[jboss-user] [Security & JAAS/JBoss] - Re: Users bookmarking login.jsp causes problems

jkva do-not-reply at jboss.com
Sat Aug 9 08:16:36 EDT 2008


"kathy90031" wrote : Yes, our URL pattern is the same, but I'm not sure you were understanding me correctly.  Our pages ARE secure.
  | 
  | If someone bookmarks http://localhost/WebApp/index.jsp
  | 
  | then they are directed to the login page; after they log in (and are authenticated), they are directed to the home page.
  | 
  | If someone bookmarks http://localhost/WebApp/login.jsp
  | 
  | they log in and receive a BAD REQUEST error EVEN THOUGH they are authenticated.  In fact, if they try to go to index.jsp DIRECTLY from the bad request page, they get in.  
  | 
  | I looked at the JBoss source code and saw what was happening.  JBoss looks up the request to forward to.  Since the users are coming from login.jsp, this variable returns NULL.  Therefore, JBoss throws the bad request error.
  | 
  | Is there a workaround I can configure instead of code?

You could try creating a valve to check if the user browses directly to the login page or if he uses the normal navigation. If he does, redirect him to a secure page. The j_security_check will trigger and redirect the user to the login page.

A valve can be compared with a Servlet filter, but it runs outside the application and has access to otherwise forbidden resources, like Tomcat classes.

More here:
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4169725#4169725
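
One way to write the valve suggested in the reply above, as an added example that is not code from the thread or from JBoss/Tomcat. It assumes the Tomcat 6 valve API (`ValveBase`, `Request.getSessionInternal`, the authenticator's `FORM_REQUEST_NOTE` session note), a login page at `/login.jsp` and a protected page at `/index.jsp`; the package and class names are hypothetical.

```java
package example.valves; // hypothetical package

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Sends direct hits on the form-login page to a protected page instead. */
public class DirectLoginPageValve extends ValveBase {

    // Assumed context-relative paths; override them as valve attributes.
    private String loginPage = "/login.jsp";
    private String securePage = "/index.jsp";

    public void setLoginPage(String loginPage) { this.loginPage = loginPage; }
    public void setSecurePage(String securePage) { this.securePage = securePage; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Assumes the login JSP is reached through the *.jsp mapping, so the
        // servlet path is the page path without any ;jsessionid suffix.
        boolean isLoginPage = loginPage.equals(request.getServletPath());

        // FORM authentication stores the originally requested resource as a
        // session note. No note means there is nothing for j_security_check
        // to return to, which is the bookmarked-login-page case.
        Session session = request.getSessionInternal(false);
        boolean hasSavedRequest = session != null
                && session.getNote(Constants.FORM_REQUEST_NOTE) != null;

        if (isLoginPage && !hasSavedRequest) {
            // Fixed, context-relative target: never derived from request
            // parameters, so the valve cannot be used as an open redirect.
            String target = request.getContextPath() + securePage;
            response.sendRedirect(response.encodeRedirectURL(target));
            return; // the container will now start a normal login flow
        }
        getNext().invoke(request, response);
    }
}
```

The valve is registered with a `<Valve className="example.valves.DirectLoginPageValve"/>` element in the web application's context configuration, and the class has to be on the server's class path rather than inside the WAR.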
