set original page for j_security_check

 
Ranch Hand
Posts: 84
I have pages on my Tomcat 4.0.2 server that are protected with form-based authentication.
I notice that if I directly do 'http://localhost:8080/j_security_check?j_username=uid&j_password=pwd', I'll get the response 'Apache Tomcat/4.0.2 - HTTP Status 400 - Invalid direct reference to form login page'.
So, what should I do so that I can bypass the login form and go directly to the restricted page?
 
Rancher
Posts: 13459
You either want security or you don't want security.
Why do you want to bypass the security page?
I'd recommend against doing this anyway, since you have placed the username and password fields on the URL, and even with encryption they can turn up in log files...
There are ways to perform a login from the server side, but I'm not sure how to accomplish this in Tomcat, i.e. if the username and password are available on the server you can log them in without requiring the login screen.
This is useful for things like Registration pages, where you already have the username and password, but you don't want to throw them at the login screen again just so they can get security credentials - you already have all the data.
Can we get more details on why you want this? Maybe there is another solution.
Dave
 
Ariffin Ahmad
Ranch Hand
Posts: 84
Well, I do want security...
and I do want a login page.
But there will be some cases that need me to bypass the login page by only supplying username and password.
 
David O'Meara
Rancher
Posts: 13459
But if you have both then you actually have neither.
Passing the username and password on the URL negates any security you have.
But that said, once you have the username and password on the server, there should be a call you can make to explicitly authenticate the user.
But I don't know what it is. I'll go have a look, but no promises.
Dave
 
Ariffin Ahmad
Ranch Hand
Posts: 84
Well, it's not necessary to put the username and password in the URL. I can put them in a form and then post it with the "POST" method. Of course I can use my normal login page, but the problem is, the login page is on another server, and that server will redirect the browser, together with the username and password, to another server, which handles the authentication.
I found one way to get around it. I just create another JSP page and then use request.getParameter to get the username and password and store them in a session variable. Then I use response.sendRedirect to redirect the browser to some restricted realm on the server, and of course because of this, Tomcat will redirect to the normal login page. But in the login page, I'll get the username and password from the session variable, and if there are any, I just use response.sendRedirect to redirect the login page to j_security_check, together with the username and password. If authenticated, Tomcat will redirect me back to the original page...
The problem is, it seems quite messy.
I hope there's a cleaner way to do this....
Anyway,
thanks...
Cheers.....
 
David O'Meara
Rancher
Posts: 13459
The best I could find in 5 minutes or less is from here:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
and possibly has something to do with Realm.authenticate() which may allow you to authenticate the user IF you can get access to the realm.
Rather than calling j_security_check, you would write a separate login Servlet to accept the username and password, and it would also require the page you want to redirect to after authentication.
myHost:8080/MyLoginServlet?username=dave&password=bites&resource=secured.jsp
Dave
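
The separate login servlet described in the post above, as an added example that is not part of the original thread. It assumes a Servlet 3.1+ container (newer than the Tomcat 4.0.2 discussed here), where `HttpServletRequest.login()` performs the realm authentication; the servlet name, URL pattern and list of allowed pages are hypothetical.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; servlet name, URL pattern and page list are hypothetical.
@WebServlet("/MyLoginServlet")
public class MyLoginServlet extends HttpServlet {

    // Fixed list of post-login targets: the "resource" parameter can only
    // select one of these, never an arbitrary or off-site URL.
    private static final Set<String> ALLOWED = Set.of("/secured.jsp", "/account.jsp");

    // Only doPost is overridden, so HttpServlet rejects GET and the
    // credentials cannot arrive in a query string that ends up in logs.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        String resource = req.getParameter("resource");
        if (user == null || pass == null || resource == null
                || !ALLOWED.contains(resource)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            if (req.getUserPrincipal() == null) {
                // Assumption: the container keeps the login in the session,
                // so make sure one exists before authenticating.
                req.getSession(true);
                // Servlet 3.0+: checks the credentials against the realm
                // configured for this application; throws if they are wrong.
                req.login(user, pass);
                // Servlet 3.1+: issue a fresh session id after login.
                req.changeSessionId();
            }
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.sendRedirect(req.getContextPath() + resource);
    }
}
```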
 
Ariffin Ahmad
Ranch Hand
Posts: 84
I got the idea....
Thanks a lot, mate......
Cheers.....
 
David O'Meara
Rancher
Posts: 13459
No charge
Dave
(although there is a tip jar)
 
Greenhorn
Posts: 1
Hi Everybody,

My problem is that I want to auto-login to a web application which uses the j_security_check mechanism and for which I have the "login,password" credentials.

So does anyone know how to bypass this mechanism?

Thank you in advance.
 