
App serving JSF instead of JSP, j_username always null

Irean Garland
Posts: 5
Hello guys,

Of several JSF applications I support, only one does this: the files are in fact jsp but the requests to the server must be done with the jsf extension.

This wasn't a problem until recently, when I was asked to add login audit functionality and realized that j_username and j_password were always received as null by the access management filter. It seems they knew about this, because they worked around it by getting the user name from getRemoteUser().

Problem is getRemoteUser() will be null if the authentication fails, and in this case I simply can't get the provided user name to log an audit record.

It actually took me a while to realize that this was happening because the server login page is set to 'login.jsf' instead of 'login.jsp'; the filter won't get the values unless the login page name matches the real file name.

So what I have to do, while having no idea of how, is to change the application so it behaves like the others and stops handling the jsps as jsfs for the web browser.

Thanks for reading/helping.