Custom authentication and extending the login.jsp element.

Fri Aug 31 11:35:54 EDT 2012

Paul, thanks.

That seems consistent with what I see, I just didn't want to have to package my entire authentication app into idp.war.  I am sure you'll understand the desire to keep things separated into components.

Can you tell me how one should "send control back to Shibboleth"?

I am uncertain of how login.jsp does this.  The j_security_check FROM action in login.jsp seems to disappear into the container and I have NOI idea what connects things back to Shibboleth.  I only know that after redirecting to login.jsp and collecting a UID, I am magically returned to my CustomAuthHandler servlet in a second call to the service method. 


-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Paul Hethmon
Sent: Friday, August 31, 2012 11:08 AM
To: Shib Users
Subject: Re: Custom authentication and extending the login.jsp element.

Just replace login.jsp with one of your own. Once you are in the login handler, you own the user experience and interface until you send control back to Shibboleth. But it is a web application, so your resources (pages,
etc) must be available in the context of the web application. The easiest is to include them in the war file.


On 8/31/12 11:02 AM, "PARDEE, MARTIN  (MARTIN)" <mlp at>

>Back in June I started integrating a custom login handler for 
>Shibboleth, which I have done.
>The custom handler uses a web service to launch a phone call to do 
>biometric authentication on a smart phone.
>In case I forgot to,  thanks to everyone who took the time to answer my 
>(sometimes naive) questions in the past.
>In order to extend this prototype to include multiple devices per user 
>(an iPhone, iPad, Android whatever) I need to ask the user for more 
>than just A user ID prior to proceeding with custom authentication.
>This has led me to the following dilemma:
>Once I enter my shibboleth Custom Auth Handler (a servlet in idp.war) I 
>carry on my conversation through login.jsp.
>Once inside login.jsp,  it appears that I have only one opportunity to 
>obtain user data:  j_username and j_password are all that this jsp allows.
>What I would really like to do is redirect to a JSP (other than
>login.jsp) in a different Webapp, which would allow me to develop a 
>user interface that I can extend in any way I need to.
>If I attempt to use request.getRequestDispatcher().include or .forward, 
>I get server side errors (presumably because I'm trying to invoke 
>things outside of the idp.war webapp.
>So my conclusion here is that the only way that I can make my user 
>interface any richer than login.jsp is to bring ALL of the resources 
>that I need for authentication support inside of idp.war. Somehow this 
>just seems wrong.
>It seems obvious that shibboleth was designed to "bridge" to external 
>authenticators. This being the case, there must be a mechanism in here 
>somewhere that will permit me to interact with the user in a richer way 
>than what is available in login.jsp.
>Would someone please help me understand what my options are here?
>Martin Pardee
>To unsubscribe from this list send an email to 
>users-unsubscribe at

To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list