J_SECURITY_CHECK

Hi to all,
I am using form- based authentication and i am facing a BIG problem.
I have myu login.jsp and the secure content in folder /app.
The authentication works fine.
What i would like to do is to define somewhere a default page that when a user uses the login.jsp to be directed. I don't want to first point to a secure page.
Also, when the user loggs in, the page name remins j_security_check. This is INSANE!!!
Did anyone find a solution for these bugs???

Thank you Frank,
I will try your first suggestion, running the login from WEB-INF

Similar Messages

JSF/JAAS j_security_check for role-based login pages

I'm looking for a way to take the login request after j_security_check is through and invoke logic in a backing bean somewhere to redirect the user (using Faces) to the appropriate view (via an outcome defined in the faces-config.xml, of course) based on the user's role. Is there a "JSF" (i.e. non-filter) way to do this that I'm missing? If not, I suppose I could try a filter if it will work.
I've thought of just going to the same page and displaying different components, but I don't like that a lot, even using subviews. I thought about having two web apps, but find that to be a poor option. I really don't like trusting the user to remember/get a URL right beyond http://xyz.com or something similarly simple, as much to save them from frustration as anything else.
Any ideas would be appreciated. I've scoured forums and Googled all day without much success, so I apologize if this is posted somewhere already. This seems like something that should be pretty simple and I may want to kick myself when I see the answer.

Hi Brian,
I do not believe it is j_security_check's job to check for blank
passwords.
In many security realms, it is "legal" for a user to have a blank
password. j_security_check forwards whatever password was entered so that
even users with blank passwords can be authenticated by the realm on the
backend. For this reason I believe that j_security_check is "doing the
right thing" by just forwarding whatever is presented to it, rather than
having its own logic. It is best if j_security_check just acts as a very
dumb middle man.
If behavior was altered, it is true that your particular problem would be
solved, but then many other people would have a problem with their users
with blank passwords authenticating properly...
Try looking into how to disable anonymous logins on the LDAP end of
things. Hope this helps.
Cheers,
Joe Jerry
brian wrote:
I am using the LDAP Security Realm to authenticate against an iPlanet
Directory Server. All works as expected when a user-id and password
are entered for form-based authentication.
However, when a userid is entered but no password, j_security_check
logs the user in successfully. Aparently, this is correct LDAP
behaviour as anonymous login to the LDAP server is permitted. It seems
that the j_security_check servlet should check for blank passwords
before trying to authenticate against the LDAP server and fail
authentication if this is the case.
Has anyone else experienced this problem?

How to redirect to j_security_check without the form based authentication

Hi,
I am trying to integrate my application authentication to a backend system with the ibm websphere form based authentication. Below is the scenario:
1. when the user clicks on a protected url, the container will redirect the user to the login page.
2. instead of displaying the login page, i would like to automatically redirect the user to j_security_check action. which means that instead of displaying the login.jsp page, the user will automatically be redirected to j_security_check to perform some user authentication, and if successful, the application pages will be displayed.
The reason i want to auto redirect the user to j_security_check is because i am implementing some integration work with a backend system. the user will key in the username/password from another system. once the user is authenticated, the user information will be passed to my system. The login page of my system will not be displayed again, and by using the username value, my system will assume that the user has successfully been authenticated (authentication done by the backend system), and therefore automatically gain authorization to login into my application.
i hope that clarifies my problem.
anyone out there has any solution to my problem?
thanks a lot in advance.

Hi Darren,
Let me explain the whole authentication environment.
There are actually 2 systems in this environment. Let;s call it system A and system B.
System B is actually using the authentication mechanism that i described in my previous message.
A login page will be presented to the user (within system A). User credential is collected and passed to system A to be authenticated. System A will use its own mechanism to authenticate the user.
Once the user is authenticated, system A will pass the user ID to system B. At this point, system B will assume that the user is authenticated and grant authorization to access the application. (system B global security is enabled and implements the form based authentication mechanism) Therefore, at this point, the redirect page (so called login page) will not be displayed to the user, instead it will be automatically redirected to the j_security_check action to execute the customer Ldap Registry class. (ps : eventhough authentication is no longer needed, the flow will still go to Ldap Registry class. A check is done in the Ldap Registry class to skip the authentication, if it is not boot strap login. Only first and only time authentication is done for boot strap login).
In the case a protected url is clicked or invoked by the user directly, the application will redirect the user to the initial login of system A. Otherwise (the url link originates from system A, during the passing of user token to system B), system B will redirect to j_security_check and execute the customer Ldap Registry class.
Based on the above explained scenario, in your opinion, is there any security loopholes? consider that system B no longer perform authentication but only to grant authorization to the user.
Appreciate your advice. Thanks in advance
Anyway, i am using the ibm websphere server. :)

Getting the name of the current user loged in with j_security_check

Is there any method or way of getting the username of the current user
which is logged in via the j_security_check?
thanks

<p>
<strong><font face="courier new,courier" size="2">FacesContext ctx = FacesContext.getCurrentInstance();</font></strong>
</p>
<p>
<strong><font face="courier new,courier" size="2">ExternalContext ectx = ctx.getExternalContext()</font></strong>
</p>
<p>
<strong><font face="courier new,courier" size="2">HttpServletRequest req = (HttpServletRequest)ectx.getRequest()</font></strong>
</p>
<p>
<strong><font face="courier new,courier" size="2">String user = (String) req.getRemoteUser();</font></strong>
</p>
Kuba

Using j_security_check container authentication with JSF

Hi All,
After quite a bit of looking around, we resorted to using a plain login JSP page with a ServletFilter on j_security_check to have container managed authentication in our JSF based web-site using IBM Websphere 5.1
So, basically every other page but the login page is JSF and just the login page is simple JSP with j_username & j_password.
Recently, I started looking in the direction of trying to directly/programmatically invoke j_security_check using URLConnection object. There are various discussions on this on google groups:
1. http://groups-beta.google.com/group/comp.lang.java.programmer/browse_thread/thread/1a2768da559e43ae/243982a33f02ab80?q=URLConnection%20j_security_check&_done=/groups?q=URLConnection%20j_security_check&hl=en&lr=&sa=N&tab=wg&&_doneTitle=Back%20to%20Search&d=&
2. http://groups-beta.google.com/group/weblogic.developer.interest.security/browse_thread/thread/a375370efec24566/b81dc8320bcbc304?q=URLConnection+j_security_check&_done=%2Fgroups%3Fq%3DURLConnection+j_security_check%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg%26&_doneTitle=Back+to+Search&&d#b81dc8320bcbc304
My current code snippet is as follows:     public String submit(){
          String retVal = "";
          String j_username = getUserId().getValue().toString();
          String j_password = getPassword().getValue().toString();
          ExternalContext externalContext = getFacesContext().getExternalContext();
          String jsessionid = ((HttpSession)externalContext.getSession(false)).getId();
          // Only if sanity checks and validations on j_username & j_password pass, proceed further.
          ApplicationParameter.getLogger().debug("Current jsessionid=" + jsessionid);
          ApplicationParameter.getLogger().debug("submitting login details (userId: " + j_username + " & password: " + j_password + ") to /j_security_check ...");
          try {
               URL jSecurityCheckURL = new URL("http://localhost:9080/raweb/j_security_check;jsessionid=0000" + jsessionid + ":-1&j_username=" + j_username + "&j_password" + j_password);
               HttpURLConnection jSecurityCheckURLConnection = (HttpURLConnection)jSecurityCheckURL.openConnection();
               jSecurityCheckURLConnection.setRequestMethod("POST");
               jSecurityCheckURLConnection.setInstanceFollowRedirects(false);
//               jSecurityCheckURLConnection.addRequestProperty("j_username", j_username);
//               jSecurityCheckURLConnection.addRequestProperty("j_password", j_password);
//               jSecurityCheckURLConnection.setRequestProperty("j_username", j_username);
//               jSecurityCheckURLConnection.setRequestProperty("j_password", j_password);
               jSecurityCheckURLConnection.connect();
               ApplicationParameter.getLogger().debug("j_security_check returned: " + jSecurityCheckURLConnection.getResponseCode() + ": " + jSecurityCheckURLConnection.getResponseCode());
               if (null != externalContext) {
                    String remoteUser = externalContext.getRemoteUser();
                    ApplicationParameter.getLogger().debug("Authenticated username: " + remoteUser);
                    HttpServletRequest httpServletRequest = (HttpServletRequest)externalContext.getRequest();
                    Principal principal = httpServletRequest.getUserPrincipal();
                    if (null != principal) {
                         String userName = principal.getName();
                         ApplicationParameter.getLogger().debug("Authenticated username: " + userName);
               } else {
                    ApplicationParameter.getLogger().debug("Unable to obtain Faces ExternalContext and hence the remote user details.");
          } catch (MalformedURLException ex) {
               ApplicationParameter.getLogger().error(ex);
               retVal = "";
          } catch (IOException ex) {
               ApplicationParameter.getLogger().error(ex);
               retVal = "";
          return retVal;
The above code yields the following output:[DEBUG]: (Newlogin.submit:81) - Current jsessionid=H1QMk3TuyW_W8nSPnOtW-xi
[DEBUG]: (Newlogin.submit:82) - submitting login details (userId: skhanna & password: password) to /j_security_check ...
[DEBUG]: (Newlogin.submit:93) - j_security_check returned: 302: 302
[DEBUG]: (Newlogin.submit:97) - Authenticated username: null
Anyone have any idea why j_security_check returns 302 and also the authenticated username seems to be null indicating that the authentication did not go through!
-Sandeep Khanna

Can you help me!
I try this for two days....
Tomcat 5.0.27
I get this:
Current jsessionid=00F61ABF316F9A1676A41A1EA05177B2
Submitting login details (userId: admin & password: admin) to /j_security_check!
java.net.ConnectException: Connection refused: connect
I have this code in backing bean:
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Principal;
import javax.faces.context.ExternalContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
public String commandButton_action()
String retVal = "";
String j_username = inputText1.getValue().toString();
String j_password = this.inputSecret1.getValue().toString();
URL jSecurityCheckURL = null;
HttpURLConnection jSecurityCheckURLConnection = null;
ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
String jsessionid = ((HttpSession)externalContext.getSession(false)).getId();
System.out.println("Current jsessionid=" + jsessionid);
System.out.println("Submitting login details (userId: " + j_username + " & password: " + j_password + ") to /j_security_check!");
try {
jSecurityCheckURL = new URL("http://localhost:9080/raweb/j_security_check;jsessionid=0000" + jsessionid + ":-1&j_username=" + j_username + "&j_password=" + j_password);
jSecurityCheckURLConnection = (HttpURLConnection)jSecurityCheckURL.openConnection();
jSecurityCheckURLConnection.setRequestMethod("POST");
jSecurityCheckURLConnection.setInstanceFollowRedirects(false);
jSecurityCheckURLConnection.connect();
System.out.println("j_security_check returned: " + jSecurityCheckURLConnection.getResponseCode());
//System.out.println("Current jsessionid=" + jsessionid);
if (null != externalContext) {
String remoteUser = externalContext.getRemoteUser();
System.out.println("Authenticated username: " + remoteUser);
HttpServletRequest httpServletRequest = (HttpServletRequest)externalContext.getRequest();
Principal principal = httpServletRequest.getUserPrincipal();
if (null != principal) {
String userName = principal.getName();
System.out.println("Authenticated username: " + userName);
} else {
System.out.println("Unable to obtain Faces ExternalContext and hence the remote user details.");
catch (MalformedURLException ex) {
System.out.println(ex);
jSecurityCheckURL = null;
jSecurityCheckURLConnection = null;
retVal = "";
catch (IOException ex) {
System.out.println(ex);
jSecurityCheckURL = null;
jSecurityCheckURLConnection = null;
retVal = "";
return retVal;
I try all this URL:
http://localhost:8080/jSecurityCheck/j_security_check?jsessionid=" + jsessionid + "&j_username=" + j_username + "&j_password=" + j_password
http://localhost:9080/raweb/j_security_check;jsessionid=0000" + jsessionid + ":-1&j_username=" + j_username + "&j_password=" + j_password
TWO DAYS ..... H E L P M E !!!

How to invoke "j_security_check" in jsf page

Hi,
with ADF security configure in Jdeveloper11.1.1.2, it automatically generate login.html and error.html for form authentication.
I found in login.html, the action for form is "j_security_check", and I try to customize login page with jsf page, but don't know how to invoke "j_security_check" in jsf page, there is no more action attribute within af:form and I cannot find the "j_security_check" in commandButton action Expression Build.
Thanks in advanced.
Best Regards,
Bill

Hi,
you will have to add the login form to the JSf page wrapped in f:verbatim so it shows as part ofthe JSF page. In JSF 1.2 using f:verbatim shoucl not be require, but by experience, better is.
If you develop and deploy on WLS, then chapter 30 of the Fusion Developer Guide has a god solution for you to build a login form in JSF completely
http://download.oracle.com/docs/cd/E15523_01/web.1111/b31974/adding_security.htm#BABDEICH
This does not require j_security_check at all
Frank

Automatic "j_security_check" form login submission question

I've been using J2EE 1.4 declarative security with no problems.
It works great. I define the security constraints to the server and
when the relevant pages are hit the login.jsp page gets invoked
where users can login. I happen to be using Tomcat 5 right now, but again it all works fine.
But now I have to receive http User Login requests from a non-java server and automatically log the user in if they were logged in on the prior server since I support the same User-Ids/Passwords.
My question is simple and may only be an HTML trick. On the login page code specifically for users where I already have their User-Id and Password how do I auto-submit the form without requiring user's to press the "submit" button? For this type of user where I know the UserID and Password I will not have any displayed HTML since the user does not have to do anything. For traditional manual login, I always used the following format with the submit button, but again, now I want to bypass the JSP/JSTL/HTML display and submit automatically (using code) instead of requiring the user to press the submit button.
<form method="POST" action="j_security_check" >
<input type="text" name="j_username" size="8" maxlength="8" />
<input type="password" name="j_password" value="FMTPPSWD" size="8" maxlength="8" />
<input type="submit" value=" Login " />
</form>
Help!
I've already orchestrated the solution in my login.jsp configuration to separate between the JSP Display page supporting manual login (using jsp:forward) and non-display auto-login. So my question is only how do I submit a form programatically without using the submit button?
Thanks.

For the benefit of others here is the JSP/JSTL & javascript solution.
This allowed me to create an automated login and use declarative security ...
The following code requires param.UserID and param.PassWord to be set before it is executed...
<form name="AutoLogin" method="POST" action="j_security_check" >
<input type="hidden" name="j_username" value="<%= request.getParameter("UserID") %>" size="8" maxlength="8" />
<input type="hidden" name="j_password" value="<%= request.getParameter("PassWord") %>" size="8" maxlength="8" />
</form>
<script type="text/javascript" language="JavaScript">
document.AutoLogin.submit();
</script>

Security check, j_security_check, Duke's Bank Application

Hello all! I'm a newbie on j2ee and looking for answer to some thoughts.
When looking at the "Duke's Bank Application" I found that the webclient use a form to authorize the user (logon.jsp), the form post to "j_security_check".
- What is "j_security_check" and where is it defined?
- In deplytool I noticed that the BankWAR have some security settings that are set to "Form Based" and that there are some login-stuff in web.xml but...how does it connect to j_security_check?

I also got the same problem whenever I run the web client, the application client is working just fine. Please help!!!
Thanks,
ace

J_security_check / Error 404

Hi,
I am trying to modify an application that works with Apache and Tomcat server.
I tried to add basic form authentication, but when I enter a login-name/password I get an HTTP 404 Error about the requested page, that it was not found.
Here are my web.xml and logon.jsp files:
======================== web.xml ========================
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"webapps/rosettanet/WEB-INF/web-app_2_2.dtd">
<web-app>

<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>STK</web-resource-name>
<url-pattern>/RnsttHome.jsp</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>customer</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>file</realm-name>
<form-login-config>
<form-login-page>/logon.jsp</form-login-page>
<form-error-page>/logonError.jsp</form-error-page>
</form-login-config>
</login-config>

<security-role>
<role-name>customer</role-name>
</security-role>
<welcome-file-list>
<welcome-file>
RnsttHome.jsp
</welcome-file>
</welcome-file-list>
</web-app>
=======================================================
======================== logon.jsp =======================
<%@ page contentType="text/html" %>
<%-- Log-In Page --%>
<html>
<head><title></title></head>
<center>
<h3>This is a login page.</h3>
<br><br><form action="j_security_check" method=post>
<table>
<tr>
<td align="center">
<table border="0">
<tr>
<td><b>Enter your name: </b></td>
<td><input type="text" size="15" name="j_username"></td>
</tr>
<tr>
<td><b>Enter your password: </b></td>
<td><input type="password" size="15" name="j_password"></td>
</tr>
<tr>
<td></td>
<td align="right"><input type="submit" value="Submit"></td>
</tr>
<tr>
<td><br></td>
</tr>
</table>
</td>
</tr>
</table>
</form>
</center>
</html>
=======================================================
Tomcat is version 3.2 and Apache is version 1.3.19
The application is located inside Tomcat, folder webapps.Any suggestions or ideas?I honestly don't know how to solve this problem.I looked at other similar threads but none of the suggestions or solutions posted work for my case...
Arapakis Giannis
IT-Postgraduate Student

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
what do you get when you enter in an invalid username/password - your logonError.jsp? page
How do you access this page - is your destination page available, and working?
I take it you are trying to access /RnsttHome.jsp
Check the spelling of your URL - maybe try accessing another file under securlty to see if that one works?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- It doesn't really matter whether I enter a correct username/password or an invalid one, cause I get the 404 Error. I am not re-directed to the logonError.jsp at all. I can only see that the browser is looking for J_security_check...at least that's what is written on the url when I get the 404 error.
e.g.
http://localhost/myapplication/j_security_check
-- The destination page is RnsttHone.jsp and it is working fine.I don't think that this is the problem.
-- I have tried accessing other files as well.That's not the problem.They all have the same problem with j_security_check...
Arapakis Giannis

J_security_check and web.xml

Hi,
I've set up a web application with form authentication
Here's part of my web.xml:
<security-role>
   <description>user</description>
   <role-name>user</role-name>
</security-role>

<security-constraint>
    <display-name>Secure User Pages</display-name>
    <web-resource-collection>
      <web-resource-name>SecureUserPages</web-resource-name>
      <url-pattern>/jsp/welcome.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
         <description>user</description>
         <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/jsp/login.jsp</form-login-page>
      <form-error-page>/jsp/loginError.jsp</form-error-page>
    </form-login-config>
</login-config>When I request welcome.jsp, I'm taken to login.jsp.
If I enter an incorrect login/password combo, the contents of loginError.jsp show up, but the url says http://hostname:port/appname/jsp/j_security_check
How can I make it so that the url does not show 'j_security_check', but 'loginError.jsp'?
Second, if I enter a correct login/password combo, I am not taken to the page I requested - I stay on the login page, but the information in the form fields gets wiped out. According to my logs, it says that I logged in correctly.
Can someone shed some light on these one or both of these issues?
Thanks in advance,
C

To answer you,
1. j_security_check servlet forwards the request to loginError.jsp on login failure. Hence you don't see any change in URL at the address bar. Use redirect at your application level to see the change in URL at the address bar.
If you want to attain some more flexibility at the login level, probably JAAS can help you out.
2. _"Second, if I enter a correct login/password combo, I am not taken to the page I requested - I stay on the login page, but the information in the form fields gets wiped out. According to my logs, it says that I logged in correctly"_
If you're really sure about correctness of your log, i think, you have directly invoked login.jsp from your browser and then you must have entered a valid username/password.May be this is the reason you get to see login.jsp again on successful login.
Solution, would be to directly invoke welcome.jsp from browser.Provide valid username and password and then see whether you really get to see welcome.jsp or not?

J_security_check with mysql db?

Hi,
I've been trying to figure out this problem for a while now.
I have the following in my web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>All JSP direct access</web-resource-name>
<url-pattern>members/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>
No Access
</description>
<role-name>restricted</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>members/index.jsp</form-login-page>
<form-error-page>jsps/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>NO Access</description>
<role-name>restricted</role-name>
</security-role>
and:
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
<input type="submit" name="Submit" value="Submit">
in index.jsp
If i enter a username and password it just brings me back to the same error page (error.jsp). Infact i get the same thing with no matter what i try to access in /members/
Actually, i don't know how to link mySQL 5.1 to BeaWeblogic 8.1 i've read some documents about creating a security realm with RBDMS but there doesn't seem to be such option (i.e. theres LDAP, Active Directory) but nothing about a database. Any ideas?
Message was edited by:
hyowza
Message was edited by:
hyowza

Hi,
did you solve this problem? I have the same thing to do. I want to receive username and password from a html form pass it to a servlet, do some things and then call the standard j_security_check functionality.
regards
Guido

J_security_check internal server error.

Did somebody experienced this error? and what is the solution?
Thanks. I using WL 6 sp1 on NT server 4.
1- I created a user 'xena' in WL console; note: 'xena' does not belong to the
WL Administrators group
2- I created an application with the following web.xml and i war it and deploy
it. The web.xaml content is included below.
I connect through the browser i get the login page. I enters the correct credentials
for 'xena'; i got redirected to the
LoginError.jsp page. I re-enter the correct credentials in the
LoginError.jsp I get the following error page:
http://someip:7001/csearch/j_security_check
Error 500--Internal Server Error
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.5.1 500 Internal Server Error
The server encountered an unexpected condition which prevented it from fulfilling
the request.
The web.xml file contents:
<?xml version="1.0" ?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 1.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<welcome-file-list>
<welcome-file>NewUser.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name> MySecureBit0 </web-resource-name>
<description>no description </description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Administrators</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyRDBMS Realm</realm-name>
<form-login-config>
<form-login-page>Login.jsp</form-login-page>
<form-error-page>LoginError.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app>

Are you still running into this issue?
Also, please note that we recently released a new version of Oracle Help, version 5.0, available here:
http://www.oracle.com/technology/tech/java/help/index.html
Regards, Maria

J_security_check and cookies

Hi all. Im on a WLCS 3.5 with WLS 6.0 and am using Form based authentication against
the RDBMS realm of the commerce server. The login page has a j_username and a
j_password. If i want to add a check box for the user to approve to store a cookie
on his machine, I cant get this new parameter out when it is passed to the j_security_check.
After the user is authenticated, i dont have his password for storing it in a
cookie. It seems that after j_security-check authenticates, the request object
notes any parameters. How do i store cookies then ? If i do , does the password
needs to be encrypted in the cookie ? How do i know if the user has been already
authenticated . Is there a boolean isAuthenticated() method ? Sorry, if this question
belongs to interest.security. Since it belongs to WLCS_USER of the WLSC RDBMS
Realm, i posted here.
Any help is greatly appreciated. Thanks Mallik

BTW Servlet 2.3 specs says this:
~
J2EE.12.5.3.1 Login Form Notes
Form based login and URL based session tracking can be problematic to implement.
Form based login should be used only when sessions are being maintained by
cookies or by SSL session information.
~
This is very vague statement as it does not say form based login cannot use url rewriting. This is what the same specs say about sessions:
~
SRV.7.1.3 URL Rewriting
URL rewriting is the lowest common denominator of session tracking. When a
client will not accept a cookie, URL rewriting may be used by the server as the basis
for session tracking. URL rewriting involves adding data, a session id, to the URL
path that is interpreted by the container to associate the request with a session.
The session id must be encoded as a path parameter in the URL string. The
name of the parameter must be jsessionid. Here is an example of a URL
containing encoded path information:
http://www.myserver.com/catalog/index.html;jsessionid=1234
SRV.7.1.4 Session Integrity
Web containers must be able to support the HTTP session while servicing HTTP
requests from clients that do not support the use of cookies. To fulfil this
requirement, web containers commonly support the URL rewriting mechanism.
~

J_security_check error

We are tyring to deploy a simple application using form-based authentication
on iPlanet Application Server 6.0 SP 2. The login form shows up, however
regardless of userid/password entered we get the following error:
// on the screen
GX Error (GX2GX)
socket result code missing!!!
URL is trying to go to ...NASApp/myDir/j_security_check
// in the error log
[28/Jun/2001:16:20:29] warning ( 722): CrackRequestGuid reports: NameTrans
lookup failed for {Applogic Servlet watch_j_security_check}
Our login page is:
form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
<input type="submit" value="login">
</form>
We were using the GUI deployment tool and were following the manual.
Can anyone help me?
Thanks ...
Pino.

Just check your registry under the key
SOFTWARE/iPlanet/ApplicationServer/6.0/J2eeModule/<your-war-module> ..
Here check the auth-method key. It should contain the word FORM in caps. If it
is in small or mixed case, the the application will fail. Change it to FORM.
Also check the "login-config" key here. It should also display the word Form in
caps.
You can do this and run the application again. Make sure you restart the
web-server.
Irfan Ahmed.
"Caracciolo, Pino [CRK:P914:EXCH]" wrote:
We are tyring to deploy a simple application using form-based authentication
on iPlanet Application Server 6.0 SP 2. The login form shows up, however
regardless of userid/password entered we get the following error:
// on the screen
GX Error (GX2GX)
socket result code missing!!!
URL is trying to go to ...NASApp/myDir/j_security_check
// in the error log
[28/Jun/2001:16:20:29] warning ( 722): CrackRequestGuid reports: NameTrans
lookup failed for {Applogic Servlet watch_j_security_check}
Our login page is:
form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
<input type="submit" value="login">
</form>
We were using the GUI deployment tool and were following the manual.
Can anyone help me?
Thanks ...
Pino.

J_security_check redirection problems impossible to solve

Hi!
I've been searching and trying to solve this problem for a couple of days now. I'm new in JDeveloper development and defined ADF security. Authentication works fine, since after I try to go to protected (security-constraint) page, the login page appears and then after the login, if I type the address to the same page again, I can view it. The problem is that j_security_check doesn't redirect me to this page. I've tried everything, using different redirection pages, with faces, without, with /*, without, ... I always got 404 not found page.
Then, with the help of File monitor we figured out that jawaw.exe process is looking for some css file in the subfolders of login page folder. When we put the folder with css file there, we don't get 404 page anymore, but j_security_check redirects us to this css file?!?!? If I then delete the session cookies and login again, 404 page appears again.
What is wrong? PLEASE! I'm giving up here.
I've searched files in entire application that include this css file but haven't found it anywhere that it shouldn't be.
I would really appreciate any help on this since I don't know what to do any more.
Cheers, BB!

I am facing exactly the same issue, login page works fine with JAAS, but i get 404 page not found error. If i put the url of the page directly in url after authentication, then it works fine.my login page is not in WEB_INF folder
--Mukul

J_SECURITY_CHECK

Similar Messages

Maybe you are looking for