Hi All,
After quite a bit of looking around, we resorted to using a plain login JSP page with a ServletFilter on j_security_check to have container managed authentication in our JSF based web-site using IBM Websphere 5.1
So, basically every other page but the login page is JSF and just the login page is simple JSP with j_username & j_password.
Recently, I started looking in the direction of trying to directly/programmatically invoke j_security_check using URLConnection object. There are various discussions on this on google groups:
1. http://groups-beta.google.com/group/comp.lang.java.programmer/browse_thread/thread/1a2768da559e43ae/243982a33f02ab80?q=URLConnection%20j_security_check&_done=/groups?q=URLConnection%20j_security_check&hl=en&lr=&sa=N&tab=wg&&_doneTitle=Back%20to%20Search&d=&
2. http://groups-beta.google.com/group/weblogic.developer.interest.security/browse_thread/thread/a375370efec24566/b81dc8320bcbc304?q=URLConnection+j_security_check&_done=%2Fgroups%3Fq%3DURLConnection+j_security_check%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg%26&_doneTitle=Back+to+Search&&d#b81dc8320bcbc304
My current code snippet is as follows:
public String submit(){
String retVal = "";
String j_username = getUserId().getValue().toString();
String j_password = getPassword().getValue().toString();
ExternalContext externalContext = getFacesContext().getExternalContext();
String jsessionid = ((HttpSession)externalContext.getSession(false)).getId();
// Only if sanity checks and validations on j_username & j_password pass, proceed further.
ApplicationParameter.getLogger().debug("Current jsessionid=" + jsessionid);
ApplicationParameter.getLogger().debug("submitting login details (userId: " + j_username + " & password: " + j_password + ") to /j_security_check ...");
try {
URL jSecurityCheckURL = new URL("http://localhost:9080/raweb/j_security_check;jsessionid=0000" + jsessionid + ":-1&j_username=" + j_username + "&j_password" + j_password);
HttpURLConnection jSecurityCheckURLConnection = (HttpURLConnection)jSecurityCheckURL.openConnection();
jSecurityCheckURLConnection.setRequestMethod("POST");
jSecurityCheckURLConnection.setInstanceFollowRedirects(false);
// jSecurityCheckURLConnection.addRequestProperty("j_username", j_username);
// jSecurityCheckURLConnection.addRequestProperty("j_password", j_password);
// jSecurityCheckURLConnection.setRequestProperty("j_username", j_username);
// jSecurityCheckURLConnection.setRequestProperty("j_password", j_password);
jSecurityCheckURLConnection.connect();
ApplicationParameter.getLogger().debug("j_security_check returned: " + jSecurityCheckURLConnection.getResponseCode() + ": " + jSecurityCheckURLConnection.getResponseCode());
if (null != externalContext) {
String remoteUser = externalContext.getRemoteUser();
ApplicationParameter.getLogger().debug("Authenticated username: " + remoteUser);
HttpServletRequest httpServletRequest = (HttpServletRequest)externalContext.getRequest();
Principal principal = httpServletRequest.getUserPrincipal();
if (null != principal) {
String userName = principal.getName();
ApplicationParameter.getLogger().debug("Authenticated username: " + userName);
}
} else {
ApplicationParameter.getLogger().debug("Unable to obtain Faces ExternalContext and hence the remote user details.");
}
} catch (MalformedURLException ex) {
ApplicationParameter.getLogger().error(ex);
retVal = "";
} catch (IOException ex) {
ApplicationParameter.getLogger().error(ex);
retVal = "";
}
return retVal;
}
The above code yields the following output:
[DEBUG]: (Newlogin.submit:81) - Current jsessionid=H1QMk3TuyW_W8nSPnOtW-xi
[DEBUG]: (Newlogin.submit:82) - submitting login details (userId: skhanna & password: password) to /j_security_check ...
[DEBUG]: (Newlogin.submit:93) - j_security_check returned: 302: 302
[DEBUG]: (Newlogin.submit:97) - Authenticated username: null
Anyone have any idea why j_security_check returns 302 and also the authenticated username seems to be null indicating that the authentication did not go through!
-Sandeep Khanna