When an unauthenticated user requests a resource, he is redirected to a login page, but j_security_check keeps the originally requested resource. If the user logs in successfully, he is redirected to that resource.
The problem is that sometimes the requested resource is dynamic, so it might not exist. I have a lot of places in my application with this behavior, so instead of validating this in each "resource handler" (controller), we are trying to centralize all this logic in a filter that intercepts the j_security_check forward to the login page.
Now, how can we get the original requested resource kept by the Form-Based Authentication mechanism? Is it vendor dependent?
Another alternative:
If I can run a filter BEFORE the j_security_check, I can't modify the URL, but I can send a redirect to the user with a "valid URL". But how can I execute a filter before the j_security_check?
If pages are dynamic and "may not exist", but yet a link could have been valid at some point in time, and your application barfs on that old request, then something is broken in your application. If "dynamic pages" are really just pattern matches using path variables, then your code should be responsive to those situations, as each page request should be handled appropriately.
Example: I have a page to display a user's public profile. Maybe the user unregisters from my site. Now the "page" shouldn't "exist". In Spring, for example, I would use a PathVariable and make my handler responsive to the existence or non-existence of the user:
    @RequestMapping(value = "/display/{userkey}")
    public String displayUser(@PathVariable("userkey") String userkey) {
        User user = someDAO.getUser(userkey);
        if (user != null) {
            // user still exists: populate the profile view
        } else {
            // user is gone: render a meaningful message or redirect elsewhere
        }
        return "theView";
    }
In this case, I would return some meaningful message to the browser, or maybe redirect to another location. This seems to be less a security issue and more one of application design.
Here is what you need to do:
- Create a filter for j_security_check in the web.xml.
- In your Filter, before the chain.doFilter(...), change the content of the cookie named WASReqURL to redirect to a servlet which will be the post successful login.
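An added example (not the answerer's code) of the filter described above: it hands the container a request in which the WASReqURL cookie points at a post-login servlet, and it only passes the original path along as a "next" hint when that path lies inside this web application. It assumes WebSphere stores the originally requested URL as the value of the WASReqURL cookie, that the filter is mapped to /j_security_check in web.xml, and that /postLogin is a hypothetical servlet of yours that checks whether the dynamic target still exists.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Mapped to /j_security_check in web.xml; rewrites the saved-request cookie before the container logs the user in. */
public class PostLoginTargetFilter implements Filter {
    static final String SAVED_URL_COOKIE = "WASReqURL"; // assumed to hold the originally requested URL
    static final String POST_LOGIN = "/postLogin";      // hypothetical servlet that validates the "next" target

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletRequestWrapper wrapped = new HttpServletRequestWrapper(http) {
            @Override public Cookie[] getCookies() {
                Cookie[] cookies = super.getCookies();
                if (cookies == null) return null;
                Cookie[] out = cookies.clone();
                for (int i = 0; i < out.length; i++) {
                    if (SAVED_URL_COOKIE.equals(out[i].getName())) {
                        // The container redirects to this value after a successful login.
                        out[i] = new Cookie(SAVED_URL_COOKIE, postLoginUrl(out[i].getValue(), getContextPath()));
                    }
                }
                return out;
            }
        };
        chain.doFilter(wrapped, res);
    }

    /** Point the saved URL at POST_LOGIN, carrying the original path as "next" only if it is inside this application. */
    static String postLoginUrl(String saved, String contextPath) {
        try {
            URI u = URI.create(saved);
            String path = u.getPath();
            String base = u.getScheme() == null ? "" : u.getScheme() + "://" + u.getAuthority();
            String next = path != null && path.startsWith(contextPath + "/") ? path : null; // drop foreign targets
            return base + contextPath + POST_LOGIN
                 + (next == null ? "" : "?next=" + URLEncoder.encode(next, "UTF-8"));
        } catch (IllegalArgumentException | java.io.UnsupportedEncodingException e) {
            return contextPath + POST_LOGIN; // malformed cookie value: fall back to the bare post-login servlet
        }
    }
}
```

Whether the container's login processing reads the cookie from the wrapped request or directly from the raw header is vendor specific, which is exactly the question asked above, so verify it on the target server before relying on it.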