users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Utility code for copy/restore request

From: Jean-Louis Monteiro <jlmonteiro_at_tomitribe.com>
Date: Wed, 20 May 2015 16:37:48 +0200

Hi,

Yes, I can remember doing the same kind of trick in the past (when using
JSP based frameworks).
Anyway, at that time it was more a workaround for me because of the poorly
designed navigation flow.

So not really sure if it's a good idea to promote this approach.
Usually after login, it's way easier to send back a redirect (HTTP 302
or similar).

This should also be the same redirect option when hitting a protected
resource (send a 401 challenge back to the user).

Did I miss something?

JLouis


--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com
On Wed, May 20, 2015 at 12:29 PM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
> Hi,
>
> A while ago I noticed that pretty much every security framework out there,
> including the Servlet security implementations, has utility code to
> copy/restore a request.
>
> This is needed for the situation where a user does an unauthenticated
> request to a protected page, then gets to see an authentication page, and
> after posting that back and having successfully authenticated the original
> request is restored.
>
> Due to the way HttpServletRequest has been designed (or grown perhaps),
> it's not 100% trivial to do this. Not difficult, but tedious. See for
> example my implementation here:
>
>
> https://github.com/omnifaces/omnisecurity/tree/master/src/main/java/org/omnifaces/security/jaspic/request
>
> What do you think of standardizing such utility code for this JSR? I can
> of course donate my implementation (it's not really that different from any
> of the ~10 other implementations out there).
>
> To make the work less tedious I've also created an issue for this at the
> Servlet spec, but didn't get any response yet. See
> https://java.net/jira/browse/SERVLET_SPEC-60
>
> Thoughts?
>
> Kind regards,
> Arjan Tijms
>
>
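The save, redirect and restore flow discussed in this thread, as an added example (not code from OmniSecurity or from either poster). It assumes the `javax.servlet` API; the class name `SavedRequest` and the session key are hypothetical, and only the method and parameters are snapshotted (headers, cookies and the body are left out).

```java
import java.io.Serializable;
import java.util.*;
import javax.servlet.http.*;

/** Hypothetical helper: snapshot of the request that triggered authentication. */
public final class SavedRequest implements Serializable {
    private static final String KEY = "example.savedRequest"; // assumed session key
    private final String method, uri, query;
    private final HashMap<String, String[]> params;

    private SavedRequest(HttpServletRequest r) {
        method = r.getMethod();
        uri = r.getRequestURI();
        query = r.getQueryString();
        params = new HashMap<>(r.getParameterMap()); // copy: the container's map is request-scoped
    }

    /** Call on the unauthenticated request, before showing the login page. */
    public static void save(HttpServletRequest r) {
        r.getSession().setAttribute(KEY, new SavedRequest(r));
    }

    /** Redirect target after a successful login, or null if nothing usable was saved. */
    public static String redirectTarget(HttpServletRequest r) {
        SavedRequest saved = find(r);
        // Taken from the server-side snapshot, never from a request parameter;
        // a leading "//" would be read by browsers as a protocol-relative URL.
        if (saved == null || saved.uri.startsWith("//")) return null;
        return saved.query == null ? saved.uri : saved.uri + "?" + saved.query;
    }

    /** On the redirected request: restore only if it targets the saved URI. */
    public static HttpServletRequest restore(HttpServletRequest r) {
        final SavedRequest saved = find(r);
        if (saved == null || !saved.uri.equals(r.getRequestURI())) return r;
        r.getSession().removeAttribute(KEY); // one-shot: the snapshot cannot be replayed
        return new HttpServletRequestWrapper(r) {
            @Override public String getMethod() { return saved.method; }
            @Override public String[] getParameterValues(String n) { return saved.params.get(n); }
            @Override public String getParameter(String n) {
                String[] v = saved.params.get(n);
                return v == null || v.length == 0 ? null : v[0];
            }
            @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(saved.params); }
            @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(saved.params.keySet()); }
        };
    }
    private static SavedRequest find(HttpServletRequest r) {
        HttpSession s = r.getSession(false);
        return s == null ? null : (SavedRequest) s.getAttribute(KEY);
    }
}
```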