
FORM authentication chapter 12 HF Jsp's & Servlets

Mike Rayl
Greenhorn
Posts: 3
I have a security constraint on a servlet that should process a doPost(). The HTTP method is set to POST in the DD. When not logged in, I'm prompted with the loginPage.html (as I expect). When I log in with proper credentials, the doGet() runs in the servlet that has the security constraint. Has anybody come across this problem? I would have expected that after I log in, the doPost() should have run with parameters available. I don't have this problem when using BASIC or DIGEST authentication. I've also set up Tomcat 5.028 to use SSL (this is working). Any help would be appreciated.
 
Charles Lyons
Author
Ranch Hand
Posts: 836
This is probably being caused by the redirection which occurs after using container login. Your login form should post back to j_security_check, which the container takes as a flag to authenticate the user. After authentication succeeds, the container attempts to redirect the client to the page originally requested (before seeing the login). As a result, it will probably use a GET redirect, hence the reason why your doGet() and not doPost() is being invoked. The fact that BASIC and DIGEST work okay would suggest a redirection problem with FORM, as BASIC and DIGEST don't redirect the client (since they use additional browser-dependent windows and do not need to swap the user's requested page for a login page).

I don't know if this is the answer or not as I haven't tried this myself (or had this problem to be honest). Using a redirect, any request parameters will also be lost. To save the trouble, it might be worth doing an authentication check before you get to any forms requiring POST submission - that way you'll bypass this problem completely. I've never had the need to have a login during a POST submission.

What you are experiencing is more technically a "side effect" of the Redirect-After-POST pattern used to prevent duplicate form submission. For a particular reference, see the "The Query String" section of:

http://ppewww.ph.gla.ac.uk/~flavell/www/post-redirect.html

Hope that helps!
 
Mike Rayl
Greenhorn
Posts: 3
Sounds like you are right, Charles. It doesn't appear to retain the original parameters from the form that invoked the login. I guess this would mean any page posting where you need a login would have to be kept inside the WEB-INF folder some place so no one could access them directly before they are logged in. Thanks again, Charles.
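The situation Charles describes (a login triggered by the POST itself, followed by a GET redirect that drops the parameters) and the fix he suggests (authenticate before the user reaches the form) can both be expressed in the deployment descriptor. The following web.xml fragment is an added example written for this thread, not configuration from either poster or from Tomcat; it targets a Servlet 2.4 container such as Tomcat 5.0.x. The URL pattern /secure/*, the role name "member" and the page /loginError.html are assumed placeholders; only loginPage.html and j_security_check come from the thread. The two security-constraint elements are shown side by side for comparison; a real descriptor would contain only the corrected one.

```xml
<!-- Added example for this thread (not the posters' own web.xml).
     Assumed names: /secure/*, role "member", /loginError.html. -->

<!-- WEAK: only POST is listed, so an unauthenticated GET of the form page is
     allowed and the login is first triggered by the form submission. After
     j_security_check succeeds the container redirects the browser to the
     original URL as a GET; as observed in the thread, doGet() runs and the
     submitted parameters are gone. Any method not listed (GET, HEAD, PUT ...)
     is left unprotected. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Order form (POST only)</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
</security-constraint>

<!-- CORRECTED: no <http-method> element, so every method on the pattern is
     constrained. The login happens when the user first GETs the form, and the
     later POST arrives already authenticated with its parameters intact. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Order form (all methods)</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- require SSL for the protected pages, as the thread already does -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- FORM login: loginPage.html must post j_username and j_password to
     j_security_check and must itself sit outside the constrained pattern. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/loginPage.html</form-login-page>
    <form-error-page>/loginError.html</form-error-page> <!-- assumed page -->
  </form-login-config>
</login-config>

<security-role>
  <role-name>member</role-name>
</security-role>
```

With the corrected constraint in place, the servlet's doGet() can forward to a form kept under /WEB-INF/ (as Mike proposes), which the container never serves directly, while doPost() only ever sees requests from users who authenticated before they loaded the form.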