Login Hack

The following lesson contains a simple code example
that is a workaround for the infamous
"Invalid direct reference to form login page"
problem with Realm-based security in Tomcat.

Many programmers want a login form as part of their
home page and/or want to prevent people from bookmarking
the real login page.

The data flow of the following example is simple.
loginA.jsp acts as the "home page" containing a login form, and submits to
dummy.jsp which sets two session variables (name & password).
The file dummy.jsp then redirects automatically to a
secured resource (AddClientForm.jsp). This is intercepted by
the real login page login.jsp which reads the session variables
and submits itself to j_security_check. On login failure, a check is done
so that login.jsp does not resubmit itself automatically.

It's a brutal hack, but it works well enough. Let me know what you think.
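
The login.jsp step of the flow described above, as an added example (it is not the original listing from this page). The session attribute names `name` and `password` follow the description; the `esc` helper, the `no-store` header and the choice to clear the attributes on first read, which doubles as the guard against automatic resubmission, are assumptions.

```jsp
<%@ page contentType="text/html; charset=UTF-8" session="true" %>
<%!
    // Hypothetical helper: escape values before echoing them into HTML attributes.
    private static String esc(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
%>
<%
    // Credentials placed in the session by dummy.jsp (names from the description).
    String name = (String) session.getAttribute("name");
    String password = (String) session.getAttribute("password");

    // Consume them exactly once: the password must not linger in the session
    // (or in a persisted session store), and a failed login that lands back
    // on this page finds nothing to resubmit, so there is no submit loop.
    session.removeAttribute("name");
    session.removeAttribute("password");

    boolean autoSubmit = name != null && password != null;

    // The rendered page carries the password, so keep it out of caches.
    response.setHeader("Cache-Control", "no-store");
%>
<html>
<body <%= autoSubmit ? "onload=\"document.forms[0].submit()\"" : "" %>>
<%-- Without session credentials this renders as an ordinary manual login form. --%>
<form method="post" action="<%= request.getContextPath() %>/j_security_check">
  <input type="text" name="j_username" value="<%= esc(name) %>">
  <input type="password" name="j_password" value="<%= esc(password) %>">
  <input type="submit" value="Log in">
</form>
</body>
</html>
```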

The following contains the relevant sections of the associated files:

web.xml


loginA.jsp (the home page or pseudo login form)


dummy.jsp


login.jsp (the actual login page)