(relativeForwardingUrl);
dispatcher.forward(request, response);

regards,
fargo
chekban

ASKER

I tried using a normal href to link to the login page; the error still happens. I believe it has nothing to do with the redirect process. The problem lies in the user who does not have the privilege.

If the user doesn't have access privilege then you had better redirect to an error page.

fargo
chekban

ASKER

I do redirect to the error page. But the problem is that after that, when the user logs in (using any username), the j_security_check error will surely come out.

Can you do the following:

1) Try to log in with false authentication.
2) The error page comes up.
3) You must have a link in the error page to go to the login page; press the link and go to the login page.
4) See what the HTTP URL looks like, for example: http://host:port/app/....

I believe the j_security_check action is not pointed to the correct URL.

regards,
fargo
chekban

ASKER

Found that the problem is not how the page is redirected, but the HttpSession. I have to manually invalidate the session; only then does the error not occur...
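
The session invalidation described in the post above, as an added example that is not code from anyone in this thread. It assumes the javax.servlet API; the class name AccessDeniedServlet, the /access-denied mapping and the choice to link back to the context root instead of login.jsp are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Hypothetical handler for the 403 page, registered in web.xml with:
 *   <servlet>/<servlet-mapping> for /access-denied, and
 *   <error-page>
 *     <error-code>403</error-code>
 *     <location>/access-denied</location>
 *   </error-page>
 */
public class AccessDeniedServlet extends HttpServlet {

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // The user authenticated but lacks the required role. Drop the session
        // so the container no longer holds that principal and the next login
        // starts from a clean state. getSession(false) avoids creating one.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Keep the 403 status and stop caches from replaying this page.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/html;charset=UTF-8");

        // Assumption: link to a protected resource rather than login.jsp, so
        // the container presents the login form itself and has a saved
        // request to return to after the j_security_check POST.
        String retryUrl = request.getContextPath() + "/";

        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println("<p>You are not authorized to view this page.</p>");
        out.println("<p><a href=\"" + retryUrl + "\">Log in as a different user</a></p>");
        out.println("</body></html>");
    }
}
```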