j_security_check called directly
I have a web application, and I want the home page to include a login form, among other data. If the user chooses to log in, he should be redirected to another page (e.g. login_success.jsp). My question is: may I use the j_security_check mechanism for logging in, or is the only way to use a managed bean to take care of the login?

My home page looks like this:

....
    <form action="j_security_check" method="POST" name="loginForm">
        <h:panelGrid columns="2">
            <h:outputLabel id="userNameLabel" for="j_username" value="#{label.home_username}:" />
            <h:inputText id="j_username" autocomplete="off" />
            <h:outputLabel id="passwordLabel" for="j_password" value="#{label.home_password}:" />
            <h:inputSecret id="j_password" autocomplete="off" />

            <h:panelGroup>
                <h:commandButton type="submit" value="Login" />
                <h:commandButton type="reset" value="Clear" />
            </h:panelGroup>
        </h:panelGrid>
    </form>
...

If I press the login button, I get -> HTTP Status 400 - Invalid direct reference to form login page. And it's obvious, the j_security_check mechanism doesn't know where to "redirect", since I didn't request a protected resource before.

Mucus answered 25/5, 2013 at 16:44 Comment(1)
Sorry about that: there are actually two links there, separated by a comma. But somehow, they're rendered as a single link. Here: https://mcmap.net/q/17517/-performing-user-authentication-in-java-ee-jsf-using-j_security_check/1530938. Davinadavine
HTTP Status 400 - Invalid direct reference to form login page.

This means that you manually opened <form-login-page> by a direct request while that's disallowed.


and it's obvious, j_security_check mechanism doesn't know where to "redirect", since I didn't request a protected resource before.

This is not what the error was trying to tell you.


Put the login page in /WEB-INF folder to prevent possible direct access. Then, to trigger login, just request the restricted resource directly. The container will automatically present the login page if necessary.

Or, if you don't have restricted-only resources (i.e. the login only shows more options/features, like in a discussion forum), then don't use a <form-login-page>, but instead a JSF form with a backing bean which invokes HttpServletRequest#login().

Voorhees answered 27/5, 2013 at 12:18 Comment(1)
But if the form page is my home page and the form is included in the form page, I can't put it in /WEB-INF to prevent possible direct access; I want to have direct access. Nilgai
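
The second option in the answer above (a JSF form backed by a bean that invokes HttpServletRequest#login()), sketched as an added example that is not code from the answer's author. The bean name LoginBean and its property names are hypothetical, the javax.* namespace and the JSF managed-bean annotations are assumed to match the question's era, and changeSessionId() assumes a Servlet 3.1+ container.

```java
import java.io.IOException;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Hypothetical backing bean: bind it from an <h:form> on the home page, e.g.
// value="#{loginBean.username}" on the input and action="#{loginBean.login}".
@ManagedBean
@RequestScoped
public class LoginBean {

    private String username;
    private String password;

    public void login() throws IOException {
        FacesContext context = FacesContext.getCurrentInstance();
        ExternalContext external = context.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) external.getRequest();
        try {
            // Authenticates against the realm configured in the container,
            // the same one j_security_check would use. Also throws if a user
            // is already authenticated on this request.
            request.login(username, password);
            // Servlet 3.1+: replace the pre-login session id so it cannot be
            // reused after authentication (session fixation).
            if (request.getSession(false) != null) {
                request.changeSessionId();
            }
            // Target page taken from the question.
            external.redirect(request.getContextPath() + "/login_success.jsp");
        } catch (ServletException e) {
            // One message for every failure cause, so the response does not
            // reveal whether the user name exists.
            context.addMessage(null, new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, "Login failed", null));
        } finally {
            password = null; // do not keep the credential on the bean
        }
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

With this approach the home page stays directly reachable, because no <form-login-page> is involved and the container never has to decide where to send the user after login.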
