
Web tier: servlets, JSP, Web frameworks: Bypassing the popup login form in a J2EE compliant server...

  1. We want to pass the userID and password in on a post request so that the login request form is not requested by the Web server. Is this possible?

    Normally when you place security on a servlet or JSP the Web Server will request the browser to pop up a form to authenticate the user.

    Our users have already been authenticated in a Visual Basic application. We want to avoid having them re-authenticate.

    Thanks,
    Anthony
  2. Anthony-

    This is possible.

    There are different types of authentication that you can set up for a Web Application. The default authentication type, BASIC, is the popup window that you are describing. However, you can use FORM authentication to pass the user name and password over a form.

    Take a look at this URL that talks about the web.xml file. Make sure you select FORM for login-config. You will have to specify a link or a page that has the username and password as part of the POST parameters.

    http://edocs.bea.com/wls/docs60/programming/webappdeployment.html#1006585

    Tyler
  3. Thanks.
    I was aware of the form version. But I still thought the default implementation of the browser was to pop up the form one designates and then ask the user to sign in. However, maybe I can add the j_userid and j_password to the original post request.

    The other solution I am considering is coding my own login_module using JAAS. I am not making any rash decisions on direction, I just wanted to give you an initial response to your suggestion.

    I want to be clear that the user has already been authenticated in a Visual Basic system. So we want to pass the user/password into the Java system without the web server popping any other form, be it basic or customized. Thanks for your help. And I will update this thread when one of these directions solves the problem.

    Thanks again,
    Anthony
  4. Well, if that's all you want to do, why don't you pass in the user name and password as part of POST data and have none of your JSPs set up for any authentication?

    In the JSP, you can take the parameters and do an InitialContext() passing the parameters in as part of the Properties object. This would set your Identity on the server without having to do a lot of authenticating. Now, when you call an EJB, the EJB will be able to see the Identity that you specified.

    This is kind of kludgy, however, since your security identity won't be associated with the browser -- rather, it would be part of the request.

    Tyler
  5. Try using form-based authentication, and to log in the user without entering his/her User ID/Password details on the form, try using the ServletAuthentication class and check out the weak method of this class.

    Hope this helps
    -Rahul
  6. Thanks.
    I was aware of the form version. But I still thought the default behavior of the web server was to ask the browser to pop up the form one designated in the web.xml and then ask the user to sign in. However, maybe I can add the j_userid and j_password to the original post request.

    The other solution I am considering is coding my own login_module using JAAS. I am not making any rash decisions on direction, I just wanted to give you an initial response to your suggestion.

    I want to be clear that the user has already been authenticated in a Visual Basic system. So we want to pass the user/password into the Java system without the web server popping any other form to the user -- be it basic or customized. Thanks for your input and any other ideas are clearly welcome. I will update this thread when one of these directions solves the problem.

    Thanks again,
    Anthony