j_security_check not working when <Context path=“”>

Question

I use j_security_check as part of JAAS mechanism on a tomcat/tomEE server.

I currently have a context called "admin", that has the login process as a separate page (login.html), and that login page has a form similar to this: <form action="j_security_check" method="post"> with the proper inputs sending j_username & j_password properties.

It all works just fine there.

For clarification, My app is accessible at eg "www.myapp.com/admin"

Now I've been asked to add another webapp in the root of the domain, "www.myapp.com", so i add this in my conf/server.xml :

`<Context 
  docBase="ROOT" 
  path="" 
  reloadable="true" 
/>`

ROOT.war contains the webapp that needs to be in the www.myapp.com/ domain path.

What I'm trying to do is add the j_security_check mechanism to that context as well (it should be done in AJAX instead of a <form> for UX reasons).

Note that i've managed to have cookies on both contexts, but when I make a www.myapp.com/j_security_check call, I always get a 408 Request Timeout response.

How can I perform a j_security_check call from my app's root context path? (without an external login page please)

Answer 1

The problem is that you aren't following the rules of FORM-based authentication: you need to first request a protected resource, then let the container challenge you for username and password. Upon successful authentication, the container will redirect you to the originally-requested resource. This is covered in section 13.6.3 of the Java Servlet Specification Version 3.0 . If you want to handle drive-by logins, you 'll need to do that yourself. Servlet 3.0 has login methods on the HttpServletRequest object, you can just submit your AJAX requests to your own servlet instead of to j_security_check .

Note that <Context> configuration in your server.xml is going to cause endless chaos, and will deploy your ROOT web application twice on the same server. Just put ROOT.war into Tomcat's webapps/ directory and let it auto-deploy.