Friday, April 20, 2018

Bad redirect on j_security_check form-based authentication

After the user enters a bad username/password, I handle this by redirecting to an error page. In my case the error page is the same as the login page, but I pass the parameter wrongCredentials so I can render a special block in my JSF page that displays a wrong username/password message. If the user now enters correct credentials, instead of being redirected to the source page he is redirected to */j_security_check with GET and gets 404 Not Found.

What I found interesting is that when wrong credentials are entered, the URL in the browser doesn't change to */login.xhtml?wrongCredentials=true but instead to */j_security_check, yet the rendered page is the login page with the correct error message regarding bad credentials.

Here is my web.xml

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/login.xhtml?wrongCredentials=true</form-error-page>
    </form-login-config>
</login-config>

Also, here is the login page form:

<form id="login_form" name="login_form" action="j_security_check" method="post">
    <table>
        <tbody>
        <tr>
            <td><input type="text" id="username" name="j_username" placeholder="Username"/></td>
        </tr>
        <tr>
            <td><input type="password" id="password" name="j_password" placeholder="Password"/></td>
        </tr>
        <tr>
            <td><input type="submit" value="login" class="btnBlue"/></td>
        </tr>
        </tbody>
    </table>
    <p:panel rendered="${param['wrongCredentials'] != null}" styleClass="wrongPasswordPanel">
        <h:outputText value="Wrong username or password" styleClass="wrongPasswordTxt"/>
    </p:panel>
    <p:panel styleClass="forgotPasswordPanel">
        <h:outputText value="Forgot password? Please, contact " styleClass="wrongPasswordTxt"/><a href="mailto:support@support.com" class="wrongPasswordTxt">support@support.com</a>
    </p:panel>
</form>

I have tried to implement a custom Filter to intercept */j_security_check on a GET request, but the filter is loaded after j_security_check.

I am running WildFly 10.
