Question

I've got a web application, deployed on GlassFish 3.0.1, which is using container managed security. It's a simple, standard form based implementation using j_security_check against a JDBCRealm. Everything to do with securing the application is fine (and I can't believe I've rolled my own security systems in the past).

What I can't seem to figure out though is how to deal with the case where a user enters the wrong password. My "loginFailed.xhtml" page is shown correctly but I would like to then just direct the user back to the login page (via a link or automatically) to try again.

When I've tried this the link back to the login.xhtml page works fine but the security system appears to have forgotten where it's trying to send the user after they have authenticated. When the user does correctly authenticate an exception is raised because the system tries to load a page that doesn't exist (some mangled version of the login page URL).

I suppose I could direct the user back to the home page and let them try again from there but I've not seen an application with that much of a kludge for a long time. All ideas and help gratefully received...

Solution

I'm assuming you're just using j_security_check on a plain HTML page, correct? You can actually do a programmatic login now using the HttpServletRequest#login method.

Here is an example.

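// Needs: javax.faces.context.FacesContext, javax.servlet.ServletException,
// javax.servlet.http.HttpServletRequest
public String login() {

    FacesContext context = FacesContext.getCurrentInstance();
    HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();

    try {
        // Authenticates against the realm configured for the container.
        request.login(this.userName, this.password);
        return "index?faces-redirect=true";
    } catch (ServletException e) {
        // Thrown when the credentials are rejected or a caller is already authenticated.
        return "error?faces-redirect=true";
    }
}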

So you can send them wherever you want after they log in. This is just a standard JSF backing bean with username and password member variables.

The h:commandButton uses this login method as the jsf action.
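An added example, not part of the original answer: one way to keep the originally requested page across failed attempts when logging in programmatically, and to redirect only to paths inside the application. The bean name `LoginBean`, the fallback page `index.xhtml`, and the setup (login.xhtml is a JSF view bound to this bean and is configured as the form-login-page, so the container forwards protected requests to it) are assumptions.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.annotation.PostConstruct;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.ViewScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

@ManagedBean
@ViewScoped
public class LoginBean implements Serializable { // hypothetical bean name
    private String userName, password;
    private String originalUri; // page the user asked for before being sent to the login view

    @PostConstruct
    public void init() {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        // Set by the container when it forwards a protected request to the login page.
        originalUri = (String) ec.getRequestMap().get(RequestDispatcher.FORWARD_REQUEST_URI);
        String base = ec.getRequestContextPath() + "/";
        // Accept only a path inside this application; "//" or "\" could leave the origin.
        if (originalUri == null || !originalUri.startsWith(base)
                || originalUri.contains("//") || originalUri.contains("\\")) {
            originalUri = base + "index.xhtml"; // assumed landing page
        }
    }

    public void login() throws IOException {
        FacesContext context = FacesContext.getCurrentInstance();
        ExternalContext ec = context.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ec.getRequest();
        try {
            request.login(userName, password);
            ec.redirect(originalUri);
        } catch (ServletException e) {
            // Stay on the same view so originalUri survives; one generic message for every failure.
            context.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Login failed. Check your user name and password.", null));
        } finally {
            password = null; // do not keep the password in view state
        }
    }
    public String getUserName() { return userName; }
    public void setUserName(String userName) { this.userName = userName; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

Because the action returns nothing on failure, the user stays on the login view with the message shown, and the next attempt still redirects to the page first requested.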

OTHER TIPS

Indeed, another solution will be to use JavaScript if you don't want to manage the login in your Java.

login.html (simple html form)

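<form name="loginForm" method="POST" action="j_security_check">
    <!-- j_security_check reads the fields named j_username and j_password -->
    <input id="username" name="j_username" type="text" />
    <input id="password" name="j_password" type="password" />
    <input type="submit" value="Login" />
</form>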

Then for the error.html just add some JavaScript to the body onload

function redirect() {
    // window.location is an object, not a function: assign the target URL to it
    window.location.href = "http://yournewurl";
}
Licensed under: CC-BY-SA with attribution