
j_security_check 'next' page?

 
doug parker
Ranch Hand
Posts: 30
If you access a secured URL and are not authenticated, you get sent to the specified login page. Once you log in, it takes you where you wanted to go earlier. Is there a way to specify the next page to go to after login with j_security_check? BTW, I am using Tomcat.

As an example, I have a login form on my welcome page and after the user authenticates he is sent to his personalized page. How do you do this with j_security_check? I am seeing:
Invalid direct reference to form login page
 
Vishnu Prakash
Ranch Hand
Posts: 1026
 
David O'Meara
Rancher
Posts: 13459
It's a nice link but I don't think it answers the question.

When the user requests a secured resource, the container detects this. It then remembers the original page and sends you to the specified login page. After successfully logging in, the container looks at the original request and sends the user there. This should come as no surprise to you so far.

The part you're looking for is where the container remembers the original request and then uses this value later on once the user logs in. If you can find out how this works, you can piggyback on the mechanism for your own use.

Unfortunately I don't have anything available to test this myself, but there are limited places the information can be stored, so I would start like this:

Define your login page as login.jsp and register this with Tomcat. Add extra code in the JSP to look at all of the cookies and Session values and dump them to the page. As long as you find the information you're looking for, you can then look at ways to set this value yourself when a user logs in and does not already have a redirect location defined.

This is still not quite an answer, since you may not be able to define at that stage exactly which 'user home' you should be sending to. One solution is to detect the forward location; if this location is not set or not valid (due to security reasons), set it to some default secured location, such as /users/index.jsp

Once the user has logged in and finally gets to this page, you now have all the information you need to find their user name, find their home location and do a sendRedirect() to the correct location.

Hope this helps. I haven't done this before although I've considered it several times. Tell me how you get along.

Dave.
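The "default secured location" approach Dave describes, written out as an added example (this is not code from the thread, from Tomcat, or from either poster). The idea: make the container do the login dance on a constrained URL, then let a tiny landing servlet at that URL look up the now-authenticated user's home page and redirect there. The package name, the `/users/index` mapping, the web.xml fragment in the comment and the user-to-home map are all assumptions constructed for the example. Two caveats from a defender's side are built in: the home location coming from a data store is validated as a context-relative path before `sendRedirect()` so a bad record cannot turn the landing page into an open redirect, and nothing here reads Tomcat's saved-request state, which Tomcat keeps as a container-internal session note rather than an `HttpSession` attribute and which is therefore not something portable application code should depend on. It also explains the error the original poster saw: Tomcat reports "Invalid direct reference to form login page" when `j_security_check` is posted without the container having first redirected to the login page, which is exactly what a free-standing login form on an unprotected welcome page does.

```java
// Added example, not from the thread: a landing servlet at a constrained URL that
// redirects the freshly authenticated user to their own home page.
// Servlet 2.4 era javax.servlet API, as used by Tomcat 5.5.
package example;  // hypothetical package name

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml fragments (hypothetical, constructed for this example):
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>users</web-resource-name>
 *       <url-pattern>/users/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>user</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/login-error.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *   <servlet>
 *     <servlet-name>home</servlet-name>
 *     <servlet-class>example.HomeServlet</servlet-class>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>home</servlet-name>
 *     <url-pattern>/users/index</url-pattern>
 *   </servlet-mapping>
 *
 * Links on the unprotected welcome page point at /users/index; the container
 * sees the constraint, shows login.jsp (which posts to j_security_check), and
 * after a successful login replays the saved request to this servlet.
 */
public class HomeServlet extends HttpServlet {

    // Constructed sample data standing in for a user-profile lookup.
    private static final Map<String, String> HOME_BY_USER = new HashMap<String, String>();
    static {
        HOME_BY_USER.put("alice", "/users/alice/dashboard");
        HOME_BY_USER.put("bob", "/users/bob/dashboard");
        // A deliberately bad record: must never become a redirect target.
        HOME_BY_USER.put("mallory", "http://attacker.invalid/");
    }

    // Fallback when the user has no home configured or the stored value is unsafe.
    private static final String DEFAULT_HOME = "/users/welcome.jsp";

    /** Resolve the redirect target for an authenticated user name (null-safe). */
    static String homeFor(String user, String contextPath) {
        String home = (user == null) ? null : HOME_BY_USER.get(user);
        if (!isLocalPath(home)) {
            home = DEFAULT_HOME;
        }
        return contextPath + home;
    }

    /**
     * Accept only context-relative paths: must start with a single "/" and must not be
     * a scheme-relative "//host" or "/\host" form that browsers treat as a new origin.
     */
    static boolean isLocalPath(String p) {
        return p != null && p.startsWith("/") && !p.startsWith("//") && !p.startsWith("/\\");
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // This URL is inside the security constraint, so by the time the request reaches
        // us the container has already authenticated the user via j_security_check.
        String user = req.getRemoteUser();
        resp.sendRedirect(resp.encodeRedirectURL(homeFor(user, req.getContextPath())));
    }
}
```

The same servlet can sit at the `<welcome-file>` of the protected area if you prefer a JSP-free entry point; the only requirement is that the URL the unauthenticated user first hits is the constrained one, so the container owns the login flow and `j_security_check` is reached via the container's own redirect.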
 
Vishnu Prakash
Ranch Hand
Posts: 1026

The part you're looking for is where the container remembers the original request and then uses this value later on once the user logs in. If you can find out how this works, you can piggyback on the mechanism for your own use.


I think this can help you.

Live Http Headers.

I tried Form Based Authentication.

When a request is made for a constrained resource, and if we had configured Form Based Authentication (or any other type of authentication), we are supposed to get a 401 Unauthorized response from the container first.

But surprisingly I got a 200 OK response


 
Bosun Bello
Ranch Hand
Posts: 1511
The user has not logged in and they get a 200 OK as the response? AFAIK, if the user has not been authenticated, and makes a request for a constrained resource, and form-based authentication is being used, they should get a 401 Unauthorized response. Maybe the experts in the forum can shed some more light on it.
 
Christophe Verré
Sheriff
Posts: 14691
I do get a 401(SC_UNAUTHORIZED) status in my http header.
I'm using Tomcat 5.5.
You can configure Tomcat to dump the HTTP headers.
In server.xml, uncomment the following line :
<Valve className="org.apache.catalina.valves.RequestDumperValve"/>

You can check header information in logs/catalina.YYYY-MM-DD.log

I used BASIC authentication, and got :

 
Vishnu Prakash
Ranch Hand
Posts: 1026

I used BASIC authentication, and got :


Try with Form Based Authentication. You will get 200 OK and NOT 401 Unauthorized.
 
Christophe Verré
Sheriff
Posts: 14691

When a request is made for a constrained resource, and if we had configured Form Based Authentication (or any other type of authentication), we are supposed to get a 401 Unauthorized response from the container first.


Sorry, being lazy I decided to try it on BASIC (you said 'or any other type')
Anyway, you're right. Form authentication returns 200.

Actually, the spec says, p94/p95:

SRV.12.5.3 Form Based Authentication
5. If authentication fails, the error page is returned using either a forward or a redirect, and the status code of the response is set to 200.

----------------

I searched a bit more deeply, in the HTTP RFCs.

14.47 WWW-Authenticate
The WWW-Authenticate response-header field MUST be included in 401 (Unauthorized) response messages. The field value consists of at least one challenge that indicates the authentication scheme(s) and parameters applicable to the Request-URI.

Possible values are described in "HTTP Authentication: Basic and Digest Access Authentication, RFC 2617"
For Basic, "Basic".
For Digest, "Digest".

There is no "Form" value for WWW-Authenticate,
so I guess that 401 is not a valid return error code when using Form Authentication. That's why another code is returned in this case.
[ December 26, 2005: Message edited by: Satou kurinosuke ]
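An added example (not from the thread or from any poster) that turns the conclusion above into something a practitioner can use: because FORM authentication cannot express a WWW-Authenticate challenge, a client cannot rely on the status code to tell "you need to log in" from "here is your page"; a 200 with the login form in the body is the only signal. That matters for health checks and monitors, which happily treat the login page as a healthy 200. The classifier below reads the status, the WWW-Authenticate header (RFC 2616 section 14.47, with the Basic and Digest schemes from RFC 2617 that the post names) and the body, and the three sample responses in `main` are constructed, not captured from a real Tomcat. The package name and the `Outcome` names are assumptions.

```java
// Added example, not from the thread: classify how a container answered a request
// for a constrained resource. BASIC/DIGEST: 401 plus WWW-Authenticate challenge.
// FORM: 200 whose body is the login page posting to j_security_check.
package example;  // hypothetical package name

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class LoginDetector {

    public enum Outcome { NEEDS_HTTP_AUTH, NEEDS_FORM_LOGIN, RESOURCE_SERVED, OTHER }

    public static Outcome classify(int status, Map<String, List<String>> headers, String body) {
        if (status == 401) {
            // RFC 2616 14.47: a 401 MUST carry at least one challenge. The scheme is the
            // first token of each header value; RFC 2617 defines "Basic" and "Digest".
            for (String challenge : headerValues(headers, "WWW-Authenticate")) {
                String scheme = challenge.trim().split("[ \t]+")[0].toLowerCase(Locale.ROOT);
                if (scheme.equals("basic") || scheme.equals("digest")) {
                    return Outcome.NEEDS_HTTP_AUTH;
                }
            }
            return Outcome.OTHER;  // 401 without a recognisable challenge
        }
        if (status == 200) {
            // FORM auth has no challenge header, so the only evidence that we were NOT
            // served the resource is the login form itself: an action of j_security_check
            // together with the j_username field the container expects.
            String lower = (body == null) ? "" : body.toLowerCase(Locale.ROOT);
            if (lower.contains("j_security_check") && lower.contains("j_username")) {
                return Outcome.NEEDS_FORM_LOGIN;
            }
            return Outcome.RESOURCE_SERVED;
        }
        return Outcome.OTHER;
    }

    // Header names are case-insensitive; HttpURLConnection-style maps may use any casing.
    private static List<String> headerValues(Map<String, List<String>> headers, String name) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey() != null && e.getKey().equalsIgnoreCase(name)) {
                return e.getValue();
            }
        }
        return Collections.emptyList();
    }

    public static void main(String[] args) {
        // Constructed sample 1: BASIC-protected resource requested without credentials.
        Map<String, List<String>> basicHeaders = new HashMap<String, List<String>>();
        basicHeaders.put("WWW-Authenticate", Arrays.asList("Basic realm=\"Example Realm\""));
        System.out.println("basic, unauthenticated: " + classify(401, basicHeaders, ""));

        // Constructed sample 2: FORM-protected resource requested without a session.
        // The container answers 200 and the body is the login page.
        String loginPage = "<html><body><form method=\"POST\" action=\"j_security_check\">"
                + "<input type=\"text\" name=\"j_username\">"
                + "<input type=\"password\" name=\"j_password\">"
                + "<input type=\"submit\"></form></body></html>";
        Map<String, List<String>> noHeaders = new HashMap<String, List<String>>();
        System.out.println("form, unauthenticated:  " + classify(200, noHeaders, loginPage));

        // Constructed sample 3: an authenticated session receives the real resource.
        System.out.println("form, authenticated:    "
                + classify(200, noHeaders, "<html><body>Welcome, alice</body></html>"));
    }
}
```

A monitor that probes a FORM-protected URL should treat `NEEDS_FORM_LOGIN` as "login page, not the resource", and a check that only asserts `status == 200` will never notice that the application behind the login is down.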
 