filter, filter-mapping and j_security_check
Hi, in my webapp I have protected a page, upload.jsp, so that only admins can reach it, using the FORM method of authentication, and that works well: I can log in as an admin and get to the page. However, on the upload page I have a hidden form field that needs the username and a user id number put in them so I know who is uploading what.
To get the username and get their id from a database I have tried using a LoginFilter to get the request before it goes to j_security_check so that I can get the j_username variable, get info from a database and pass them both on in session variables so that I can get the relevant info on the upload page.
The problem is, the filter doesn't seem to be working. I have put print statements in so that when I log in it should print things out, but it doesn't print a thing out, so I assume it's bypassing my filter?
This is what I have in my web.xml file:
[CODE]
<servlet>
    <servlet-name>Upload</servlet-name>
    <servlet-class>Upload</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>Upload</servlet-name>
    <url-pattern>/upload.jsp</url-pattern>
</servlet-mapping>
<filter>
    <filter-name>Login</filter-name>
    <filter-class>LoginFilter</filter-class>
    <description>Performs pre-login and post-login operation</description>
</filter>
<filter-mapping>
    <filter-name>Login</filter-name>
    <url-pattern>/j_security_check</url-pattern>
</filter-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Upload Page</web-resource-name>
        <description>This page is only accessible to site admins</description>
        <url-pattern>/upload.jsp</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These roles are allowed access</description>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Upload Page</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description>This page is only accessible to site admins</description>
    <role-name>admin</role-name>
</security-role>
[/CODE]
And this is the actual filter with the debug statements:
[CODE]
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.*;

public class LoginFilter implements Filter
{
    protected FilterConfig filterConfig;

    public void init (FilterConfig filter) throws ServletException
    {
        this.filterConfig = filter;
    }

    public void destroy ()
    {
        this.filterConfig = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
    {
        HttpServletRequest req = (HttpServletRequest)request;
        HttpServletResponse res = (HttpServletResponse)response;
        HttpSession session = req.getSession();

        // Username as submitted by the login form; null if the parameter is absent
        String username = req.getParameter("j_username");
        if (username != null)
        {
            // Guard against a NullPointerException when j_username is missing
            session.setAttribute("username", username);
        }

        System.out.println("*****Debug*****");
        System.out.println("Pre-login actions");
        System.out.println("Username - " + username);

        // Hand the request on to the rest of the chain
        chain.doFilter(request, response);

        System.out.println("Filter Done");
        System.out.println("Post-login actions");
    }
}
[/CODE]
Can anyone see what's going wrong?
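An added example, not part of the original post: rather than intercepting the login request, a filter mapped to the protected /upload.jsp can read the identity the container has already authenticated, through getRemoteUser(). It assumes a container that handles /j_security_check internally without running application filters (Tomcat behaves this way); the class name, the USER_IDS map and the "userId" attribute are hypothetical.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example: class name, USER_IDS and the "userId" attribute are
// hypothetical. Map this filter to /upload.jsp, not /j_security_check.
public class AuthenticatedUserFilter implements Filter {

    // Constructed sample data standing in for the database lookup.
    private static final Map<String, Integer> USER_IDS = new HashMap<String, Integer>();
    static {
        USER_IDS.put("alice", Integer.valueOf(1001));
    }

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;

        // Login name the container authenticated; null if not logged in.
        String username = req.getRemoteUser();
        if (username != null) {
            HttpSession session = req.getSession();
            // Fill in once per session, from server-side state only.
            if (session.getAttribute("username") == null) {
                session.setAttribute("username", username);
                // Unknown users get no userId (a null value leaves it unset).
                session.setAttribute("userId", USER_IDS.get(username));
            }
        }
        chain.doFilter(request, response);
    }
}
```

Because the session attributes are set on the server, the upload handler can read them (or call getRemoteUser() directly) instead of trusting a hidden form field, which the browser can change before submitting.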

