• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Tim Cooke
  • paul wheaton
  • Jeanne Boyarsky
  • Ron McLeod
Sheriffs:
  • Paul Clapham
  • Liutauras Vilda
  • Devaka Cooray
Saloon Keepers:
  • Tim Holloway
  • Roland Mueller
Bartenders:

can I have two login page using form-based authentication?

 
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi there,
I have a very common scenario where user can input username and password from home page and be brought to the protected page. yes. that's it.
and I could not make it happen using form-based authentication.
you specify the login page (any attempt to visit the protected resources will be redirected to the login page configured in web.xml) . and here is a typical one looks like in web.xml:

<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>

All right. now we have two login pages. home page and the one specified in the web.xml.
If I login in with the home page (action of the form point to a protected resource) . I will be still taken to the configured login page. and you will login twice before you get where you wanted!!
Ok, how about just configure the home page as login page, like
<form-login-page>/home.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
No. as you know, you must specify the form action called j_security_check. and if you try to login with the above configuration.
you will get error complaining that it doesn't know where to go next.

BTW, I even tried using request.getParameter("username") in the login.jsp page to try to get the post data that I 've submitted in home page. and you get null.
any help is highly appreciated !!!
 
Greenhorn
Posts: 20
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
you can use any jsp file as login page in form based authentication. Remember this is the page to which user will be redirected in case of session expiry or in case anyone tries to access the pages within web application according to security constraints defined.

Hope this helps.
 
alex chow
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
thanks for the quick reply, but as I mentioned in the starting thread:
"Ok, how about just configure the home page as login page, like
<form-login-page>/home.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
No. as you know, you must specify the form action called j_security_check. and if you try to login with the above configuration.
you will get error complaining that it doesn't know where to go next. "

could you just tell me how to create your own login page without being redirected to the configured login page or if the login page is the configured login page,
you can name your own action other than "j_security_check", so far as I know, you simply can't, and this is the limitation for j2ee web tie security.
 
Goutham Pallipati
Greenhorn
Posts: 20
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You can not mix up things.

Either you use Form Based Authentication (You can design your own login page still and configure, but only one login page per application) or you design your own security and authentication mechanism.

The Access Control to Resources is set using <security-constraint> if your web application is properly organized then you can omit some or all resource from security.(When they are accessed you wont be kicked back to the login page)

Check this link. http://java.dzone.com/articles/understanding-web-security

The main aim behind Form Based Authentication is to check for whether user is active or not when accessing a resource within web application. Previously this was achieved by writing filters and checking for session and roles on access of resource. Now this has been made simple and user need not code for security checks.
 
alex chow
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
okay, so, I can't have two login pages using form-based authentication.
 
Doe, a deer, a female deer. Ray, a pockeful of sun. Me, a name, I call my tiny ad ...
Smokeless wood heat with a rocket mass heater
https://woodheat.net
reply
    Bookmark Topic Watch Topic
  • New Topic