4 Replies Latest reply on Feb 25, 2003 7:46 PM by Silvester

    Form based authentication - redirect

    Silvester Newbie

      Hi there,

      We've got a web application which on each page displays a login box if the
      user isn't authenticated, or otherwise his personal menu, etc...

      The problem is, that after succesfully authenticating a user
      (j_security_check target), jetty doesn't know where to redirect the user
      to since I made a direct request to the login page (sort of).

      Shouldn't there be an additional property for j_security_check, like
      j_onsuccess_redirect_to ?

      Does anyone know of a workaround for this problem ? I've read about using
      a custom AuthenticationInterceptor, only I can't find where this
      interceptor is configured ?

      Please help.
      Silvester

        • 1. Re: Form based authentication - redirect
          Peter Doornbosch Apprentice

          > ... since I made a direct request to the login page
          > (sort of).

          Just don't. Direct the user to his personal menu page, and let Jetty decide whether the user has to login first. This is how web/servlet security is designed: when a user requests a secure page, he is first authenticated by the servlet container and than redirected _automatically_ to the page he originally requested.

          Hth,
          Peter.

          • 2. Re: Form based authentication - redirect
            Jasen Halmes Newbie

            The answer above is the correct answer. However if you are backed in a corner I have a couple workarounds.

            If you referene the login page directly (like if a user bookmarks it which is unpreventable by us poor developers) an error of type 400. (note that I'm using struts, hence the *.do in my paths, feel free to subtitute a servlet...)

            So you could put a handler in web.xml like this:
            <error-page>
            <error-code>400</error-code>
            /error.do
            </error-page>

            Now when that error occurs a request for /error.do will result. I then run code like this:

            if( null == request.getSession( false ) )
            {
            // redirect to the context root
            return mapping.findForward("login");
            }
            else
            {
            // redirect to welcome page
            return mapping.findForward("home");
            }

            The result is that if the user references the login page directly and logs in, but error 400 is thrown, they end up being redirect to the welcome page anyway and it looks like they logged in correctly.

            I have another trick if this doesn't work but it involves setting state in the session and using a jsp login page to check for the path that was used to arrive at the home page. But I think the error 400 trick works in almost all cases.

            I hope the J2EE purists don't stone me for this.
            -Jasen

            • 3. Re: Form based authentication - redirect
              Silvester Newbie

              I'm sure you've got a point when saying I shouldn't do this since web/servlet security wasn't designed like this, however...

              I want pages to display different information for users in different roles. E.g. a teacher may see things like announcements for meetings, while students get invited to yet another party.

              I did come up with a workaround for the direct request to the login page problem. It seems Jetty is checking a session variable called org.mortbay.jetty.URI to see where it should redirect the user after a successfull form based login (from FormAuthenticator.java).

              So, if I set this variable from my pages I actually do get forwarded to a correct page. Is this possibly a solution to the problem where users bookmark the login page ?

              The problem I'm now facing is that in unprotected pages getUserPrincipal returns null, while returning the correct userid in protected pages....

              Any thoughts ?

              • 4. Re: Form based authentication - redirect
                Silvester Newbie

                Just checking to see if this message does turn up.....