I use `j_security_check` as part of the JAAS mechanism on a Tomcat/TomEE server.
I currently have a context called "admin" that has the login process as a separate page (login.html), and that login page has a form similar to this: `<form action="j_security_check" method="post">` with the proper inputs sending the j_username & j_password properties.
It all works just fine there.
For clarification, my app is accessible at e.g. "www.myapp.com/admin".
Now I've been asked to add another webapp in the root of the domain, "www.myapp.com", so I add this in my `conf/server.xml`:
`<Context
docBase="ROOT"
path=""
reloadable="true"
/>`
`ROOT.war` contains the webapp that needs to be in the www.myapp.com/ domain path.
What I'm trying to do is add the `j_security_check` mechanism to that context as well (it should be done in AJAX instead of a `<form>` for UX reasons).
Note that I've managed to have cookies on both contexts, but when I make a www.myapp.com/j_security_check call, I always get a `408 Request Timeout` response.
How can I perform a `j_security_check` call from my app's root context path? (without an external login page please)
The problem is that you aren't following the rules of FORM-based authentication: you need to first request a protected resource, then let the container challenge you for username and password. Upon successful authentication, the container will redirect you to the originally-requested resource. This is covered in section 13.6.3 of the Java Servlet Specification Version 3.0. If you want to handle drive-by logins, you'll need to do that yourself. Servlet 3.0 has `login` methods on the `HttpServletRequest` object, you can just submit your AJAX requests to your own servlet instead of to `j_security_check`.
Note that `<Context>` configuration in your `server.xml` is going to cause endless chaos, and will deploy your ROOT web application twice on the same server. Just put `ROOT.war` into Tomcat's `webapps/` directory and let it auto-deploy.
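
Added example, not part of the original answer: one way to write the "own servlet" it describes, using the Servlet 3.0 `HttpServletRequest.login()` call for an AJAX POST. The `/api/login` path, the class name and the JSON body are assumptions; the `j_username`/`j_password` parameter names are reused from the question, and the realm is whatever the root context is already configured with.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Hypothetical endpoint in the ROOT web application; the path is an assumption.
@WebServlet("/api/login")
public class AjaxLoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("application/json");
        resp.setCharacterEncoding("UTF-8");
        resp.setHeader("Cache-Control", "no-store"); // never cache auth responses

        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        if (user == null || pass == null) {
            reply(resp, HttpServletResponse.SC_BAD_REQUEST, false);
            return;
        }
        try {
            // login() throws ServletException if the request is already authenticated.
            if (req.getUserPrincipal() != null) {
                req.logout();
            }
            // Discard any pre-login session so its id cannot be reused (session fixation).
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            // Assumption: Tomcat/TomEE only remembers the principal across requests
            // when a session already exists at the time login() is called.
            req.getSession(true);
            req.login(user, pass); // checked against the realm configured for this context
            reply(resp, HttpServletResponse.SC_OK, true);
        } catch (ServletException e) {
            // Same response for every failure, so the reply does not reveal which part was wrong.
            reply(resp, HttpServletResponse.SC_UNAUTHORIZED, false);
        }
    }

    private static void reply(HttpServletResponse resp, int status, boolean ok)
            throws IOException {
        resp.setStatus(status);
        resp.getWriter().write("{\"authenticated\":" + ok + "}");
    }
}
```

The AJAX client then branches on the 200/401 status instead of following a redirect, which is what `j_security_check` would have issued.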