I am designing a secure login with JSP. I intend to use Form Authorization to access an application on a Websphere. The basic idea is that when internal, authenticated users in the domain accesses a page, it will be as per normal. However, should external users try to access it, it will direct them to a login page, interface with Active Directory, and redirect them to the page upon correct authentication.

In order to make it work, I have tried to modify Web.xml to allow form authentication with the built-in “j_security_check” servlet. Upon logging in, it will greet the user “Hello, !” with a simple function <% request.getRemoteUser() %> or <% request.getUserPrincipal().getName() %>.

Based on the examples found here, I modified my Web.xml details as below:

<welcome-file-list>
    <welcome-file>/protected/index.jsp</welcome-file>
</welcome-file-list>

<security-constraint>
    <web-resource-collection>
        <url-pattern>/protected/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
        <role-name>users</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <description>Administrator</description>
    <role-name>admin</role-name>
</security-role>
<security-role>
    <description>Users</description>
    <role-name>users</role-name>
</security-role>

Under my login.jsp, I have a simple form that does the logging in.

<form action="j_security_check" method="post">
    Username: <input type="text" name="j_username">
    Password: <input type="password" name="j_password">
    <input type="submit" value="Login">
</form>

Under my index.jsp, it greets the users with a simple request.

<body>
    Hello, <% request.getRemoteUser(); %>
    Hello, <% request.getUserPrincipal().getName(); %>
</body>

I am facing three issues here. Importance ranked as it is.

1) Error 403
The redirecting and logging in page works. When I try to access index.jsp, I am redirected to login.jsp. When I enter an incorrect uid:pwd pair, I am greeted with error.jsp. When I log in correctly, I am redirected back to index.jsp but I am greeted with an Error 403: The Website requires you to log in. I am sure I have logged in because I am previously unable to access the built-in snoop page, but after logging in, I can. I suspect it is some settings in my Web.xml

2) Getting the user’s ID
Even upon disabling all protection in the Web.xml and accessing the index.jsp, I am greeted with a “Hello, null!” instead of “Hello, user!“. The codes as shown in the index.jsp should be correct as I copied it out from snoop sample codes found on the internet. request.getRemoteUser() does not work on my index.jsp but works on the snoop page. There must be something I am not calling before performing the request?

3) Security (not important, yet)
I think this j_security_check is under Spring Security. I am trying to encrypt both the sending and the receiving side as well as the transport channel. This is because for authentication, I believe the password must not be sent or stored in clear text. I found some information here which led me to attempt/try to protect this process of authentication.

I would appreciate some guidance and help with regards to the top 3 issues I am facing. It feels like I am close to getting the thing done but it’s so close, yet so far…