users@glassfish.java.net

Re: URL Redirects Not Working on v2.1 b60e

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Fri, 13 Feb 2009 09:29:20 -0800

Hi Burak,

On 02/13/09 00:30, glassfish_at_javadesktop.org wrote:
> Hi, Jan
> In order to achieve cookieless security, I deliberately disabled cookies and enabled URL rewriting. Now, Glassfish includes jsessionid to the URL but it doesn't include the redirect url when it sends the user to login.

Yes, this is a bug, and I have a fix for it (in FormAuthenticator#forwardToLoginPage), which is to pass the login page URI to encodeRedirectURL before issuing a redirect to it:

Index: FormAuthenticator.java
===================================================================
--- FormAuthenticator.java (revision 24764)
+++ FormAuthenticator.java (working copy)
@@ -444,8 +444,10 @@
                 disp.forward(request.getRequest(), response.getResponse());
                 response.finishResponse();
             } else {
- ((HttpServletResponse)
response.getResponse()).sendRedirect(
- sc.getContextPath() + config.getLoginPage());
+ HttpServletResponse hres = (HttpServletResponse)
+ response.getResponse();
+ hres.sendRedirect(hres.encodeRedirectURL(
+ sc.getContextPath() + config.getLoginPage()));
             }
         } catch (Throwable t) {
             log.log(Level.WARNING,
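
Review bot: The new call in the else branch, `hres.sendRedirect(hres.encodeRedirectURL(`, carries no comment saying why the login page URI is encoded; a one-line comment that this keeps the session id in the redirect when sessions are tracked by URL rewriting (cookies disabled) would stop a later cleanup from reverting it. The change also covers only the hop to the login page: the form on that page still has to submit to a j_security_check action that carries the jsessionid, so that dependency is worth stating in the commit message or a code comment next to this redirect. A more descriptive name than `hres` would also read better now that the cast has its own statement.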


But I'm not sure how this would help, because you have to append the jsessionid to the j_security_check action submitted from your login page in order to be able to resume the session ...


Jan
> So is there a way to include the redirect URL into the URL too? I don't know but do I have to enable cookies to achieve security?
> [Message sent by forum member 'bsevindi' (bsevindi)]
>
> http://forums.java.net/jive/thread.jspa?messageID=331746