dev@glassfish.java.net

Re: Strange form authentification behaviour

From: Ron Monzillo <Ronald.Monzillo_at_Sun.COM>
Date: Wed, 12 Dec 2007 14:42:07 -0500

Roman Pokhodzhay wrote:
>
>
> Hello!
>
> I can’t retrieve the currently logged in user from the request (when I go to the
> login page directly and log in via the form-based method). It happens because
> method authenticate in
> org.apache.catalina.authenticator.FormAuthenticator doesn’t call
> method register (org.apache.catalina.authenticator.AuthenticatorBase),
> which saves the principal in the request.
>
> But FormAuthenticator does it only in the case when the resource is secure and
> if the re-submit of the original request URI happens.
>
>
>
> Is this standard behavior?
>
Roman,

I think this is a bug (which, fwiw, appears to have been around for some
time). Thanks for bringing it to our attention.

Have you tested, or can you suggest a fix?

It looks to me like maybe the following block from
FormAuthenticator.authenticate should be changed to call register, and
maybe it need not call saveRequest when the current request contains the
loginAction.

requestURI = savedRequestURL(session);
if (requestURI == null) {
     // requestURI will be null if the login form is submitted
     // directly, i.e., if there has not been any original request
     // that was stored away before the redirect to the login form was
     // issued. In this case, assume that the original request has been
     // for the context root, and have the welcome page mechanism take
     // care of it
     requestURI = hreq.getContextPath() + "/";
     saveRequest(requestURI, hreq.getMethod(), session);
}

Ron
>
>
> Sincerely,
>
> Roman Pokhodzhay
>
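
The direct-login path discussed in this thread, as an added example that is not part of the original messages and is not Catalina code: a simplified Java model in which Session, Request, the note keys, the "/app/" context root and the callRegister switch are all hypothetical stand-ins. It assumes later requests take their principal from the session, and that an unconstrained resource never reaches the authenticator.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model, NOT Catalina code: every type and key here is a stand-in.
public class DirectLoginModel {
    static class Session {
        final Map<String, String> notes = new HashMap<>();
        String principal; // assumption: later requests are populated from this
    }
    static class Request {
        final Session session;
        String userPrincipal; // what getUserPrincipal() would return
        Request(Session s) { session = s; userPrincipal = s.principal; }
    }

    // Stand-in for register(): record the principal on request and session.
    static void register(Request req, String principal) {
        req.userPrincipal = principal;
        req.session.principal = principal;
    }

    // Models the login form submission after the credentials were accepted.
    static void loginAction(Request req, String principal, boolean callRegister) {
        Session s = req.session;
        // Principal is parked until the saved original request is re-submitted.
        s.notes.put("formPrincipal", principal);
        if (s.notes.get("savedRequestURI") == null) {
            // Login form submitted directly: there is no original request.
            if (callRegister) {
                register(req, principal); // change suggested in the reply
            } else {
                s.notes.put("savedRequestURI", "/app/"); // behaviour as quoted
            }
        }
    }

    // A later request to a resource with no security constraint: the
    // authenticator is not consulted, so only session.principal is visible.
    static String laterUnprotectedRequest(Session s) {
        return new Request(s).userPrincipal;
    }

    public static void main(String[] args) {
        Session before = new Session();
        loginAction(new Request(before), "roman", false);
        System.out.println("without register: " + laterUnprotectedRequest(before));
        Session after = new Session();
        loginAction(new Request(after), "roman", true);
        System.out.println("with register:    " + laterUnprotectedRequest(after));
    }
}
```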