Hello, I am trying to execute a filter on j_security_check to perform some post-login actions like changing the redirect URL etc. But the problem is my filter never gets executed. Any patchwork that I can apply? Any help would be appreciated. I am literally fed up with container-managed security.

Thanks in advance.

A: 

IMHO you shouldn't try to intercept the container's authentication system; in your case, the redirect URL can be declaratively set in web.xml.

If you want to perform some post-authentication actions, I suggest setting up a dummy post-auth servlet/jsp that does what you want and then redirects to the requested resource. That post-auth servlet can then be properly configured as the post-login page.

Olivier Croisier
Hi Olivier, as far as I know we can't set the redirect URL in web.xml. I have different roles, e.g. Admin and General. Can you set the success URL after login for both these roles in web.xml for the same login page? So if Admin logs in he should be redirected to /Admin/home.jsp and for General it should be /General/home.jsp and so on. In my opinion this is not at all possible. That's why I was trying to keep a filter on j_security_check. Still, if I am missing something please let me know.
Ankit Rathod
+1  A: 

You cannot programmatically hook on /j_security_check. This is a security restriction.

Your best bet is to determine the first-time login by manually checking the user principal in the HttpSession and put it there if absent and then do your thing. I've posted a similar answer before here. Here's an extract of the filter code; you just need to map the filter on the desired url-pattern covering the secured pages.

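```java
// Imports for the enclosing Filter class.
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    // getUserPrincipal() returns null until the container has authenticated the user.
    Principal user = httpRequest.getUserPrincipal();
    HttpSession session = httpRequest.getSession();
    if (user != null && session.getAttribute("user") == null) {
        session.setAttribute("user", user);

        // First-time login. You can do your intercepting thing here.
    }
    chain.doFilter(request, response);
}
```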
BalusC
Hi BalusC, actually I wanted to redirect the user to the proper location based on his/her roles. That's why I wanted to keep a filter to see what all variables are set by j_security_check in session/request for URL redirection. I finally found the answer to it. It's kind of patchwork, but more importantly it works :) See this link and please comment on what you think about my approach: http://stackoverflow.com/questions/2478770/servlet-security-question-about-j-security-check-j-username-and-j-password/2493525#2493525
Ankit Rathod
You can just do it in the filter. Cast `response` back to `HttpServletResponse` and call `sendRedirect()`. Scriptlets are bad practice.
BalusC
Yeah, sure! I will take that into account. Instead of a filter then, I can keep a simple servlet too. Anyways, the important thing is now I can rest. I literally searched through each and every link on Google to see if I can set some property here and there and it should start working. But sadly I didn't find any such link. Then I posted on Stack Overflow and here too I got no response. So I was greatly disappointed; then today I started looking at Spring Security to see what it can offer, but finally this idea struck me and now I can rest and let the container handle everything.
Ankit Rathod
This kind of filtering logic doesn't belong in a servlet. A filter is the perfect place for it.
BalusC
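
The approach discussed in this thread (first-login detection in a filter, then `sendRedirect()` by role), put together as an added example that is not code from any of the posters. The class name and the `postLoginDone` session attribute are hypothetical; the role names and home pages are the ones from the question's comments and are assumed to be declared as security roles in web.xml.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter; map it in web.xml to the url-pattern covering the secured pages.
public class PostLoginRedirectFilter implements Filter {

    private static final String FLAG = "postLoginDone"; // assumed session attribute name

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // getUserPrincipal() is non-null only after the container has authenticated the user.
        if (req.getUserPrincipal() != null) {
            HttpSession session = req.getSession();
            if (session.getAttribute(FLAG) == null) {
                session.setAttribute(FLAG, Boolean.TRUE); // run the post-login step once per session
                String home = homeFor(req);
                if (home != null) {
                    // The target is a fixed server-side path, never taken from a request parameter.
                    res.sendRedirect(req.getContextPath() + home);
                    return; // do not continue the chain after redirecting
                }
            }
        }
        chain.doFilter(request, response);
    }

    // Role checks are delegated to the container via isUserInRole().
    private static String homeFor(HttpServletRequest req) {
        if (req.isUserInRole("Admin")) return "/Admin/home.jsp";
        if (req.isUserInRole("General")) return "/General/home.jsp";
        return null; // no matching role: fall through to the originally requested resource
    }

    @Override
    public void destroy() {}
}
```

Because the role decision comes from `isUserInRole()` and the destinations are constants, nothing in the redirect depends on client-supplied input.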