1. Re: Form based authentication - redirect
petertje Feb 25, 2003 7:30 AM (in response to silvester)
> ... since I made a direct request to the login page
> (sort of).
Just don't. Direct the user to his personal menu page, and let Jetty decide whether the user has to login first. This is how web/servlet security is designed: when a user requests a secure page, he is first authenticated by the servlet container and then redirected _automatically_ to the page he originally requested.
Hth,
Peter.
2. Re: Form based authentication - redirect
jhalmes Feb 25, 2003 1:49 PM (in response to silvester)
The answer above is the correct answer. However, if you are backed in a corner I have a couple workarounds.
If you reference the login page directly (like if a user bookmarks it, which is unpreventable by us poor developers) an error of type 400 is thrown. (Note that I'm using Struts, hence the *.do in my paths; feel free to substitute a servlet...)
So you could put a handler in web.xml like this:
    <error-page>
        <error-code>400</error-code>
        <location>/error.do</location>
    </error-page>
Now when that error occurs a request for /error.do will result. I then run code like this:
    if( null == request.getSession( false ) )
    {
        // redirect to the context root
        return mapping.findForward("login");
    }
    else
    {
        // redirect to welcome page
        return mapping.findForward("home");
    }
The result is that if the user references the login page directly and logs in, but error 400 is thrown, they end up being redirected to the welcome page anyway and it looks like they logged in correctly.
I have another trick if this doesn't work but it involves setting state in the session and using a jsp login page to check for the path that was used to arrive at the home page. But I think the error 400 trick works in almost all cases.
I hope the J2EE purists don't stone me for this.
-Jasen
3. Re: Form based authentication - redirect
silvester Feb 25, 2003 7:43 PM (in response to silvester)
I'm sure you've got a point when saying I shouldn't do this since web/servlet security wasn't designed like this, however...
I want pages to display different information for users in different roles. E.g. a teacher may see things like announcements for meetings, while students get invited to yet another party.
I did come up with a workaround for the direct request to the login page problem. It seems Jetty is checking a session variable called org.mortbay.jetty.URI to see where it should redirect the user after a successful form based login (from FormAuthenticator.java).
So, if I set this variable from my pages I actually do get forwarded to a correct page. Is this possibly a solution to the problem where users bookmark the login page?
The problem I'm now facing is that in unprotected pages getUserPrincipal returns null, while returning the correct userid in protected pages....
Any thoughts?
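Added example, not code from any poster in this thread: a sketch of the design recommended in reply 1 (link users to the protected menu page and let the container run the form login) combined with the role-dependent display asked about in reply 3. The class name `MenuServlet`, the role names `teacher` and `student`, the `javax.servlet` package, and a web.xml that places this servlet under a security-constraint with FORM login-config are all assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; MenuServlet and the role names are assumptions.
// Assumed web.xml: this servlet is mapped under a <security-constraint> with
// FORM <login-config>, so the container authenticates before doGet() runs.
public class MenuServlet extends HttpServlet {

    // Choose the view from container-managed roles only, never from request input.
    static String viewFor(boolean teacher, boolean student) {
        if (teacher) return "Announcements for meetings";
        if (student) return "Party invitations";
        return null; // authenticated, but in neither role
    }

    // Minimal HTML escaping for the user name echoed into the page.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        Principal user = req.getUserPrincipal();
        String view = viewFor(req.isUserInRole("teacher"), req.isUserInRole("student"));
        if (user == null || view == null) {
            // null principal: the request was not authenticated (servlet reached
            // outside the constraint). Fail closed rather than render a default.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<h1>Menu for " + escape(user.getName()) + "</h1>");
        out.println("<p>" + view + "</p>");
    }
}
```

Because the role decision comes from `isUserInRole` and the servlet refuses to render when there is no principal, a mapping mistake that exposes it outside the constraint produces a 403 instead of a page with default content.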
4. Re: Form based authentication - redirect
silvester Feb 25, 2003 7:46 PM (in response to silvester)
Just checking to see if this message does turn up.....