Matt RaibleMatt Raible is a Java Champion and Developer Advocate at Okta.

The JHipster Mini-Book The JHipster Mini-Book is a guide to getting started with hip technologies today: Angular, Bootstrap, and Spring Boot. All of these frameworks are wrapped up in an easy-to-use project called JHipster.

This book shows you how to build an app with JHipster, and guides you through the plethora of tools, techniques and options you can use. Furthermore, it explains the UI and API building blocks so you understand the underpinnings of your great application.

For book updates, follow @jhipster-book on Twitter.


Over 10 years ago, I wrote my first blog post. Since then, I've authored books, had kids, traveled the world, found Trish and blogged about it all.

Form-based auth - getting the original URL

Lance suggested a while back that I try Roller's BreadCrumbFilter to get the originally requested URL for form-based authentication. The idea is that if you can get this URL, you can use it to login again on your form-login-error page. So I added to my security project and mapped it to /*. The value I'm hoping to grab is a URL to, since that is where I route users when the hit the welcome page. I found that this filter never gives me, but that request.getHeader("referer"); gives it to me just fine - but only in IE. Yeck. I guess Craig was right when he said that you can't reliably get the original URL. I guess you can always just hard-code the action in your form-error-page to go to your main menu. That is, if your app server doesn't support the same page thing.

Posted in General at Dec 06 2002, 09:46:18 AM MST 3 Comments

Did you try mapping the filter to *.do ? If someone is hitting the welcome page they aren't specifying anything and that is likely why /* fails. Depending on the server calling will not trigger a /* mapping (because there is no slash). Resin (and Tomcat) are like that, whereas WLS 6.1 appears to do a response.sendRedirect( ) since I actually *see* this in my address bar - which I do not with the aforementioned servers. So *.do probably will fail to... argh.

Posted by Lance on December 08, 2002 at 09:52 AM MST #

I am doing exactly the same thing using form based authentication. A security filter redirects requests without a critical field "state" to the, since the "state" must be specified in the welcome page. The login-error-page drove me nuts. Considering 2 senarios, a user hit back to return to the login page, and refresh it, a user tries to access a protected resource which requires higher role privilege. Both will be redirected to the login page. Can't find a way to tell the different between them.

Posted by Unknown on December 11, 2003 at 09:41 PM MST #

You might try using Tomcat 5.0.16 - if you do request.getRequestURL() on the login.jsp page - it'll actually give you the URL for the protected resource that the user is trying to get to.

Posted by Matt Raible on December 11, 2003 at 09:49 PM MST #

Post a Comment:
  • HTML Syntax: Allowed