
Login using realm security

pradyut
Offline
Joined: 2004-07-13

Hi,
I have recently made a site in which I'm using realm security.
The site is here:
http://void.co.nr

But as I have made a login form in the first page (index.html), it can correctly take the email ID and the password... and throw the user to the error page (error logging in).

But it cannot log the user in... as I have put the code in the index.jsp page:
<%
    // Scriptlet on index.jsp: if the container already knows the caller, send them on.
    java.security.Principal obj = request.getUserPrincipal();
    if (obj != null) {
        String user = obj.getName();
        response.sendRedirect("secureUser/pageU.jsp");
        out.print(user); // written after the redirect, so the browser never shows it
    }
%>

But when I log in using the link above the form (Click here to Login), then it successfully redirects to the loginA.jsp page and I'm able to log in.

Maybe it's due to the config in web.xml:

    <form-login-config>
        <form-login-page>/LoginA.jsp</form-login-page>
        <form-error-page>/loginError.html</form-error-page>
    </form-login-config>

I have tried using

    <form-login-page>/index.jsp</form-login-page>

but still it's not able to log in....

But I have to do something with the login form in index.jsp such that it can log users in....

Thanks
Pradyut
http://pradyut.tk
New Delhi, India

nitkal
Offline
Joined: 2008-10-22

If your objective is to redirect the user to the login page before accessing a secure page (like pageU.jsp), making use of the Glassfish realms, you could use form based authentication after making the pageU.jsp secure:

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/LoginA.jsp</form-login-page>
            <form-error-page>/loginError.html</form-error-page>
        </form-login-config>
    </login-config>

You would be required to have the following in LoginA.jsp:

    <form method="POST" action="j_security_check">
        <input type="text" name="j_username"/>
        <input type="password" name="j_password"/>
        <input type="submit" value="Login"/>
    </form>

If the page to be redirected to after successful authentication (say pageU.jsp) is made a welcome file and secured, accessing the application redirects the user to LoginA.jsp and, if successful, redirects the user to pageU.jsp, and if not, to loginError.html.

Would this help your use-case?

Nithya

arveds
Offline
Joined: 2008-12-31

Hi, Nitkal

I myself agree - I pointed this out in my post of the 7th. As you've made clear, it's important that the form itself is pure HTML, not JSF. I don't know why people insist on doing things differently, but there you go. :-)

As I understand it this is not the way that the OP wishes to do it, hence my last post about programmatic authentication.

Arved

arveds
Offline
Joined: 2008-12-31

I'm not entirely sure what the problem is. The way this usually works is that users going to a secure application would have a start page, in your case presumably 'secureUser/pageU.jsp'. Your welcome file list would include that.

Since pageU.jsp would require authentication, the container will catch a request for that page, and present LoginA.jsp instead. Once you've logged in the container will take you to the requested page, namely pageU.jsp. At that point request.getUserPrincipal() will be the authenticated principal. There is no need to do anything in a web page to redirect or what have you.

Arved Sandstrom

pradyut
Offline
Joined: 2004-07-13

Hi,
Thanks for the reply....
I want the realm to log in without having the user request any secure web page...
which I'm not able to do in the main page, i.e. index.jsp.

Thanks
Pradyut

arveds
Offline
Joined: 2008-12-31

Hi, Pradyut

As you've doubtless gathered the request.getUserPrincipal() method will return null if you're not authenticated. Since the page you want to start at is not under a security constraint it will not initiate a container-based authentication mechanism.

What you could do is what tens of thousands (hundreds of thousands???) of developers already have done, which is to do a programmatic login in a backing bean for the index.jsp page. Your index.jsp simply gathers the username and password, and calls *your* login method (so no use of j_username, j_password, j_security_check). On success your login method does the redirection.

All J2EE application servers use different APIs for programmatic login, so you'll want to find the documentation specific to your server.

NOTE: a lot of JSF developers do this because they wish to use JSF components for the login and login error pages, and if you use those then it's not possible to use standard container-managed FORM authentication (unless you use Tomahawk-style "forceId" attributes on j_username/j_password). That's because the JSF component IDs get modified (e.g. "mainform:j_username"). You _can_ use JSF pages for your login pages with container-managed auth, but the form itself needs to be straight HTML.

pradyut
Offline
Joined: 2004-07-13

Thanks again....
I'm using the Glassfish server and really like the realm security management...
I guess I have to do some redirections for using realm security....
Another important question.....
How can I use cookies in realm security??? If at all it's possible...
Thanks

By the way, do you know of any API for programmatic login... I may not use it, but let's see if they are comfortable with it...

Pradyut
http://pradyut.tk
New Delhi, India

arveds
Offline
Joined: 2008-12-31

Hi, Pradyut

The Glassfish programmatic login is done through the com.sun.appserv.security.ProgrammaticLogin class. It's fairly straightforward.

Let's say I have a realm named "test" set up through the admin console. I've set up users and groups, have the principal -> role mapping done in sun-web.xml, and have my roles defined in web.xml. As per usual.

Once you've gathered your username and password from a JSF login page, the following will do the login:

    ProgrammaticLogin pm = new ProgrammaticLogin();
    boolean loginSuccess = pm.login(username, password, "test", request, response, false);

"test" is my realm that I set up. "request" and "response" are the HttpServletRequest and HttpServletResponse that you get from FacesContext. This is so when you call isUserInRole() or getUserPrincipal() that they actually work, rather than returning null or false...there are other forms of login() that don't involve passing the request and response, but then it's either non-trivial (or impossible) to get this information.

That's all there is to it really. If login didn't succeed you can set a FacesMessage and go right back to your login page; if it was successful that's when you do your redirect to the real start page for your app. For example, something like

    return loginSuccess ? "start" : null;

from the doLogin() JSF action (if using declared navigation in faces-config.xml, with a <redirect/> in your navigation case). Or the usual response.sendRedirect() + facesCtx.responseComplete().

So as you see the realm .... file, LDAP, JDBC, whatever ... is most definitely involved in programmatic authentication.

You also need to grant permission for the programmatic security. For example, in order to get this little demo to work (I was curious, and I haven't tried it on Glassfish till now), I put

    grant codeBase "file:/Users/arveds/Development/NetBeansProjects/TestJSF2/build/web/-" {
        permission com.sun.appserv.security.ProgrammaticLoginPermission "login";
    };

in my $GLASSFISH_INSTALL_LOC/domains/$CURRENT_DOMAIN/config/server.policy file. There's probably a more elegant way to do this, but I don't know it offhand.

As for cookies and realm security, I'm not sure what you mean.

Arved
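An added example, not Arved's code nor anything from the GlassFish project, of the backing-bean login described in this post and the earlier one about programmatic authentication: a JSF 1.x managed bean that calls ProgrammaticLogin with the realm name "test" and the start page secureUser/pageU.jsp from the thread. It assumes the server.policy grant above is in place; the bean name loginBean and the class itself are hypothetical.

```java
import java.io.IOException;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.sun.appserv.security.ProgrammaticLogin;

// Hypothetical request-scoped JSF managed bean (register it in faces-config.xml as "loginBean").
public class LoginBean {
    private static final String REALM = "test";                       // realm name from the thread
    private static final String START_PAGE = "/secureUser/pageU.jsp"; // start page from the thread
    private String username;  // bound to an h:inputText (not j_username)
    private String password;  // bound to an h:inputSecret (not j_password)
    public String getUsername() { return username; }
    public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }

    /** Action for <h:commandButton action="#{loginBean.doLogin}"/> on index.jsp. */
    public String doLogin() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ext.getRequest();
        HttpServletResponse response = (HttpServletResponse) ext.getResponse();
        boolean ok;
        try {
            // Passing request/response ties the principal to this session, so
            // getUserPrincipal()/isUserInRole() work afterwards; the trailing
            // "false" asks for a boolean result rather than a thrown exception.
            Boolean r = new ProgrammaticLogin().login(username, password, REALM, request, response, false);
            ok = r != null && r.booleanValue();
        } catch (Exception e) {
            ok = false; // e.g. unknown realm or missing server.policy grant: treat as a failed login
        } finally {
            password = null; // do not keep the clear-text password on the bean
        }
        if (!ok) {
            // Same generic message for a bad user and a bad password; no detail leaks to the client.
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null; // re-render index.jsp with the message
        }
        try {
            ext.redirect(ext.getRequestContextPath() + START_PAGE);
            ctx.responseComplete(); // response already sent; skip JSF rendering
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return null;
    }
}
```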