How to programmatically login to j_security_check
Solution 1
The following code works for me in the JSP file:
String url = "j_security_check?j_username=" + username + "&j_password=" + password;
String redirectUrl = response.encodeRedirectURL(url);
response.sendRedirect(redirectUrl);
Solution 2
In my views, login using j_security_check
url by appending username
and password
seems to be a big security venerability.
Instead you can perform following steps:
- create a separate JSP which has a form
- this form POST on
j_security_check
url with username and password - you can dynamically include this JSP
- this JSP can have onload (JS) function which can POST this form.
In this way it will be secure.
Solution 3
You stated you want to login programatically. I would avoid using j_security_check if this is your goal. j_security_check is used with Form-Based Authentication (Check out this Oracle resource on Securing Web Applications - Form Authentication is covered about half way down: http://docs.oracle.com/cd/E24329_01/web.1211/e24485/thin_client.htm).
I would suggest you take a look at that resource and dive into some of the alternatives, but another approach altogether is to use the Java Authentication and Authorization Service (JAAS) API (Here is a tutorial link: http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html) JAAS and a callback handler is the non-abstraction way of programmaticly addressing authentication (and authorization). Many robust frameworks are based on this JAVA API, so it might be worth taking a look if you are still struggling with this issue.
Ozgur Dogus
.net programmer since 2006 c# and asp .net and web technologies in general are main interests. Also I am trying to make a progress on objective c and other mobile technologies.
Updated on January 23, 2020Comments
-
Ozgur Dogus over 4 years
I have a JSP web application which uses
j_security_check
. Is it possible to login a specific user toj_security_check
programmatically via a JSP page if I know the userid and password? I tried to pass the variables as URL parameters this way...response.sendRedirect(www.mydomain.com/j_security_check?j_username=someUserName&j_password=somePassword )
...but it doesn't work. Is there any way to do it?
Edit: here is my login page which works fine right now. I trimmed some of the code for security reasons.
<form name="signon" method="post" action="/j_security_check"> <table width="100%" cellpadding="4" cellspacing="0"> <tr> <td valign="top" colspan="4"> <h2><%= UI.tr(null, "login_details") %> </h2> </td> </tr> <tr> <td valign="top" width="150px"> <%= UI.tr(null, "login_id") %> </td> <td valign="top" width="150px"> <%= UI.tr(null, "login_pass") %> </td> <td valign="top" width="150px"> <%= UI.tr(null, "login_token_or_captcha") %> </td> <td width="100%"> </td> </tr> <tr> <% if (logins == null) { %> <td> <input type="hidden" name="j_uri" value="/index.jsp"> <input type="text" id="username" name="j_username" size="16" style="width: 150px;" autocomplete="off" <%= username == null ? "" : "disabled value='" + username + "'" %> onblur="return checkCaptcha();"> </td> <% } else { %> <td> <select name="j_username" style="width: 150px;"> <% for (Login login : logins) { %> <option><%= login.getUsername() %> </option> <% } %> </select> </td> <% } %> <td><input type="password" name="j_password" size="16" style="width: 150px;"> </td> <td><input type="text" id="mypw" name="mypw" size="16" autocomplete="off" style="width: 150px;"></td> <td><input class="submit" type="submit" name="submit" value="<%= UI.tr(null, "login_submit") %>"></td> </tr> <tr> <td valign="top" colspan="4"> <%-- <% if("registry.nic.hn".equals(request.getServerName())) { %> <!-- GARTH - put whatever you want here for .HN --> <% } else { %> --%> <h2><%= UI.tr(null, "login_news") %> </h2> <div><%= HTMLFormat.addBreaks(SiteConf.getSiteConf().getNews()) %> </div> <%-- <% } %> --%> </td> </tr>