Posted to jetspeed-user@portals.apache.org by yao cuihong <ya...@gmail.com> on 2006/01/11 08:54:04 UTC

Login portlet

Hi there.

I have a default page for the role "guest", so that all anonymous users get
to see that page. There is only a single custom Portlet named LoginPortlet
for login in the default page. It collects the login info, and posts to the
same portlet. I want to authenticate the user in the processAction() method
of the portlet. But after authenticating the user successfully, how do I transfer
the result to Jetspeed 2? How does J2 know that the user has been
authenticated?

Thanks

Re: Login portlet

Posted by yao cuihong <ya...@gmail.com>.
>
> Ah -- brilliant! Thank you!


   I found the hidden login page: WEB-INF\templates\login\html\login.jsp.
This page contains hidden items with the names j_username and j_password,
just as you said.

   Thank you.

Re: Login portlet

Posted by Aaron Evans <aa...@yahoo.ca>.
yao cuihong <yaocuihong <at> gmail.com> writes:

> 
> Hi there.
> 
> I have a default page for the role "guest", so that all anonymous users get
> to see that page. There is only a single custom Portlet named LoginPortlet
> for login in the default page. It collects the login info, and posts to the
> same portlet. I want to authenticate the user in the processAction() method
> of the portlet. But after authenticating the user successfully, how do I transfer
> the result to Jetspeed 2? How does J2 know that the user has been
> authenticated?
> 
> Thanks
> 

Jetspeed uses a JAAS realm for authentication.  It is configured in Jetspeed's
context XML (although it can be moved up to the container level).

J2EE containers that use realm authentication require that the request 
parameters j_username and j_password be posted to /j_security_check for 
authentication. 

If you look at jetspeed's web.xml, you will see a standard web application
security constraint and login config:

<!-- Protect LogInRedirectory.jsp.  This will require a login when called -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/redirector</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>


  <!-- Login configuration uses form-based authentication -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Jetspeed</realm-name>
    <form-login-config>
      <form-login-page>/login/login</form-login-page>
      <form-error-page>/login/error</form-error-page>
    </form-login-config>
  </login-config> 

I believe that what happens is that the login portlet posts to the
/login/redirector protected resource. Because the user is not authenticated,
they get redirected to /login/login.  

I believe that the /login/login URI is a blank page that contains a hidden 
form that takes the user name and password parameter values submitted from 
the login portlet and puts them in hidden fields with the names j_username 
and j_password.  It also has some kind of onload JS or meta refresh which 
then causes the hidden form to post to /j_security_check.

If authentication is not successful, the user will be sent to /login/error.
If it is successful, the user will be sent to /login/redirector and they will
now be allowed access to it because they have been authenticated.  This URI
no doubt redirects to the portal root (applying profiling rules).


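
Added example, not part of the original thread or of Jetspeed's code: a small Python model of the form-login exchange described in the reply above, using the URIs and parameter names from the quoted web.xml. The USERS table stands in for the JAAS realm, and the fallback to "/" when no request was saved is an assumption of this model.

```python
# Model of servlet FORM authentication with the URIs from the quoted web.xml.
# USERS and the dict-based session are constructed for this example.
import hmac

PROTECTED = {"/login/redirector"}      # <security-constraint> url-pattern
LOGIN_PAGE, ERROR_PAGE = "/login/login", "/login/error"
USERS = {"alice": "s3cret"}            # constructed stand-in for the JAAS realm


def realm_authenticate(username, password):
    """Stand-in for the realm check, with a constant-time password compare."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def handle(session, method, path, params=None):
    """Return the (action, target) the container produces for one request."""
    params = params or {}
    if path == "/j_security_check":
        user = params.get("j_username", "")
        if method == "POST" and realm_authenticate(user, params.get("j_password", "")):
            # Only the container sets the principal; the portlet never does.
            session["principal"] = user
            # Resume the request that triggered the login ("/" is assumed
            # here when nothing was saved).
            return ("redirect", session.pop("saved_request", "/"))
        return ("forward", ERROR_PAGE)
    if path in PROTECTED and "principal" not in session:
        session["saved_request"] = path  # remembered until login succeeds
        return ("forward", LOGIN_PAGE)
    return ("serve", path)


def login_flow(username, password):
    """Replay the exchange: redirector -> login page -> j_security_check."""
    session, trace = {}, []
    trace.append(handle(session, "POST", "/login/redirector"))
    trace.append(handle(session, "POST", "/j_security_check",
                        {"j_username": username, "j_password": password}))
    if "principal" in session:
        trace.append(handle(session, "GET", "/login/redirector"))
    return session.get("principal"), trace
```

The principal appears in the session only after /j_security_check succeeds, which is why a portlet's processAction() cannot mark the user as authenticated by itself.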