Archive | April, 2010

Java AJAX Login

3 Apr

As part of an example Java web app I’m working on I wanted to have AJAX login. That is, username/password fields on the main page with a login button which, when pressed, would keep the same page displayed but update any controls etc. which are enabled by having someone logged in. I could have hand coded something fairly simple (and probably introduced some security holes in the process), but wanted to use the standard Java Web App security, which proved a little more difficult as its default behaviour assumes a separate login page.

I asked a question on Stack Overflow, without getting any particularly helpful answers, but with a bit of googling I found a way.

Question on Stack Overflow:
http://stackoverflow.com/questions/1821178/java-ajax-webapp-security

Here’s a summary of what I did. I would go into it in more detail, but I’m a bad blogger.

Some of this is just the setting up of Spring Security; most of it is based on an old blog post I found here: http://www.jroller.com/sjivan/entry/ajax_based_login_using_aceci

- Added a load of libraries to WEB-INF/lib.
- Added an applicationContext-Security.xml to WEB-INF. This holds the different users and roles and will be replaced by a database implementation.
- Added a load of context paths, filter mappings and listeners to web.xml.
- Used jQuery to provide AJAX functionality to direct a login form to the “/j_spring_security_check” URL. This URL has a filter set up which uses a “RedirectResponseWrapper” to stop the response being redirected and returns either a success or error message depending on whether the logon was OK.
- There is then a “LoggedInStatusServlet” that just provides a yes or no response to show whether the user is logged in, just to prove that the theory of the AJAX login is working in practice. A bit of JavaScript uses this response to display an indication of whether or not you’re logged in.
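As an added illustration (not code from the project zip), here is how the filter and RedirectResponseWrapper described above could be written; the filter name AjaxLoginFilter, the failure URL and the web.xml mapping of the filter ahead of the Spring Security filter chain are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Records the redirect Spring Security issues after processing
// /j_spring_security_check instead of sending it to the browser.
class RedirectResponseWrapper extends HttpServletResponseWrapper {
    private String redirectTarget;          // null until sendRedirect is called

    RedirectResponseWrapper(HttpServletResponse response) {
        super(response);
    }

    @Override
    public void sendRedirect(String location) {
        redirectTarget = location;          // swallow the redirect, remember where it pointed
    }

    String getRedirectTarget() {
        return redirectTarget;
    }
}

// Hypothetical filter mapped in web.xml to /j_spring_security_check, ahead of
// the Spring Security filter chain. It lets the normal authentication filter
// run, then answers the AJAX request with plain text rather than a redirect.
public class AjaxLoginFilter implements Filter {
    // Assumption: this is the authentication-failure-url configured in
    // applicationContext-Security.xml; any other redirect target means success.
    private static final String FAILURE_URL = "/login.html?error=1";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        RedirectResponseWrapper wrapper = new RedirectResponseWrapper((HttpServletResponse) res);
        chain.doFilter(req, wrapper);       // Spring Security authenticates and tries to redirect

        String target = wrapper.getRedirectTarget();
        // No redirect at all means something other than form login handled the
        // request; treat that as a failed login rather than guessing.
        boolean loggedIn = target != null && !target.endsWith(FAILURE_URL);

        res.setContentType("text/plain");
        res.getWriter().write(loggedIn ? "success" : "error");
    }
}
```

The jQuery side only has to POST j_username and j_password to /j_spring_security_check and read the "success"/"error" body; the LoggedInStatusServlet check can then confirm the session really is authenticated.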

There’s also a Spring Forum post here http://forum.springsource.org/showthread.php?t=80549 that discusses a similar approach.

Since doing this I’ve noticed that Java EE 6 has a request.login method to provide programmatic control. I need to investigate further, but that might provide a more standard way of doing this.

If you’re really interested you can download a zip of my Eclipse project here: http://www.mrdw.co.uk/blog/resources/AjaxLoginExample.zip