
In my realm I'm intercepting the authentication of j_security_check, executing some other code and redirecting to j_security afterwards. I managed to do that like so:

    import java.io.IOException;
    import java.net.URLEncoder;
    import java.nio.charset.StandardCharsets;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        HttpServletResponse res = (HttpServletResponse) servletResponse;
        // Credentials submitted by the login form
        String username = req.getParameter("j_username");
        String password = req.getParameter("j_password");

        // other code

        if (username == null) {
            username = "";
        }

        if (password == null) {
            password = "";
        }

        // Hand the credentials to the container's form login via a GET redirect
        // (this is what puts the password into the browser's address bar)
        res.sendRedirect("j_security_check" + "?j_username=" + URLEncoder.encode(username, StandardCharsets.UTF_8)
                + "&j_password=" + URLEncoder.encode(password, StandardCharsets.UTF_8));
    }

The problem I'm having with this approach is that when the user enters a wrong password, the password he entered can be seen in the URL bar of the browser.

To resolve this issue I tried to manually send a POST request to j_security like so:

    import java.io.OutputStream;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.nio.charset.StandardCharsets;

    URL url = new URL("http://localhost:8080" + req.getContextPath() + "/j_security_check");
    HttpURLConnection connection = (HttpURLConnection) url.openConnection();
    connection.setRequestMethod("POST");
    connection.setDoOutput(true);
    connection.setRequestProperty("Content-Type", "application/json");
    connection.setRequestProperty("Accept", "application/json");
    // JSON body with the two fields separated by a comma; the values are
    // concatenated as-is and are not JSON-escaped
    String payload = "{\n" +
        "  \"j_username\": " + "\"" + username + "\",\n" +
        "  \"j_password\": " + "\"" + password + "\"\n" +
        "}";
    byte[] out = payload.getBytes(StandardCharsets.UTF_8);
    // try-with-resources flushes and closes the body before the response is read
    try (OutputStream stream = connection.getOutputStream()) {
        stream.write(out);
    }
    System.out.println(connection.getResponseCode() + " " + connection.getResponseMessage());
    connection.disconnect();

However, this approach doesn't seem to work either, as I always get back a 200 no matter whether the password is correct or not, and the user doesn't get logged in either.

Who's got an idea how I can fix this?

Greta
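A hardened version of the filter, as an added example that is not part of the question (it assumes a Servlet 4.0+ container in the javax namespace, the filter mapped to the login form's POST action such as /login, and a /login.html form page; the realm itself is unchanged): it authenticates with HttpServletRequest.login() inside the same request, so the password stays in the POST body instead of being copied into a redirect URL where it lands in browser history, proxy and access logs.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter mapped to the login form's POST action (assumed: /login).
// It replaces the redirect-to-j_security_check step so the credentials stay in
// the POST body and never reach the address bar, history or access logs.
public class ProgrammaticLoginFilter implements Filter {

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        HttpServletResponse res = (HttpServletResponse) servletResponse;

        // Only handle the form POST of a not-yet-authenticated user; anything else continues down the chain.
        if (!"POST".equalsIgnoreCase(req.getMethod()) || req.getUserPrincipal() != null) {
            filterChain.doFilter(req, res);
            return;
        }

        String username = req.getParameter("j_username");
        String password = req.getParameter("j_password");
        if (username == null || password == null) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // ... the "other code" from the original filter runs here ...

        try {
            // Servlet 3.0 programmatic login: checks the credentials against the
            // container's realm within this request; no second request is needed.
            req.login(username, password);
        } catch (ServletException failed) {
            // Wrong credentials: back to the form, with no password in the URL.
            res.sendRedirect(req.getContextPath() + "/login.html?error=1");
            return;
        }

        // Fresh session id after a successful login (Servlet 3.1+) blocks session fixation.
        req.changeSessionId();
        res.sendRedirect(req.getContextPath() + "/");
    }
}
```

Because login() runs in the user's own request, the container's session carries the authenticated principal afterwards, which a separate server-side HttpURLConnection can never achieve.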

0 Answers