I have a web application, and I want the home page to include a login form, among other data. If the user choose to log in, he should be redirected to another page (e.g. login_success.jsp). My question is: may I use j_security_check mechanism for logging in or the only way is to use a managed bean to take care of the login?
my home page looks like this:
....
<form action="j_security_check" method="POST" name="loginForm">
<h:panelGrid columns="2">
<h:outputLabel id="userNameLabel" for="j_username" value="#{label.home_username}:" />
<h:inputText id="j_username" autocomplete="off" />
<h:outputLabel id="passwordLabel" for="j_password" value="#{label.home_password}:" />
<h:inputSecret id="j_password" autocomplete="off" />
<h:panelGroup>
<h:commandButton type="submit" value="Login" />
<h:commandButton type="reset" value="Clear" />
</h:panelGroup>
</h:panelGrid>
</form>
...
if I press login button, I get -> HTTP Status 400 - Invalid direct reference to form login page. and it's obvious, j_security_check mechanism doesn't know where to "redirect", since I didn't request a protected resource before.
HTTP Status 400 - Invalid direct reference to form login page.
This means that you manually opened <form-login-page>
by a direct request while that's disallowed.
and it's obvious, j_security_check mechanism doesn't know where to "redirect", since I didn't request a protected resource before.
This is not what the error was trying to tell you.
Put the login page in /WEB-INF
folder to prevent possible direct access. Then, to trigger login, just request the restricted resource directly. The container will automatically present the login page if necessary.
Or, if you don't have restricted-only resources (i.e. the login only shows more options/features, like in a discussion forum), then don't use a <form-login-page>
, but instead a JSF form with a backing bean which invokes HttpServletRequest#login()
.