Web security: override "j_security_check" ?

 
Ranch Hand
Posts: 311
Hi,

Any advice on the following would be greatly appreciated.

I'd like to write my own "j_security_check" servlet. Thus we may have Form-based-login, but the login page would have:
<form action="myServletUrl" ...>
Instead of the standard
<form action="j_security_check" ...>

"myServlet" would validate the user/password, and if successful, would redirect the user to some fixed "welcome.html" page.
The reason for this customized servlet is crazy requirements (least of them being, login done using GET instead of POST, stupid as it might sound).

My question: how would "myServlet" tell the container that login has been successful? Because I imagine the container checks the session for some "logged in" flag, or checks the request for presence of userPrincipal. If "myServlet" can't fix this data, then the container won't know user is logged in, and will repeatedly prompt him to login...
If it matters, we're using WebSphere 5.1.1 (J2EE 1.3).

Thanks a lot
 
Ranch Hand
Posts: 119
I investigated doing something similar in WebSphere 5.1 about 18 months ago & got nowhere except closer to aspirin. WebSphere implements j_security_check using its own classes (just like all containers). After a lot of digging, I found out what the class was called (sorry, can't remember now), but couldn't figure out how to override it.
If the main driving force is the need to use GET instead of POST, I wonder if it might be possible to have your designated login page point to your own servlet (using GET), then have your own servlet internally call j_security_check (i.e. mimic the POST call from the page) & let WebSphere's code do its thing verifying the username/password & setting the user to logged on in its internal registry?
I haven't tried this so I don't know if it will work. I can envisage a future requirement to log a user in on the basis of more information than a username & password - just think of a standard internet bank login - and currently don't know how we'd handle this other than by some sort of a filter on the j_security_check. If you succeed in overriding the WebSphere implementation, I'd be very interested in finding out how you did it.

Cheers,
Louise
 
Sol Mayer-Orn
Ranch Hand
Posts: 311
Thanks very much for your reply.
I'm not optimistic about overriding WebSphere's j_security_check, but if I get anywhere I'll gladly share.
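
For reference, the question of how a custom servlet tells the container that login succeeded has a standard answer on later containers: HttpServletRequest.login() (Servlet 3.0) together with changeSessionId() (Servlet 3.1), neither of which exists on the WebSphere 5.1.1 / J2EE 1.3 setup in this thread. The servlet below is an added example, not code from any poster; the class name MyLoginServlet, the login.html error page and the POST-only handling are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example. Assumes a Servlet 3.1+ container with a configured security
// realm; MyLoginServlet and login.html are hypothetical names.
@WebServlet("/myServletUrl")
public class MyLoginServlet extends HttpServlet {

    // Credentials in a GET query string are written to access logs, proxy
    // logs and browser history, so this example accepts POST only.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setHeader("Allow", "POST");
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            if (req.getUserPrincipal() != null) {
                req.logout();          // login() fails if already authenticated
            }
            // Create the session first so the container has somewhere to
            // keep the authenticated principal across requests.
            req.getSession(true);
            req.login(user, pass);     // container validates against its realm
        } catch (ServletException e) {
            // Same response for unknown user and wrong password.
            resp.sendRedirect(req.getContextPath() + "/login.html?error=1");
            return;
        }
        req.changeSessionId();         // rotate the ID to block session fixation
        resp.sendRedirect(req.getContextPath() + "/welcome.html");
    }
}
```

After login() returns, getUserPrincipal() and isUserInRole() reflect the authenticated user, so the container's declarative security constraints apply to later requests in the same session.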
 