Posted to users@tomcat.apache.org by Kim Ming Yap <ya...@hotmail.com> on 2015/05/18 00:46:44 UTC

Tomcat valve JAAS : form error page displayed first before response reaches back to Tomcat valve



Hi,

I'm building a website using form-based authentication integrating with JAAS for user-based authentication. I don't have an issue when a successful credential is authenticated. Rather, I'm having difficulty understanding the flow of JAAS back to the client should the form-based authentication fail.

SOFTWARE:
1. Apache Tomee plus 1.7.1
2. Java 8
3. Tomcat JAAS Realm

OBJECTIVE:
Custom error captured in JAAS login module to propagate to error page

BASIC UNDERSTANDING:
The Tomcat JAAS layer is not integrated with the web container layer. Hence the former does not have access to request, session etc.

SOLUTION:
Using ThreadLocal, which captures the custom error message in the JAAS layer, to be used when the flow reaches back to the custom valve on the way back to the browser.

PROBLEM:
Understanding of basic request/response flow involving Tomcat and JAAS

a. request --> valve --> JAAS --> Filter --> Servlet/JSP
b. response <-- valve (**) <-- JAAS <-- Filter <-- Servlet/JSP

(refer to above clause b)
ThreadLocal in the JAAS layer managed to capture the custom error message and I managed to print it after the getNext() method of the custom valve. Thought of adding this custom error as an attribute in the session object. However, I noticed that the error page is already displayed before I could add this custom error (immediately after the getNext method). Due to that, the ready custom error message cannot be used.

SAMPLE CODES:
1. web.xml

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-redirect-error.jsp?error=true</form-error-page>
      </form-login-config>
    </login-config>

2. Custom valve and defined in META-INF/context.xml

    import java.io.IOException;
    import javax.servlet.ServletException;
    import org.apache.catalina.connector.Request;
    import org.apache.catalina.connector.Response;
    import org.apache.catalina.valves.ValveBase;

    public class SecurityValve extends ValveBase {
        public void invoke(Request request, Response response) throws IOException, ServletException {
            getNext().invoke(request, response);
            System.out.println("after getNext()"); // break point (BP)
        }
    }

1. Did a break point on SecurityValve (indicated at BP)
2. On forms, I purposely enter wrong credential and submit
3. Break point stops at BP
4. login-redirect-error.jsp displayed already
5. Since it stops at break point BP in SecurityValve, the response back to client flow has not reached the browser. Yet the login-redirect-error.jsp is already displayed

QUESTIONS:
How can the login-redirect-error.jsp be displayed on the browser when the response flowing back to client stops at break point BP? The flow back to the client is not fully done yet.

I would really appreciate any help.

Thanks.
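
The ThreadLocal hand-off described under SOLUTION, as an added example that is not part of the original post and uses only JDK classes: `LOGIN_ERROR`, `RejectingLoginModule`, `valveInvoke` and the message text are hypothetical, and a single-thread executor stands in for a pooled request thread. It shows why the valve should clear the slot in a `finally` block: without that, a later request served by the same thread reads the previous login's error.

```java
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class LoginErrorHandoff {
    // Hypothetical holder: per-thread slot the login module writes and the valve reads.
    static final ThreadLocal<String> LOGIN_ERROR = new ThreadLocal<>();

    // Hypothetical login module that always rejects, standing in for the real credential check.
    public static class RejectingLoginModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { }
        public boolean login() throws LoginException {
            LOGIN_ERROR.set("account locked");   // constructed sample message captured in the JAAS layer
            throw new FailedLoginException("login failed");
        }
        public boolean commit() { return false; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    // Stand-in for the valve's invoke(): 'next' plays the role of getNext().invoke(request, response).
    static String valveInvoke(Runnable next, boolean clear) {
        try {
            next.run();
            return LOGIN_ERROR.get();            // what the valve sees after getNext() returns
        } finally {
            if (clear) LOGIN_ERROR.remove();     // reset the slot before the thread is reused
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor(); // one reused request thread
        Runnable failedLogin = () -> {
            try { new RejectingLoginModule().login(); } catch (LoginException expected) { }
        };
        Runnable otherRequest = () -> { };       // a later request that performs no login
        for (boolean clear : new boolean[] {false, true}) {
            worker.submit((Callable<String>) () -> valveInvoke(failedLogin, clear)).get();
            String seen = worker.submit((Callable<String>) () -> valveInvoke(otherRequest, true)).get();
            System.out.println("clear=" + clear + " -> next request sees: " + seen);
        }
        worker.shutdown();
    }
}
```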