How to forward to j_security_check?

2
votes

I'm using form based authentication (JBOSS/JAAS) but my form is sending the data to my Servlet so I can perform some checks before trying to login.

Now I need to forward to j_security_check but what I tried didn't work (404 error)...

How can I redirect/forward to the j_security_check (please note the application is running over https / sssl) ?

I can make it work with a redirect and the params go in the URL, but that is not safe (as the user/pass stays in the browser history, etc)...

Any ideas?

4
jakarta-eejbossjaas

4 Answers

2
votes

I see this is an old post, but I wanted to share an answer.

If the original request is POST, you can simply forward to j_security_check after you do some processing.

...
request.getParameterMap().put( "j_username", new String[]{ userId } );
request.getParameterMap().put( "j_password", new String[]{ password } );

try 
{
    request.getRequestDispatcher("/j_security_check").forward( request , response );
    return null;
} 
catch (ServletException e) 
{
    logger.error( e );
} 
catch (IOException e)
{
    logger.error( e );
}
3
votes

Tomcat only accepts requests to j_security_check if it initiated a login process before for that session. So first you need to try to access a security-constraint resource. Then Tomcat will redirect you to the login form. Only then are you allowed to access j_security_check.

0
votes

I know this is a too old question but I had the same problem and the unique way that I found to solve it was using something like this:

protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {

    String user = req.getParameter("j_username");
    String pass = req.getParameter("j_password");

    resp.sendRedirect("/Project-web/j_security_check?j_username=" + user    + "&j_password=" + pass);

}
0
votes

Since I just had the same problem, and the others answers have not proven to work for me, I wanted to share my own solution:

1) Create a new JSP, say, loginForward.jsp, for forwarding purposes only:

<%@ page language="java" %>
<%
    final String username = request.getParameter("j_username");
    final String password = request.getParameter("j_password");
%>
<body onload="document.getElementById('creds').submit()">
    <form name="creds" id='creds' method="POST" action="j_security_check">
        <input type="hidden" name="j_username" value="<%= username %>">
        <input type="hidden" name="j_password" value="<%= password %>">
    </form>
</body>

2) In your servlet, forward to that JSP:

final String redirectURL = String.format("loginForward.jsp j_username=%s&j_password=%s", username, password);
RequestDispatcher requestDispatcher = request.getRequestDispatcher(redirectURL);
requestDispatcher.forward(request, response);
return;