I am learning Java servlets in a Tomcat environment. I am learning how to use form-based login authentication using j_security_check. So, in my servlet, I have a login page that has j_username and j_password. In the web.xml file of that servlet, I have the welcome page list indicating my landing page, "landing.html". So, ideally, after successful login, I want the user to get redirected to the "landing.html" page.
Without the authentication (no form-based authentication), my servlet opens up and goes to the "landing.html" page as expected ("localhost:8080/MyServlet" - shows the content of landing.html).
However, now, after a successful login with j_security_check, for some reason, I get automatically redirected to the .css file for the "landing.html" file. I can't understand why this is happening.
Is there a particular way I can tell the server to just load the "landing.html" page after successful authentication and not forward it anywhere else?
EDIT
*Okay, I solved it.
The CSS file which was loading after successful authentication was listed within the <head></head> tags of the login.html page where the j_username and j_password are. I added that CSS file to make the login page's design consistent with the rest of the website. My guess is that when the server is re-loading the wanted resource, for some reason it was simply re-loading the top CSS file from the head tag.
Really weird.
So, is j_security_check the best way to do any authentication for websites on Tomcat, or is there a better and more reliable way?*
The behavior of form-based authentication is the following:
the browser sends a request to a protected URL
the server intercepts the request, sees that you're not authenticated, and redirects to the login form page
the user logs in
the server redirects to the URL that triggered the authentication: the protected URL asked in the first step.
This is good, because it allows a user to bookmark a protected page, come back the next day to this bookmarked page, log in, and go directly to the bookmarked page rather than the welcome page.
My guess is that the landing page is not protected, but its CSS file is. So the request that triggers the authentication is the request that tries to load the CSS file, which causes the user to be redirected to the CSS file.
My problem is that I have 2 JSP files in my project: login.jsp and adminpanel.jsp.
My aim is to show the user the login.jsp template and let him log in via a form inside it.
After login, I want my app to show adminpanel.jsp, and my problem is that I can still access it by just writing the URL .../adminpanel.jsp.
How can I disable this option? It just makes no sense to log in if you can reach adminpanel.jsp so easily.
What you need to do is set a session variable when the user logs in via login.jsp, i.e. only if both username and password are correct.
After that, on all other pages (including adminpanel.jsp), check if the session variable exists. If yes, allow the user to view the page; else redirect to the login page.
Also check http_redirect or URL rewriting, by which you can mask the original URL.
Check the links below for more info:
http://www.jsptut.com/sessions.jsp
http://www.javatpoint.com/url-rewriting-in-session-tracking
First, your authentication should be handled by a servlet (essentially your controller class). Second, all views that should not be directly accessed, like in your case, ought to be placed inside your WEB-INF folder, forcing your application to call the appropriate controller class. It is here where you force redirects or forwards based on your business logic and session/cookie management.
I'm new in web programming, so sorry if I'm asking trivial questions.
We have a web application with a login page using HTTPS; the web server is JBoss, and the implementation is in Java/JavaScript. Let's assume that we get this page by accessing www.aaa.com; let's call this login page A.
The goal is to write a proxy application with a similar login page + some additional info (let's call it B) that will be accessed by www.bbb.com. The proxy application should read credentials, do some job and redirect the request to www.aaa.com with those credentials; after that, aaa.com will perform its job. In case of login failure, page B (that is part of bbb.com) should display the same error that page A was supposed to display.
During redirection, I can't change URL from bbb.com to aaa.com. It should always show bbb.com although we are doing job on another web server.
Please advise how it can be done (links to examples of redirection implementation are appreciated), whether there are some pitfalls related to redirection to https and hiding target url, what should be performed in aaa.com to allow such access.
I believe you are looking for HTML frame
see HTML frame tag URL of browser not changing
Redirecting application link to Java - GWT Custom page.
Whenever a user logs in through my app and hits a button (say, add record), a redirection should happen, i.e. the page should be redirected to the GWT custom page from the application link.
How do I call a servlet when the application link is hit by the button?
After that, how do I call the GWT page from the called servlet?
I want to show the GWT custom page with the data present in the REQUEST.
Hidden fields are available on the UI screen, which is developed in GI.
These fields can be passed to GWT custom applications launched from the application link.
APP(UI) --> SERVLET---> GWT page(UI with data present in request i.e jsessionid,hidden fields)
What changes need to be made in web.xml?
Please provide any helpful document, link, sample code or idea.
Hope for the best co-operation
Thanks in advance.
Do you already have a fixed login page (servlet) that you must use? Then do this:
Window.Location.assign(loginUrl) will take you to a new page. Your GWT app will be "closed" and all state will be lost.
Your login servlet should redirect back to your GWT page when done. Usually this is done by supplying a URL parameter when invoking login page - check the login servlet. Usually something like http://yourserver.com/login?returnTo=GwtAppUrl.
At this point your user is logged in, which means that servlet has set a session cookie. From this point on (until logout or session time-out) your GWT and GWT-RPC will use this session automatically (browser sends session cookie) - you don't have to do anything.
You can pass some data back to GWT by fragment identifier http://yourserver.com/login?returnTo=GwtAppUrl#somePage/parameter1/parameter2. However, a better option is to just use GWT-RPC to get the data from the server.
Otherwise, if you are making everything from scratch, you can use GWT to do the login: How to implement a login page in a GWT app?
I'm using spring-security and struts 2. Most of our pages have content that is unprotected mixed with some protected content (user controls), so it is not like the examples where you go to a certain page and spring-security intercepts everything. Rather, I'd like to be able to work with a login form that you access by pressing a login button on any page. Once you've successfully authenticated, you should be redirected to the original page.
This is where I'm stumped. Sending the URL to redirect to can be done by adding it into the form action like so:
<form action="/j_spring_security_check?spring-security-redirect=${url}" method="POST">
<...>
</form>
The problem is that after this login fails spring-security redirects to the same page (it's set up to do that in the application context) and I have no way to retrieve the url I passed to spring-security-redirect. If this were accessing one of my own classes I would normally just pass it along as a hidden parameter in the form or a request parameter of my login controller. But since spring security is the one doing the redirection I'm a little lost.
So far the only solution I've come up with is trying to store this URL in the session, but then there's also no good way to remove it after a login completes successfully. Any ideas?
If you use Spring Security 3.0, you can customize AuthenticationFailureHandler. For example, its default implementation can be configured to use forward instead of redirect.
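Both the `returnTo` parameter in the GWT answer above and the `spring-security-redirect` parameter in this question carry the post-login destination through the browser, so the server should check the value before redirecting to it. The class below is an added example, not code from the original posts or from Spring Security; the class name, the `DEFAULT_TARGET` fallback and the sample values are assumptions, and it accepts only paths on the same site.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class ReturnUrlValidator {

    // Assumed fallback when the supplied target is missing or rejected.
    static final String DEFAULT_TARGET = "/";

    /** Returns the candidate if it is a path on this site, else the fallback. */
    static String safeTarget(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return DEFAULT_TARGET;
        }
        // Control characters can split headers; browsers may treat '\' as '/'.
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return DEFAULT_TARGET;
            }
        }
        // Must be rooted at this site: "/page" is fine, "//host" is another site.
        if (!candidate.startsWith("/") || candidate.startsWith("//")) {
            return DEFAULT_TARGET;
        }
        try {
            URI uri = new URI(candidate);
            // Defence in depth: no scheme and no authority component allowed.
            if (uri.isAbsolute() || uri.getRawAuthority() != null) {
                return DEFAULT_TARGET;
            }
            return candidate;
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the page.
        String[] samples = {
            "/landing.html", "/app/GwtApp.html#somePage/parameter1",
            "https://other.example/", "//other.example/x",
            "/\\other.example", "landing.html"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + safeTarget(s));
        }
    }
}
```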
I have an application running under WebLogic that is using standard forms authentication. The login page is a JSP that presents the login form that will post to j_security_check. So as you would expect, when a user tries to access a page but is not yet authenticated, they will be redirected to the login.jsp.
My question is, how can I determine the page that the user was attempting to hit before WebLogic redirected them to the login page? I wish to use this to change the content of the login page depending on the user's destination. I'm not seeing anything in the request object that would tell me this.
Thanks for any hints!
You can use:
weblogic.servlet.security.ServletAuthentication.getTargetURLForFormAuthentication(request.getSession())
This is a public static method and returns a String.
I've tested and it works for me.
We concluded there was no way to find out the target URL from the login page. I wouldn't mind being proven wrong. :)
In the meantime, the solution was to deploy the content in a second WAR with its own login page providing the alternate content. Lots of overhead for what should be a simple problem to solve.