jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Re: Utility code for copy/restore request

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Wed, 20 May 2015 16:58:00 +0200

Hi,

On Wed, May 20, 2015 at 4:37 PM, Jean-Louis Monteiro <
jlmonteiro_at_tomitribe.com> wrote:

> So not really sure if it's a good idea to promote this approach.
> Usually after login, it's way easier to send back a redirect (HTTP 302
> or similar).
>

A redirect is sent anyway, but upon arriving at the redirected resource the
authentication module then restores things like POST parameters (most
importantly) and cookies.

At the very least this is roughly what Servlet's FORM does, and I noticed
that people often like to make small variations on that.


> Did I miss something?
>

Maybe that the redirect is there anyway? This is not like JSF's
navigation-without-redirect ;)

From 13.6.3 of the Servlet spec, steps 6 and 7 of FORM authentication:

6. If authentication succeeds, the client is redirected to the resource
using the stored URL path.

7. When the redirected and authenticated request arrives at the container,
the container restores the request and HTTP protocol method, and [...]

Kind regards,
Arjan Tijms

>
> JLouis
>
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
> On Wed, May 20, 2015 at 12:29 PM, arjan tijms <arjan.tijms_at_gmail.com>
> wrote:
>
>> Hi,
>>
>> A while ago I noticed that pretty much every security framework out
>> there, including the Servlet security implementations, has utility code to
>> copy/restore a request.
>>
>> This is needed for the situation where a user does an unauthenticated
>> request to a protected page, then gets to see an authentication page, and
>> after posting that back and having successfully authenticated the original
>> request is restored.
>>
>> Due to the way HttpServletRequest has been designed (or grown perhaps),
>> it's not 100% trivial to do this. Not difficult, but tedious. See for
>> example my implementation here:
>>
>>
>> https://github.com/omnifaces/omnisecurity/tree/master/src/main/java/org/omnifaces/security/jaspic/request
>>
>> What do you think of standardizing such utility code for this JSR? I can
>> of course donate my implementation (it's not really that different from any
>> of the ~10 other implementations out there).
>>
>> To make the work less tedious I've also created an issue for this at the
>> Servlet spec, but didn't get any response yet. See
>> https://java.net/jira/browse/SERVLET_SPEC-60
>>
>> Thoughts?
>>
>> Kind regards,
>> Arjan Tijms
>>
>>
>
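
The save/restore sequence discussed in this thread (save the unauthenticated request, redirect to the login page, redirect back to the stored URL path, then replay method, parameters and cookies onto the arriving request) can be sketched as a small helper. The code below is an added example written for this archive page; it is not code from the thread, from the Servlet reference implementation, or from the OmniSecurity repository linked above. The session attribute name `example.savedRequest`, the class names `SavedRequest`/`RestoredRequest`, and the set of replayed headers are assumptions of this example.

```java
import java.io.Serializable;
import java.util.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/** Snapshot of the parts of a request that a FORM-style login flow replays after login. */
public final class SavedRequest implements Serializable {
    private static final long serialVersionUID = 1L;
    // Hypothetical session attribute name, chosen for this example only.
    static final String SESSION_KEY = "example.savedRequest";
    // Only headers describing the original request are replayed; Cookie and
    // Authorization are deliberately never copied from the pre-login request.
    private static final Set<String> REPLAYED_HEADERS =
            new HashSet<>(Arrays.asList("accept", "content-type"));

    final String method;
    final String requestURI;
    final String queryString;
    final Map<String, String[]> parameters;   // POST parameters are the main reason for all this
    final Map<String, String> cookies;        // name -> value only
    final Map<String, String> headers;        // lower-cased name -> value

    private SavedRequest(HttpServletRequest r) {
        method = r.getMethod();
        requestURI = r.getRequestURI();
        queryString = r.getQueryString();
        parameters = new HashMap<>(r.getParameterMap());
        cookies = new HashMap<>();
        if (r.getCookies() != null) {
            for (Cookie c : r.getCookies()) cookies.put(c.getName(), c.getValue());
        }
        headers = new HashMap<>();
        for (Enumeration<String> e = r.getHeaderNames(); e.hasMoreElements();) {
            String name = e.nextElement().toLowerCase(Locale.ROOT);
            if (REPLAYED_HEADERS.contains(name)) headers.put(name, r.getHeader(name));
        }
    }

    /** Step 1: the auth module calls this before redirecting to the login page. */
    public static void save(HttpServletRequest request) {
        request.getSession(true).setAttribute(SESSION_KEY, new SavedRequest(request));
    }

    /** Step 2 (spec step 6): where to redirect the client after a successful login, or null. */
    public static String savedLocation(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        SavedRequest saved = session == null ? null : (SavedRequest) session.getAttribute(SESSION_KEY);
        if (saved == null) return null;
        return saved.queryString == null ? saved.requestURI : saved.requestURI + "?" + saved.queryString;
    }

    /**
     * Step 3 (spec step 7): called when the redirected, authenticated request arrives.
     * Returns a wrapper that looks like the original request, or null if there is nothing
     * to restore. The snapshot is replayed only onto the URI it was saved for, and only once.
     */
    public static HttpServletRequest restore(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        SavedRequest saved = session == null ? null : (SavedRequest) session.getAttribute(SESSION_KEY);
        if (saved == null || !saved.requestURI.equals(request.getRequestURI())) return null;
        session.removeAttribute(SESSION_KEY);   // one-time use
        return new RestoredRequest(request, saved);
    }

    /** Wrapper that makes the (GET) redirect request report the saved method, parameters and cookies. */
    static final class RestoredRequest extends HttpServletRequestWrapper {
        private final SavedRequest saved;

        RestoredRequest(HttpServletRequest current, SavedRequest saved) {
            super(current);
            this.saved = saved;
        }
        @Override public String getMethod() { return saved.method; }
        @Override public String getQueryString() { return saved.queryString; }
        @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(saved.parameters); }
        @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(saved.parameters.keySet()); }
        @Override public String[] getParameterValues(String name) { return saved.parameters.get(name); }
        @Override public String getParameter(String name) {
            String[] values = saved.parameters.get(name);
            return values == null || values.length == 0 ? null : values[0];
        }
        @Override public Cookie[] getCookies() {
            List<Cookie> list = new ArrayList<>();
            for (Map.Entry<String, String> e : saved.cookies.entrySet()) list.add(new Cookie(e.getKey(), e.getValue()));
            return list.toArray(new Cookie[0]);
        }
        @Override public String getHeader(String name) {
            String replayed = saved.headers.get(name.toLowerCase(Locale.ROOT));
            return replayed != null ? replayed : super.getHeader(name);
        }
    }
}
```

In use, the authentication module calls `save()` on the unauthenticated request before issuing the redirect to the login page, sends the post-login redirect to `savedLocation()`, and on the arriving request calls `restore()` and hands the returned wrapper down the chain (for example via the filter chain or the request object the module passes on). Checking that the saved URI matches the arriving one and removing the snapshot on first use keeps a stale or mismatched POST body from being replayed onto some other resource, which is the part of these helpers that tends to vary between implementations.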