• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Rob Spoor
  • Tim Cooke
  • Junilu Lacar
Sheriffs:
  • Henry Wong
  • Liutauras Vilda
  • Jeanne Boyarsky
Saloon Keepers:
  • Jesse Silverman
  • Tim Holloway
  • Stephan van Hulst
  • Tim Moores
  • Carey Brown
Bartenders:
  • Al Hobbs
  • Mikalai Zaikin
  • Piet Souris

Web security: override "j_security_check" ?

 
Ranch Hand
Posts: 311
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

Any advice on the following would be greatly appreciated.

I'd like to write my own "j_security_check" servelt. Thus we may have Form-based-login, but the login page would have:
< form action=myServletUrl .. >
Instead of the standard
< form action=j_security_check ... >

"myServlet" would validate the user/password, and if successful, would redirect the user to some fixed "welcome.html" page.
The reason for this customized servlet is crazy requirements (least of them being, login done using GET instead of POST, stupid as it might sound).

My question: how would "myServlet" tell the container that login has been successful ? Because I imagine the container checks the session for some "logged in" flag , of checks the request for presence of userPrincipal. If "myServlet" can't fix this data, then the container won't know user is logged in, and will repeatedly prompt him to login...
If it matters, we're using websphere 5.1.1 (j2ee 1.3).

Thanks a lot
 
Ranch Hand
Posts: 119
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I investigated doing something similar in WebSphere 5.1 about 18 months ago & got nowhere except closer to Asprin. WebSphere implements j_security_check using it own classes (just like all containers). After a lot of digging, I found out what the class was called (sorry, can't remember now), but couldn't figure out how to override it.
If the main driving force is the need to use GET instead of POST, I wonder if it might be possible to have your designated login page point to your own servlet (using GET), then have your own servlet internally call j_security_check (i.e. mimic the POST call from the page) & let WebSpheres code do its thing verifying the username/password & setting te user to logged on in its internal registry?
I haven't tried this so I don't know if it will work. I can envisage a future requirement to log a user in on the basis of more information than a username & password - just think of a standard internet bank login - and currently don't know how we'd handle this other than by some sort of a filter on the j_security_check. If you succeed in overriding the WebSphere implementation, I'd be very interested in finding out how you did it.

Cheers,
Louise
 
Sol Mayer-Orn
Ranch Hand
Posts: 311
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks very much for your reply.
I'm not optimistic about overriding websphere's j_security_check, but if I get anywhere i'll gladly share.
 
You showed up just in time for the waffles! And this tiny ad:
Building a Better World in your Backyard by Paul Wheaton and Shawn Klassen-Koop
https://coderanch.com/wiki/718759/books/Building-World-Backyard-Paul-Wheaton
reply
    Bookmark Topic Watch Topic
  • New Topic