24

Is there a standard location for "j_security_check" so that I can take a look at it?

A search of my computer does not find the file, just references to it. So either it's hidden for security reasons or is it not a file?

I have been locked out of an Application and this is the first place I'm taking a look at for solutions.

BalusC
Deepend

3 Answers

29

It's part of the Servlet API and implemented by the servletcontainer. In your case, it's implemented by Tomcat. More specifically, the org.apache.catalina.authenticator.FormAuthenticator class.

        // Is this the action request from the login page?
        boolean loginAction =
            requestURI.startsWith(contextPath) &&
            requestURI.endsWith(Constants.FORM_ACTION);

        // No -- Save this request and redirect to the form login page
        if (!loginAction) {
            session = request.getSessionInternal(true);
            if (log.isDebugEnabled())
                log.debug("Save request in session '" + session.getIdInternal() + "'");
            try {
                saveRequest(request, session);
            } catch (IOException ioe) {
                log.debug("Request body too big to save during authentication");
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        sm.getString("authenticator.requestBodyTooBig"));
                return (false);
            }
            forwardToLoginPage(request, response, config);
            return (false);
        }

        // Yes -- Validate the specified credentials and redirect
        // to the error page if they are not correct
        Realm realm = context.getRealm();
        if (characterEncoding != null) {
            request.setCharacterEncoding(characterEncoding);
        }
        String username = request.getParameter(Constants.FORM_USERNAME);
        String password = request.getParameter(Constants.FORM_PASSWORD);
        if (log.isDebugEnabled())
            log.debug("Authenticating username '" + username + "'");
        principal = realm.authenticate(username, password);
        if (principal == null) {
            forwardToErrorPage(request, response, config);
            return (false);
        }

The Constants.FORM_ACTION is /j_security_check.

As to your concrete problem of being locked out, just make sure that you supply the proper username and password. The user database is normally configured by a realm.

BalusC
6

This is not a file, this is an alias for container based authentication:

http://docs.oracle.com/javaee/1.4/tutorial/doc/Security5.html

Emmanuel Bourg
-1

You don't need to do anything with j_security_check. The problem is elsewhere:

For example:

Connection to the DB (or in your case the tomcat-users.xml file if you're using Tomcat), encryption of the password, something in the web.xml, something in the context.xml. For Glassfish, it could also be the pool and realm or something in the glassfish-web.xml.

Check the logs carefully. For GF you need to enable Finest like so: (a) Go to this page: http://localhost:4848/common/monitor/serverInstMonitoringServerPage.jsf . (b) Set this property to Finest: javax.enterprise.system.core.security

Yster
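Added example, not part of any answer above and not Tomcat's own code: a small Python check that cross-references the two files the answers point to, web.xml and tomcat-users.xml, to explain why a form login through /j_security_check fails for a given user. The file contents, the `/secure/*` pattern, and the users and roles are constructed samples, and the check assumes the realm is backed by tomcat-users.xml; it does not verify passwords or digests.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (assumed names and roles, not from the original page).
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><web-resource-name>secure</web-resource-name>
      <url-pattern>/secure/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>appuser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method><form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config></login-config>
</web-app>"""
TOMCAT_USERS = """<tomcat-users>
  <role rolename="appuser"/>
  <user username="alice" password="constructed" roles="appuser"/>
  <user username="bob" password="constructed" roles="manager-gui"/>
</tomcat-users>"""

def _named(root, name):
    """All elements with this local tag name, ignoring XML namespaces."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def diagnose(web_xml, users_xml, username):
    """Return configuration reasons why `username` cannot get past form login."""
    web, problems = ET.fromstring(web_xml), []
    methods = [e.text.strip() for e in _named(web, "auth-method") if e.text]
    if methods != ["FORM"]:
        problems.append("auth-method is not FORM; the container will not handle /j_security_check")
    for page in ("form-login-page", "form-error-page"):
        if methods == ["FORM"] and not _named(web, page):
            problems.append(page + " is missing from form-login-config")
    # Roles demanded by any auth-constraint; wildcard names count as satisfied.
    required = {r.text.strip() for c in _named(web, "auth-constraint")
                for r in _named(c, "role-name") if r.text}
    users = {}
    for u in _named(ET.fromstring(users_xml), "user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username") or u.get("name")] = roles
    if username not in users:
        problems.append("user is not defined: login is sent to the form-error-page")
    elif required and not required & ({"*", "**"} | users[username]):
        problems.append("user lacks every required role %s: HTTP 403 after login" % sorted(required))
    return problems

if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, diagnose(WEB_XML, TOMCAT_USERS, name) or "OK")
```

An empty result means the descriptor and the user file agree for that user, so the next places to look are the password itself and the container logs.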