users@glassfish.java.net

Re: Servlet Filter and https Question

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Tue, 25 Nov 2008 14:09:44 -0800

Hi Ivo,

On 11/25/08 04:01 AM, glassfish_at_javadesktop.org wrote:
> Hello forum;
>
> Using Glassfish v2-ur2. Created a Servlet Filter to listen to all requests (pattern /*). The web application has some secured resources (requires role xy), Form-Based Auth is configured with a login page.
>
> I am not logged in;
> when I call the secured resource over http the servlet filter catches the request (the request targets the login page).
> when I call the same resource over https the server sends me to the login page without passing by ServletFilter.
>
> Is there a reason for this? Can this be configured, or is this a bug in Glassfish?
>
> Thanks for any hints...
>

The behaviour you are seeing is expected:

If the (unauthenticated) request that is trying to access the
protected resource is over HTTP, the container issues a redirect to
the login page, which gives your filter an opportunity to intercept the
request for the login page.

If the request is over HTTPS, the container issues a RequestDispatch
forward to the login page. See
https://glassfish.dev.java.net/issues/show_bug.cgi?id=3374
for the motivation behind this.

This means that in the case of HTTPS, your filter will be bypassed,
unless you configure your filter to also intercept FORWARD dispatches,
and not just REQUEST (the default), like this:

    <filter-mapping>
        <filter-name>YourFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

Hope this helps.

Thanks,

Jan

> Ivo
> [Message sent by forum member 'jdrive' (jdrive)]
>
> http://forums.java.net/jive/thread.jspa?messageID=318605
>
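
An added example, not part of the original message or of GlassFish: a filter written for the REQUEST plus FORWARD mapping shown in the reply, which logs how it was reached and which URI the client originally asked for. The class name and the `SEEN` marker attribute are hypothetical, and it assumes the container's forward to the login page sets the standard `javax.servlet.forward.request_uri` attribute (Servlet 2.4 and later).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Added example (hypothetical class name). Assumes the filter is mapped with
// both <dispatcher>REQUEST</dispatcher> and <dispatcher>FORWARD</dispatcher>.
public class DispatchAwareFilter implements Filter {

    // Standard attribute set on a forwarded request; holds the original URI.
    private static final String FORWARD_URI = "javax.servlet.forward.request_uri";
    // Hypothetical marker so the filter body runs only once per client request,
    // even when a request that already passed the filter is forwarded again.
    private static final String SEEN = DispatchAwareFilter.class.getName() + ".seen";

    private FilterConfig config;

    public void init(FilterConfig config) {
        this.config = config;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (req.getAttribute(SEEN) == null) {
            req.setAttribute(SEEN, Boolean.TRUE);
            Object original = req.getAttribute(FORWARD_URI);
            boolean forwarded = original != null;
            // On a forward, getRequestURI() is the forward target (the login page);
            // the URI the client asked for is in the forward attribute.
            String requested = forwarded ? original.toString() : http.getRequestURI();
            config.getServletContext().log(
                (forwarded ? "FORWARD" : "REQUEST")
                + " secure=" + req.isSecure()
                + " requested=" + requested
                + " serving=" + http.getRequestURI());
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```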