Discussions

Web tier: servlets, JSP, Web frameworks: FORM authentication without j_username/j_password?

  1. I'm about to implement a specific user authentication mechanism with FORM based authentication. So far, i have custom authentication provider for WLS 8.1 server and custom LoginModule to handle incoming POST data using TextInputCallback objects.

    As far as I know, only way to get this incoming POST data to LoginModule is posting it through j_security_check action. However, my incoming POST data does not contain j_username or j_password fields, e.g:

    <form action="j_security_check" method="POST">
    <input type="hidden" name="A" value="1">
    <input type="hidden" name="B" value="2">
    </form>

    And no j_username or j_password fields - this is specific to protocol I have to implement! The thing is that this POST data won't be accessible in my LoginModule because i get redirected to login-error-page immediately.

    Is there any way to get this post data to be accessible in my LoginModule object - with or without using j_security_check?
  2. Hi,

    j_security_check servlet cannot be used if you dont use j_username/j_password fields.

    Write a new servlet (eg MySecurityCheckServlet) and in doPost() method use this code fragment:

    int res = weblogic.servlet.security.ServletAuthentication.weak(userName, passwd, request);
    if (res == weblogic.servlet.security.ServletAuthentication.AUTHENTICATED) {
       // Autentication successfull
    } else {
       // Autentication failed
    }

    Bye, Stefano
  3. add some configuration in your applicationContext-security.xml as below: the java code is in this class AuthenticationProcessingFilter.java you can see the hard code j_username in the file