log in tomcat with gwt - j_security_check limitation

nicolas....@googlemail.com

Dec 23, 2006, 4:36:21 AM
to Google Web Toolkit
hi,
just solved a pb i found tough, so i bring my 2 cents to the community
about it.

my pb was:
I have a public gwt app that an unauthenticated user sees when he
reaches my website
I have another gwt app secured with Tomcat form based security
mechanism.

i built a login component that is displayed on the welcome page of my
public gwt app.
I want my users to have the possibility to login immediately once they
reach my welcome page.

the pb is that Tomcat does lazy authentication with form based
security. thus, you must first hit a secured url, get an ugly login
page and then you are authenticated.

I have a workaround with gwt that works nicely.

say you have a login component that is included in the welcome page:

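import com.google.gwt.user.client.Cookies;
import com.google.gwt.user.client.HTTPRequest;
import com.google.gwt.user.client.ResponseTextHandler;
import com.google.gwt.user.client.Window;
import com.google.gwt.user.client.ui.Button;
import com.google.gwt.user.client.ui.ClickListener;
import com.google.gwt.user.client.ui.Composite;
import com.google.gwt.user.client.ui.PasswordTextBox;
import com.google.gwt.user.client.ui.TextBox;
import com.google.gwt.user.client.ui.Widget;

public class Login extends Composite implements ClickListener {
    private static Button ok = new Button("login");
    private static String sess; // used to store the jsessionid

    // These declarations are not shown in the post; the names come from the code below.
    // The widget layout and ok.addClickListener(this) are not shown either.
    private String securityUrl = "http://mysite/mywebapp/j_security_check"; // assumed value
    private TextBox usrEmailTxtBox = new TextBox();
    private PasswordTextBox passTxtBox = new PasswordTextBox();

    public void onClick(Widget sender) {
        if (sender == ok) {
            makeLoginRequest();
        }
    }

    // first step is to force tomcat to give your browser a jsessionid
    // for that, access a protected area
    private void makeLoginRequest() {
        HTTPRequest.asyncGet("http://mysite/mywebapp/secure/gwtApp.html",
                new SecurityResponseTextHandler());
    }

    private class SecurityResponseTextHandler implements ResponseTextHandler {
        public void onCompletion(String responseText) {
            // read the jsessionid cookie
            sess = Cookies.getCookie("JSESSIONID");
            makeLoginRequest2();
        }
    }

    private void makeLoginRequest2() {
        // next step is to tell j_security manager to associate the session
        // with the credentials provided by the user
        HTTPRequest.asyncGet(securityUrl + "?jsessionid=" + sess
                + "&j_username=" + usrEmailTxtBox.getText()
                + "&j_password=" + passTxtBox.getText(),
                new SecurityResponseTextHandler2());
    }

    private class SecurityResponseTextHandler2 implements ResponseTextHandler {
        public void onCompletion(String responseText) {
            // the user should be authenticated now
            // you can access the secured area now
            Window.open("http://mysite/mywebapp/secure/gwtApp.html", "_self",
                    "resizable=yes,scrollbars=yes,status=yes");
        }
    }

}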

the nice thing is you can detect bad password / email easily
and you can send the user credentials over https while accessing the
secured app over normal http, to keep the web server load low

give me some feedback (especially if you think my point is unclear).

cheers

nico
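
Added example, not part of the original post and not GWT or Tomcat code: the second request in the code above carries jsessionid, j_username and j_password in a GET query string, so any access log that records the request line stores them in clear text. The script below finds such j_security_check entries and redacts them; the common log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Parameters the login code above places in the URL.
SENSITIVE = {"j_username", "j_password", "jsessionid"}

def redact_target(target):
    """Return (target with sensitive values masked, sorted names that were found)."""
    parts = urlsplit(target)
    found, pairs = set(), []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.add(name.lower())
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(found)

def scan(lines):
    """Report j_security_check requests whose URL carries credentials or a session id."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        redacted, found = redact_target(target)
        if not found or not urlsplit(target).path.endswith("/j_security_check"):
            continue
        findings.append({
            "line": lineno,
            "method": m.group("method"),
            "params": found,
            "redacted": line[:m.start("target")] + redacted + line[m.end("target"):],
        })
    return findings

# Constructed sample lines (not real traffic), common log format.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Dec/2006:04:36:21 +0000] "GET /mywebapp/secure/gwtApp.html HTTP/1.1" 302 -',
    '192.0.2.10 - - [23/Dec/2006:04:36:22 +0000] "GET /mywebapp/j_security_check?jsessionid=ABC123&j_username=user%40example.com&j_password=hunter2 HTTP/1.1" 302 -',
    '192.0.2.11 - - [23/Dec/2006:04:40:00 +0000] "POST /mywebapp/j_security_check HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["line"], f["method"], f["params"], f["redacted"])
```

The POST entry is not reported because its credentials travel in the request body, which the access log does not record.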

Vitrums

Aug 16, 2011, 12:44:27 AM
to google-we...@googlegroups.com, Google Web Toolkit
I found this solution very handy. At least it suits my needs quite well. But there's still an issue with login.jsp, which might also produce an authentication interface for admin tools, for example. The point is that while an ordinary user gets everything he needs, some manager with the "sysadmin" role will also get this UI for login, which is not correct. And it can't be avoided by standard means in Tomcat, because only one login.jsp instance is allowed. And the DTD of web.xml doesn't support mapping URL-specific contexts to different login pages =( E.g. there could easily be two sections, "secure1" and "secure2", with different access constraints.

Actually I spent a couple of hours trying to figure out whether I can distinguish which end-point URL was requested from within the login.jsp code, and I couldn't find any means to do that. I wonder why this option is not supported by Tomcat. Hence one may want to recompile Tomcat with a few additions to the security code to do one of the following:
1. Either allow web.xml to have more than one <login-config> element and parse it accordingly,
or 2. send the end-point href as a request header to the login.jsp servlet, so it can be used to build several branches.

At this point I ran out of ideas. One more thing to mention is that we still need login.jsp to render some handsome interface, because one may try to access your secured part directly rather than asking for the Welcome page. It became quite handy since browsers track history and help the user choose a URL in a combobox below the text box while he types a domain. That's why we must either redirect the user to your sweet login module inside login.jsp, or use login.jsp itself as the destination login URL. The latter means that we should copy/paste the body of your Welcome.html and put the directory with the compiled GWT resources into the root.

I will be grateful if you give me a solution to maintain a URL-dependent context of the login page within one Tomcat webapp.