Ozgur Dogus

Reputation: 921

How to programmatically login to j_security_check

I have a JSP web application which uses j_security_check. Is it possible to login a specific user to j_security_check programmatically via a JSP page if I know the userid and password? I tried to pass the variables as URL parameters this way...

    response.sendRedirect("www.mydomain.com/j_security_check?j_username=someUserName&j_password=somePassword");

...but it doesn't work. Is there any way to do it?

Edit: here is my login page which works fine right now. I trimmed some of the code for security reasons.

    <form name="signon" method="post" action="/j_security_check">
      <table width="100%" cellpadding="4" cellspacing="0">

        <tr>
          <td valign="top" colspan="4">
            <h2><%= UI.tr(null, "login_details") %>
            </h2>
          </td>
        </tr>

        <tr>
          <td valign="top" width="150px">
            <%= UI.tr(null, "login_id") %>
          </td>
          <td valign="top" width="150px">
            <%= UI.tr(null, "login_pass") %>
          </td>
          <td valign="top" width="150px">
            <%= UI.tr(null, "login_token_or_captcha") %>
          </td>
          <td width="100%">&nbsp;</td>
        </tr>


        <tr>

          <%
            if (logins == null) {
          %>
          <td>
            <input type="hidden" name="j_uri" value="/index.jsp">
            <input type="text" id="username" name="j_username" size="16" style="width: 150px;" autocomplete="off" <%= username == null ? "" : "disabled value='" + username + "'" %> onblur="return checkCaptcha();">
          </td>
          <%
          } else {
          %>
          <td>
            <select name="j_username" style="width: 150px;">
              <%
                for (Login login : logins) {
              %>
              <option><%= login.getUsername() %>
              </option>
              <%
                }
              %>
            </select>
          </td>
          <%
            }
          %>
          <td><input type="password" name="j_password" size="16" style="width: 150px;"></td>
          <td><input type="text" id="mypw" name="mypw" size="16" autocomplete="off" style="width: 150px;"></td>
          <td><input class="submit" type="submit" name="submit" value="<%= UI.tr(null, "login_submit") %>"></td>
        </tr>




        <tr>
          <td valign="top" colspan="4">
            <%-- <%
            if("registry.nic.hn".equals(request.getServerName())) {
            %>
            <!-- GARTH - put whatever you want here for .HN -->
            &nbsp;
            <% } else { %> --%>
            <h2><%= UI.tr(null, "login_news") %>
            </h2>
            <div><%= HTMLFormat.addBreaks(SiteConf.getSiteConf().getNews()) %>
            </div>
            <%-- <% } %>     --%>
          </td>
        </tr>

Upvotes: 4

Views: 41218

Answers (4)

Rupesh

Reputation: 2667

In my view, logging in via the j_security_check URL by appending the username and password seems to be a big security vulnerability.

Instead, you can perform the following steps:

  • Create a separate JSP which has a form.
  • This form POSTs to the j_security_check URL with the username and password.
  • You can dynamically include this JSP.
  • This JSP can have an onload (JS) function which POSTs the form.

In this way it will be secure.

Upvotes: 2

Greg Ogreenc

Reputation: 21

You stated you want to log in programmatically. I would avoid using j_security_check if this is your goal. j_security_check is used with Form-Based Authentication (check out this Oracle resource on Securing Web Applications; Form Authentication is covered about halfway down: http://docs.oracle.com/cd/E24329_01/web.1211/e24485/thin_client.htm).

I would suggest you take a look at that resource and dive into some of the alternatives, but another approach altogether is to use the Java Authentication and Authorization Service (JAAS) API (here is a tutorial link: http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html). JAAS and a callback handler is the non-abstraction way of programmatically addressing authentication (and authorization). Many robust frameworks are based on this Java API, so it might be worth taking a look if you are still struggling with this issue.

Upvotes: 1

Michael

Reputation: 10319

The following code works for me in the JSP file:

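    // URL-encode both values so characters such as '&', '=' or '+' do not corrupt the query string.
    String url = "j_security_check?j_username=" + java.net.URLEncoder.encode(username, "UTF-8")
            + "&j_password=" + java.net.URLEncoder.encode(password, "UTF-8");
    String redirectUrl = response.encodeRedirectURL(url);
    response.sendRedirect(redirectUrl);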

Upvotes: 3
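
Where the concern about appending the username and password to the j_security_check URL shows up in practice, as an added example that is not part of any answer on this page: a request's query string is written to web-server access logs and can travel in Referer headers, while a form POST body is not. The Python sketch below scans combined-format log lines for `j_password` in URLs and redacts it; the log lines, host names and the `scan`/`redact_url` helpers are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample access-log lines (combined log format); all values are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /j_security_check?j_username=alice&j_password=S3cr%21t HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /css/login.css HTTP/1.1" 200 5120 "http://www.example.test/j_security_check?j_username=alice&j_password=S3cr%21t" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:02:10 +0000] "POST /j_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

SENSITIVE = {"j_password"}  # query parameters that must never appear in a URL

# Captures the method and target of the request line, then the Referer field.
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def redact_url(url):
    """Return (url_with_sensitive_values_masked, leaked_flag)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(key in SENSITIVE for key, _ in pairs):
        return url, False
    safe = [(k, "REDACTED" if k in SENSITIVE else v) for k, v in pairs]
    return parts._replace(query=urlencode(safe)).geturl(), True

def scan(log_text):
    """Yield-like list of (line_number, field, method, redacted_url) findings."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = LINE_RE.search(line)
        if not match:
            continue  # not a combined-format line; skipped
        for field in ("target", "referer"):
            redacted, leaked = redact_url(match.group(field))
            if leaked:
                findings.append((lineno, field, match.group("method"), redacted))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The POST on the third sample line produces no finding because its credentials travel in the request body, which the access log does not record.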

ChadNC

Reputation: 2503

You can have the user enter the username and password on a JSP page and a servlet or use a Facelets page and a bean as described here to log in a user.

Upvotes: 0
