j_security_check just doesn't seem enough for me to perform the login process. So, instead of submitting the form to j_security_check, I created my own servlet and in it I am programmatically trying to do the login. This works, but I am not able to redirect to my restricted resource. Can anybody tell me what the problem can be? This is the processRequest method of my servlet:

    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        try {
            String strUsername = request.getParameter("txtusername");
            String strPassword = request.getParameter("txtpassword");
            if (strUsername == null || strPassword == null || strUsername.equals("") || strPassword.equals(""))
                throw new Exception("Username and/or password missing.");
            request.login(strUsername, strPassword);
            System.out.println("Login succeeded!!");

            if (request.isUserInRole(ROLES.ADMIN.getValue())) { //enum
                System.out.println("Found in Admin Role");
                response.sendRedirect("/app/Admin/home.jsf");
            }
            else if (request.isUserInRole(ROLES.GENERAL.getValue()))
                response.sendRedirect("/app/Common/index.jsf");
            else //guard
                throw new Exception("No role for user " + request.getRemoteUser());

        } catch (Exception ex) {
            //patch work why there needs to be blogger here?
            System.out.println("Invalid username and/or password!!");
            response.sendRedirect("/app/Common/index.jsf");
        } finally {
            out.close();
        }
    }

Everything works fine and I can even see the message "Found in Admin Role", but the problem is that even after authenticating I am not able to redirect my request to some other page.

A: 

Remove those lines, they don't belong there:

    response.setContentType("text/html;charset=UTF-8");
    PrintWriter out = response.getWriter();

and

        out.close();

If you close the OutputStream, the redirect cannot take place. You should in fact have seen an IllegalStateException: Response already committed in the server logs.

BalusC
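
The servlet from the question with the lines named in the answer above left out, as an added example that is not part of the original answer. The class name, URL pattern and role-name constants are assumptions standing in for the question's `ROLES` enum, and the redirects use `getContextPath()` instead of the hard-coded `/app` prefix.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet name and URL pattern (not from the question).
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    private static final String ADMIN_ROLE = "Admin";     // assumed value of ROLES.ADMIN
    private static final String GENERAL_ROLE = "General"; // assumed value of ROLES.GENERAL

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("txtusername");
        String password = request.getParameter("txtpassword");
        String ctx = request.getContextPath(); // context root resolved at runtime

        if (username == null || password == null
                || username.isEmpty() || password.isEmpty()) {
            response.sendRedirect(ctx + "/Common/index.jsf");
            return;
        }
        try {
            // login() throws ServletException when the credentials are rejected
            // or when a caller identity is already established on this request.
            request.login(username, password);
        } catch (ServletException e) {
            log("Login failed", e); // never log the submitted password
            response.sendRedirect(ctx + "/Common/index.jsf");
            return;
        }
        // No getWriter()/close() was called, so the response is still
        // uncommitted and sendRedirect() can set the status and Location header.
        if (request.isUserInRole(ADMIN_ROLE)) {
            response.sendRedirect(ctx + "/Admin/home.jsf");
        } else if (request.isUserInRole(GENERAL_ROLE)) {
            response.sendRedirect(ctx + "/Common/index.jsf");
        } else {
            request.logout(); // authenticated but holds no known role: drop the identity
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

Catching only `ServletException` around `login()` keeps a failed authentication distinct from other errors, which the question's catch-all `Exception` handler reports as an invalid password.
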
Hi BalusC, removing those three lines doesn't help still. It still doesn't redirect me. Here is what I get in the Glassfish Admin Console:

    FINE: [Web-Security] Checking Web Permission with Principals : nitesh, Admin
    FINE: [Web-Security] Web Permission = (javax.security.jacc.WebRoleRefPermission AuthenticationCheck Admin)
    FINE: [Web-Security] hasRoleRef perm: (javax.security.jacc.WebRoleRefPermission AuthenticationCheck Admin)
    FINE: [Web-Security] hasRoleRef isGranted: true
    INFO: Found in Admin Role

Ankit Rathod
    FINE: SecurityContext: setCurrentSecurityContext method called
    FINE: [Web-Security] Policy Context ID was: Blogger/Blogger
    FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission /Admin/home.xhtml GET)
    FINE: [Web-Security] hasUserDataPermission isGranted: true
    FINE: [Web-Security] Policy Context ID was: Blogger/Blogger
    FINE: [Web-Security] Generating a protection domain for Permission check.
    FINE: [Web-Security] Codesource with Web URL: file:/Blogger/Blogger
    FINE: [Web-Security] Checking Web Permission with Principals : null

Ankit Rathod
    FINE: [Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /Admin/home.xhtml GET)
    FINE: [Web-Security] hasResource isGranted: false
    FINE: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /Admin/home.xhtml GET)
    FINE: [Web-Security] Policy Context ID was: Blogger/Blogger
    FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission /Common/index.jsf GET)
    FINE: [Web-Security] hasUserDataPermission isGranted: true

Please help me BalusC!!
Ankit Rathod
What exactly happens instead of the redirect? Isn't there some filter blocking/changing the request?
BalusC
No BalusC, there are no filters. The same form, when I submit it to j_security_check, works great. But for HttpServletRequest#login it doesn't. I just have normal constraints (in login config) in web.xml and configured it to have form based login. Besides that, there are no filters or anything. Am I doing it right? Can HttpServletRequest#login actually replace j_security_check? If so, then why is it not working? Any idea?
Ankit Rathod
Please have a look at the log above and especially this line in the 2nd comment: "Checking Web Permission with Principals : null". Once I get the principal with nitesh, Admin, why does it become null again? I am just guessing that maybe HttpServletRequest#login is only for a particular request and not for the complete session. That's why once the principal becomes nitesh, Admin and then when I redirect, the principals are found to be null and so it throws me to the login page again.
Ankit Rathod
+1  A: 

I am not sure, but I think this issue is the subject of

https://glassfish.dev.java.net/issues/show_bug.cgi?id=11340

rahul_d_m
If you are using GlassFish you can try com.sun.appserv.security.ProgrammaticLogin to do the login process (available in security.jar in the <GF-DOMAIN-DIR>/modules directory).
rahul_d_m