Reputation: 16900
I am trying to execute a filter on j_security_check to perform some post-login actions, like changing the redirect URL etc. But the problem is that my filter never gets executed. Is there any patchwork that I can apply? Any help would be appreciated. I am literally fed up with container-managed security.
Thanks in advance.
Upvotes: 1
Views: 3457
Reputation: 1
One portable solution.
Register a global filter on pattern /*;
in doFilter() try to get a custom object from the session (i.e. user workspace);
if the object is null, put a new object into the session and perform the post-login logic.

    // Requires java.io.IOException, java.security.Principal, javax.servlet.*, javax.servlet.http.*
    public void doFilter(
            ServletRequest request,
            ServletResponse response,
            FilterChain chain
    ) throws IOException, ServletException
    {
        // getUserPrincipal() and getSession() are defined on HttpServletRequest, not ServletRequest.
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        Principal principal = httpRequest.getUserPrincipal();
        if (principal != null) {
            HttpSession session = httpRequest.getSession();
            UserWorkspace uwks = (UserWorkspace) session.getAttribute("com.foo.myproject.userworkspace");
            if (uwks == null) {
                // First authenticated request in this session.
                uwks = new UserWorkspace(principal);
                session.setAttribute("com.foo.myproject.userworkspace", uwks);
                //
                // post-login code here
                //
            }
        }
        chain.doFilter(request, response);
    }
Upvotes: 0
Reputation: 1108722
You cannot programmatically hook on /j_security_check. This is a security restriction.
Your best bet is to determine the first-time login by manually checking the user principal in the HttpSession and put it there if absent and then do your thing. I've posted a similar answer before here. Here's an extract of the filter code, you just need to map the filter on the desired url-pattern covering the secured pages.
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        // getUserPrincipal() returns java.security.Principal; it is null until the container has authenticated the user.
        Principal user = httpRequest.getUserPrincipal();
        HttpSession session = httpRequest.getSession();
        if (user != null && session.getAttribute("user") == null) {
            session.setAttribute("user", user);
            // First-time login. You can do your intercepting thing here.
        }
        chain.doFilter(request, response);
    }
Upvotes: 1
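A more defensive variant of the first-login filter from the two answers above, as an added example that is not part of either answer: it goes beyond them by running the post-login step again when a different user authenticates on an existing session, and by guarding against parallel first requests. The class name, the session attribute name and the onLogin hook are hypothetical, and the javax.servlet namespace is assumed.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example: map this filter on the url-pattern covering the secured pages.
public class PostLoginFilter implements Filter {
    // Hypothetical attribute name: holds the name of the user already processed in this session.
    static final String ATTR = "postlogin.principalName";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) request;
        Principal principal = http.getUserPrincipal();
        if (principal != null) {
            // The session is only touched for authenticated requests,
            // so anonymous traffic never forces one into existence.
            HttpSession session = http.getSession();
            if (isFirstRequestFor(session, principal.getName())) {
                onLogin(http, principal);
            }
        }
        chain.doFilter(request, response);
    }

    // Returns true once per (session, user name). It also returns true when a
    // different user authenticates on a session that carries another user's marker.
    static boolean isFirstRequestFor(HttpSession session, String name) {
        // Assumption: the container hands out one HttpSession object per session.
        // The servlet spec does not promise that, so onLogin should stay idempotent.
        synchronized (session) {
            if (name.equals(session.getAttribute(ATTR))) {
                return false;
            }
            session.setAttribute(ATTR, name);
            return true;
        }
    }

    // Hypothetical hook: post-login logic goes here (audit log entry, loading preferences).
    protected void onLogin(HttpServletRequest request, Principal principal) { }
}
```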
Reputation: 6149
IMHO you shouldn't try to intercept the container's authentication system; in your case, the redirect URL can be declaratively set in web.xml.
If you want to perform some post-authentication actions, I suggest setting up a dummy post-auth servlet/jsp that does what you want and then redirects to the requested resource. That post-auth servlet can then be properly configured as the post-login page.
Upvotes: 0