« OS X and Writing/Cod... | Main | AppFuse and Resume... »
20021206 Friday December 06, 2002

Form-based auth - getting the original URL Lance suggested a while back that I try Roller's BreadCrumbFilter to get the originally requested URL for form-based authentication. The idea is that if you can get this URL, you can use it to login again on your form-login-error page. So I added BreadCrumbFilter.java to my security project and mapped it to /*. The value I'm hoping to grab is a URL to welcome.do, since that is where I route users when the hit the welcome page. I found that this filter never gives me welcome.do, but that request.getHeader("referer"); gives it to me just fine - but only in IE. Yeck. I guess Craig was right when he said that you can't reliably get the original URL. I guess you can always just hard-code the action in your form-error-page to go to your main menu. That is, if your app server doesn't support the same page thing. Posted in General at Dec 06 2002, 09:46:18 AM MST 3 Comments

Comments:

Did you try mapping the filter to *.do ? If someone is hitting the welcome page they aren't specifying anything and that is likely why /* fails. Depending on the server calling http://www.clowns.com will not trigger a /* mapping (because there is no slash). Resin (and Tomcat) are like that, whereas WLS 6.1 appears to do a response.sendRedirect( welcome.do ) since I actually *see* this in my address bar - which I do not with the aforementioned servers. So *.do probably will fail to... argh.

Posted by Lance on December 08, 2002 at 09:52 AM MST #

I am doing exactly the same thing using form based authentication. A security filter redirects requests without a critical field "state" to the welcome.do, since the "state" must be specified in the welcome page. The login-error-page drove me nuts. Considering 2 senarios, a user hit back to return to the login page, and refresh it, a user tries to access a protected resource which requires higher role privilege. Both will be redirected to the login page. Can't find a way to tell the different between them.

Posted by Unknown on December 11, 2003 at 09:41 PM MST #

You might try using Tomcat 5.0.16 - if you do request.getRequestURL() on the login.jsp page - it'll actually give you the URL for the protected resource that the user is trying to get to.

Posted by Matt Raible on December 11, 2003 at 09:49 PM MST #

Post a Comment:
  • HTML Syntax: Allowed
Click me to subscribe
Matt Raible is a Web Architecture Consultant specializing in open source frameworks.
« May 2012
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today

Recent Entries

Tag Cloud

abbie appfuse denver flex grails gwt hibernate jack java jsf linkedin maven myfaces rails roller skiing softwaresummit spring springmvc struts2 tapestry travel vacation webframeworks wicket