views: 38, answers: 1

I'm using Apache Geronimo as my application server. And authentication is happening over LDAP using Apache Directory Service. I don't have any previous experience with JavaEE software development, so please take it easy on me. Let me know if I need to explain anything in more detail.

Basically my login step is pretty similar to this example from the geronimo documentation: https://cwiki.apache.org/GMOxDOC22/ldap-sample-app-ldap-sample-application.html

There are three different behaviors that are happening when a user is trying to login:

  1. When a user logs in with the correct username, which is in the correct ldap group, they are taken to a secure area of the site. And I'm not sure how to log the user out of the site until their session ends.

  2. When a user logs in with a username/password that isn't in the LDAP directory, the user is redirected to /auth/logonError.html?param=test (this location is specified in 'web.xml')

  3. When a user logs in with a correct username/password that is not in the appropriate group, they are redirected to a "HTTP 403 forbidden page". There is an example of this page at the bottom of the ldap sample. The behavior should be the same as an unauthenticated user.

In all of these cases, there is no way for the user to retry the login process until the browser is restarted or a different browser is used. This is the big problem that I am having.

I would like the following scenarios to happen.

  1. A properly authenticated user can logout, and try to login again.

  2. An improperly authenticated user is redirected to the login screen, and told to try again.

What do I need to do to make this happen? Thanks for your help.

A: 

Doesn't this always happen? You run into a problem, struggle with it for a few days, finally post it to StackOverflow (or wherever), and then you solve the problem relatively easily.

I made some changes to my application that fixed the problem. I'm posting what I did in case anyone stumbles across this from google with a similar problem.

First I created a servlet (called EndSessionServlet) that just did this:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Ends the caller's HTTP session and sends them back to the context root.
public class EndSessionServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        endSession(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        endSession(request, response);
    }

    private void endSession(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // Invalidating the session drops the FORM-authenticated principal with it.
        request.getSession().invalidate();
        // The root is protected, so the container shows the login form again.
        response.sendRedirect(".");
    }
}

And then I added this to my web.xml file:

<error-page>
  <error-code>403</error-code>
  <location>/EndSessionServlet</location>
</error-page>

And I also changed the form-error-page in web.xml:

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>This is not used for FORM login</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/EndSessionServlet</form-error-page>
  </form-login-config>
</login-config>

And I added a link in the section of the webpage that is authenticated to the EndSessionServlet. So the authenticated user can now logout properly.

For the three scenarios:

  1. The user logs in properly and clicks the link to EndSessionServlet to log out.
  2. The user enters a valid username/password for LDAP, but is not in the correct group. This user is sent to the 403 page normally, which now invalidates the session and redirects to the logon page.
  3. The user enters an invalid username/password and is sent to the form-error-page, which is also set to EndSessionServlet. This ends the session and redirects them to the login page.

So all of the scenarios work fine now.

Robert Parker
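The following is an added example, not code from the answer above or from Apache Geronimo, showing the same logout servlet pattern carried a bit further than the answer does: it also clears the container's authenticated principal, avoids creating a throw-away session, expires the session cookie in the browser, and marks the response as not cacheable. It assumes a Servlet 3.0 or later container (for request.logout(), @WebServlet and Cookie.setHttpOnly); on a Servlet 2.5 container such as Geronimo 2.x the request.logout() call, the annotation and the setHttpOnly line have to be dropped and the servlet declared in web.xml instead. The /logout mapping and the JSESSIONID cookie name are assumptions; the cookie name is the usual default but is container-configurable.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout endpoint for FORM-based container authentication.
 *
 * The /logout path is a hypothetical mapping. Like EndSessionServlet in the
 * answer, this servlet can also be named in web.xml as the 403 error-page
 * location and as the form-error-page, so a forbidden or failed login lands
 * here and the user gets a clean retry instead of a stuck session.
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Assumed session cookie name (the common default; containers can rename it).
    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A GET from a plain logout link is accepted, as in the answer.
        terminate(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        terminate(req, resp);
    }

    private void terminate(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Clear the container's notion of the authenticated user (Servlet 3.0+).
        //    Some containers keep the principal even after the session is gone.
        req.logout();

        // 2. Invalidate the existing session, if there is one, without creating
        //    a fresh session just to throw it away.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Expire the session cookie in the browser so a stale id is not
        //    presented on the next request. The path must match the cookie the
        //    container set, which is the context path ("/" for the root context).
        String contextPath = req.getContextPath();
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setMaxAge(0);
        expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
        expired.setHttpOnly(true);
        resp.addCookie(expired);

        // 4. Keep proxies and the browser from caching the logout response.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");

        // 5. Send the user to the (protected) application root. Because it is
        //    protected, the container presents the form-login-page again; using
        //    a context-relative path avoids the ambiguity of a relative "." when
        //    the servlet is reached from a nested URL such as the 403 handler.
        resp.sendRedirect(contextPath + "/");
    }
}
```

The redirect deliberately targets a protected page rather than /login.jsp itself: with FORM authentication the container serves the login page in response to a request for a protected resource, and some containers reject a login form that is submitted without such a pending request. The web.xml fragments from the answer (the 403 error-page and the form-error-page pointing at this servlet) apply unchanged; only the location value would become /logout.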