After a user passes the j_secrurity_check authentication, the page will be redirected to the index page without additional configuration beyond `web.xml` configuration.


The challenge is to run a callback on successful authentication.


A scenario where such a thing is necessary is when the index page is a jsp page and need to show the logged user information from the session without showing a loading page.

Screen Shot 2018-10-15 at 10.00.31


The session needs to be updated right after the successful authentication without a middle loading page.

Using filter is not a solution

j_security_check is a servlet which is responsible for the authentication. if you want to anchor any code in the servlet pipeline. the filter is your fella. However, this is not the case with running actions such as updating the session since when the filter catch the servlet call before executing the servlet, the authentication result is not valid which is too early to assume anything regarding the session. After the servlet is executed and the filter is called again, the response is frozen and cannot be changed. neither do the session of course.


Documented Solution – Weak

The documented solution is to call another servlet after loading the index page which will load the content to the session.

in case your index page is a jsp page and it depends on the session’s content, then when j_security_check redirects to the index page as configured in the web.xml, then the session will be empty and the content will be invalid.


configuring the successful page to be the action servlet will not work as it is not a client page.

My Undocumented Solution

1. Use a filter for j_security_check servlet in order to override the redirect cookie which contains the redirect url after successful authentication. for Liberty server, it is WASReqURL.

2. Before chain forward, override the redirection cookie header to point to the injected servlet.


3. When the authentication is positive, the redirect link will be read from the cookie and the servlet which loads the content to the session will be called.

public class FilterLogin implements Filter {
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain){
// inject cookie
Cookie c = getCookie(httpServletResponse, "WASReqURL");
if(c == null){
// inject the cookie if it is not there
c = new Cookie("WASReqURL", "");
String newUrl = "/my_action_servlet";
// update the cookie value with the new url
// continue to the j_security_check
chain.doFilter(request, response);
view raw hosted with ❤ by GitHub