
How to render an image in a j_security_check login page

 
Jay Tai
Ranch Hand
I'm having an annoying problem. I can't seem to render an image in my login page and I'm almost sure the j_security is preventing access to my images. If that is the problem, then I don't know how to modify the web xml or Filter settings to allow access to my images on the login page. The rest of my application renders images fine once the user is authenticated. The problem is just in the login page. Thanks in advance!

login.jsp



web.xml


LoginFilter.java (this filter just picks up the authenticated user details)



 
Bear Bibeault
Author and ninkuma
Marshal
Why is your image element using the file protocol? You do realize that that can only work when developing on your local PC, right?
 
Ulf Dittmer
Rancher
For starters, you should replace the local path ("C:\...") with a path that makes sense inside of the web app - it's hard to tell, but it could be just "manlogo_1.jpg".

Next, the security applies to "/*" - so that's every possible URL of the web app, which includes images, JavaScript, CSS and whatever else is in there. You probably want to protect only a subset of that (maybe a "secure" subdirectory), so that everything outside of that can be served without authentication.
 
Jay Tai
Ranch Hand
Sorry, I made a mistake when I posted this. I WAS using the file element when developing on the local server but I then changed it to the URL context when deploying the app, although it doesn't seem to recognize the image in the login page. Using the same path renders the images in the rest of the application but not the login page.

> Next, the security applies to "/*" - so that's every possible URL of the web app, which includes images, JavaScript, CSS and whatever else is in there. You probably want to protect only a subset of that (maybe a "secure" subdirectory), so that everything outside of that can be served without authentication.


I think this is my problem and I'm not sure how to protect only a subset. Do I list all the folders that I want to protect in the security-constraint tag of the web.xml?
 
Ulf Dittmer
Rancher
It's possible to use multiple <url-pattern>...</url-pattern> elements in a <web-resource-collection> - so you can list all the directories you want to protect.
 
Jay Tai
Ranch Hand
Thanks! I will try that, but I also have a filter which intercepts the login form, so even if I only include the important directories, won't the filter still block images? (I did include a path-exclude tag as an init-param below the filter definition.) Thanks again.
 
Ulf Dittmer
Rancher
Why would the filter block something? That's the job of the servlet container if you use declarative security. But you say "which intercepts the login form" - so it doesn't intercept all requests? Just the login form?
 
Jay Tai
Ranch Hand
Thank you for helping me understand these concepts so much better. I modified the security as follows:



It now renders images. Everything seems to work OK except I am able to call Java actions directly in the browser. For example, /showMembs is a class that displays a list of users. If I type [context]/showMembs in the browser, it bypasses the security constraint and displays the list. Looking at my application directory structure is located in the WEB-INF folder. This is supposed to be a security constraint according to the above snippet so why am I able to call actions directly into the browser?

 
Ulf Dittmer
Rancher
> <url-pattern>/WEB-INF/*</url-pattern>

This doesn't accomplish anything, because nothing inside of WEB-INF will be served anyway.

> Looking at my application directory structure is located in the WEB-INF folder.

Are you talking about where the class file is located? That's not the path - "/showMembs" would be, so that's what you need to protect. If you want to protect all servlets (for example), you might map them all using some common prefix, like "/servlet/showMembs", and then protect "/servlet/*".
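
Added example, not part of the original thread: a Python check of the point made above, that a constraint on /WEB-INF/* has no effect while the servlet's mapped path /showMembs stays open until that path (or a common prefix such as /servlet/*) is listed. The web.xml text, the role name `member` and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: the constraint names /WEB-INF/*, but the servlet answers at /showMembs.
BEFORE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet-mapping>
    <servlet-name>showMembs</servlet-name>
    <url-pattern>/showMembs</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>members</web-resource-name>
      <url-pattern>/WEB-INF/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>member</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
# Constructed fix: map the servlet under a common prefix and protect that prefix.
AFTER = (BEFORE.replace("<url-pattern>/showMembs<", "<url-pattern>/servlet/showMembs<")
               .replace("/WEB-INF/*", "/servlet/*"))

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # tag name without the XML namespace

def url_patterns(el):
    return [u.text.strip() for u in el.iter() if local(u) == "url-pattern"]

def covers(constraint, mapping):
    """True if a constraint url-pattern covers every URL a servlet mapping serves."""
    if constraint == "/*" or constraint == mapping:
        return True
    if constraint.endswith("/*"):  # path-prefix pattern, e.g. /servlet/*
        prefix = constraint[:-2]
        base = mapping[:-2] if mapping.endswith("/*") else mapping
        return base == prefix or base.startswith(prefix + "/")
    return False

def audit(web_xml):
    """Simplified: ignores <http-method> and narrower constraints that lack <auth-constraint>."""
    root = ET.fromstring(web_xml)
    mapped, protected = [], []
    for el in root:
        if local(el) == "servlet-mapping":
            mapped += url_patterns(el)
        elif local(el) == "security-constraint" and any(local(c) == "auth-constraint" for c in el):
            protected += url_patterns(el)
    return {"unprotected": [m for m in mapped if not any(covers(p, m) for p in protected)],
            "no_effect": [p for p in protected if p.startswith("/WEB-INF/")]}

if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER))
```

Servlets mapped with annotations rather than in web.xml do not appear in the file and are not seen by this check.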
 
Jay Tai
Ranch Hand
Yes of course. WEB-INF is not publicly accessible anyway. This makes a lot more sense now. Thanks a lot for your excellent guidance!
 