Hello all,

I've been using JBoss and Tomcat for a while and have started to move what we have in JBoss/Tomcat to a Tomcat-only environment. It is all OK so far. We have a login mechanism which uses the JDBCRealm stuff. Usernames/pwds/roles are stored in the database. I have protected a set of pages and it all works; I can log in via j_security_check and get to my protected pages. So that is fine and I understand the mechanism.

However, we have a servlet which was called immediately after the j_security_check which performed some site-specific stuff (e.g. setting a cookie, logging the login attempt, etc). This was the code that we used in JBoss; this was called instead of j_security_check upon login. This worked in JBoss but not in Tomcat.

    // Redirect the browser to our login servlet
    String path = "/context/ourLoginServlet";
    response.setStatus(302, "Found");
    response.setHeader("Location", path);

    // Include j_security_check, passing the credentials in the query string
    String rdString = new String("/j_security_check?j_username=" + request.getParameter("j_username")
        + "&j_password=" + request.getParameter("j_password") + "");
    RequestDispatcher rd = application.getRequestDispatcher(rdString);
    rd.include(request, response);
    if (!response.isCommitted())
    {
        response.reset();
    }

You can see what is happening: we create a RequestDispatcher object which calls j_security_check, which is included in the response. I know this is not ideal because, as a GET request, it puts the username/pwd in the access log. So, I'd like to know why this fails in Tomcat. Given that Tomcat was our servlet container in JBoss, it may be some config thing.

I'd also like to do it better. Essentially, I could do it by changing the page that Tomcat redirects to after a successful login. I could set that page to "ourLoginServlet". Is there any way of doing that transparently? I saw an email in the archives that gave this: "<% session.setAttribute("tomcat.auth.originalLocation", "/ourLoginServlet"); %>". I thought I could put that in my login.jsp page and that after j_security_check, we'd get our login servlet called. However, this doesn't seem to change the first page you get sent to after j_security_check. Any idea why not or what the setting should be?

I also tried a filter on j_security_check but for some reason, POSTs to j_security_check don't show up in the access log so I can't set up a filter on it. Any idea what?

Thanks so much for any help or comments.

Chris
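
The message above notes that calling j_security_check as a GET puts the username and password in the access log. The following Python script is an added example, not part of the original message: it finds access-log entries whose query string carries j_password and redacts the value. The sample log lines are constructed, and Common Log Format is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Parameter name taken from the post; compared case-insensitively after URL-decoding.
SENSITIVE = {"j_password"}

# Request field of a Common Log Format line: "METHOD target HTTP/x.y" (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines, not taken from any real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:15:01 +0000] "GET /context/login.jsp HTTP/1.1" 200 1840',
    '192.0.2.10 - - [12/Mar/2024:10:15:09 +0000] '
    '"GET /context/j_security_check?j_username=alice&j_password=s3cr%21t HTTP/1.1" 302 -',
    '192.0.2.11 - - [12/Mar/2024:10:16:30 +0000] "POST /context/j_security_check HTTP/1.1" 302 -',
]

def redact_query(query):
    """Replace the value of every sensitive parameter; return (new_query, found)."""
    out, found = [], False
    for pair in query.split("&"):
        name, _, _ = pair.partition("=")
        if unquote_plus(name).lower() in SENSITIVE:
            pair, found = name + "=[REDACTED]", True
        out.append(pair)
    return "&".join(out), found

def redact_line(line):
    """Return (line_with_password_redacted, leaked) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, False
    path, _, query = m.group("target").partition("?")
    new_query, found = redact_query(query)
    if not found:
        return line, False
    start, end = m.span("target")
    return line[:start] + path + "?" + new_query + line[end:], True

def scan(lines):
    """Return (redacted_lines, 1-based numbers of lines that leaked a password)."""
    redacted, leaked = [], []
    for number, line in enumerate(lines, start=1):
        clean, hit = redact_line(line)
        redacted.append(clean)
        if hit:
            leaked.append(number)
    return redacted, leaked

if __name__ == "__main__":
    cleaned, hits = scan(SAMPLE_LOG)
    print("lines with a password in the URL:", hits)
    print("\n".join(cleaned))
```

Redaction only cleans the log copy; any password found this way has already been written to disk in clear text and should be changed.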