users@glassfish.java.net

"j_security_check" does not work with URL rewriting

From: <glassfish_at_javadesktop.org>
Date: Mon, 04 Feb 2008 12:10:38 PST

I have an application with form based login, thus I am using "j_security_check".

When an unauthenticated user accesses an application resource that requires authentication, the user is forwarded (or redirected?! - does not matter in this case) to the login page specified in web.xml.

The source code of the servlet that generates the login form looks like this:

writer = response.getWriter();
writer.println("<html><body>"); //TODO head einfügen
writer.println("<form method=\"POST\" action=\"" + response.encodeURL("j_security_check") + "\">");
writer.println("<input type=\"text\" name=\"j_username\">");
writer.println("<input type=\"password\" name=\"j_password\">");
writer.println("<input type=\"submit\" value=\"Submit\">");
writer.println("</form>");
writer.println("</body></html>");

When the user accepts cookies, "j_security_check" works as intended. It authenticates the user and redirects to the requested application resource.
Nothing unusual so far.

BUT when using URL rewriting, "j_security_check" does not work. The user is not authenticated. Instead, he is redirected to the welcome-file listed in web.xml.

I know, the servlet spec says:
"Form based login and URL based session tracking can be problematic to implement.
Form based login should be used only when sessions are being maintained by
cookies or by SSL session information."

Nevertheless, my question is:
Is there a way to use "j_security_check" with URL rewriting using glassfish?
[Message sent by forum member 'zebhed' (zebhed)]

http://forums.java.net/jive/thread.jspa?messageID=257305