Skip to main content

Acegi Security - fails to process login with a landing page having dynamic jsp:include

I spent 10 mins in vain to aptly Title this post. but I still dont think I did justice.

While working with Acegi, I discovered a problem in a srange use case.

this post assumes intermediate-advanced level knowledge of Acegi

Acegi has a SecurityContextHolderAwareRequestFilter that filters requests accessing secure pages when SecurityContextHolder doesnot have a securityToken yet. So if user accesses /root/secure/resource , and he is not yet logged in, the request is redirected to /login (defined in AuthenticationProcessingFilterEntryPoint)

now, The request uri along with params if any are wrapped into SavedRequestWrapper, so it can be used to redirected to once the login is successful.

The SavedRequestWrapper implments HttpServletRequest so a getParam on this will return the params from /login request first and then /root/secure/resource after the redirect.

This is simple so far. But when the /root/secure/resource has a jsp:include page="/root/secure/resource2" things get complicated if both resources have some param keys. say:

/root/secure/resource?action1=method1 and included jsp is /root/secure/resource2?action2=metod2
and /root/secure/resource?action=method1 is accessed with out login

So the filter saves this request and creates a redirects it to /login once you login, The jsp:include kicks in, and adds the method2 to the action param so request will now have action2=method2&action1=method1. However, The saved request is trying to redirect all successfully logged in requests with a param map action=method1, so we lost method have a null value for action2.

I raised a bug ( and someone already fixed it )in Spring JIRA. How?

By always letting the new request supercede the old one.

Popular posts from this blog

Javascript: Convert Strings to Binary (and representing in a nerdy way!)

I follow those GoogleDevelopers Videos . Sometime back, in one of the presentations on GoogleIO, there was this interesting string of dots at the bottom of each page of the presentation . They looked like random big and small dots. A similar bunch of dots were also on the T-shirt of a presenter was wearing in another presentation . While it seemed something in the pattern, I could not find what it was. Finally, another presenter cleared the matter that those dots are just binary representation of "GOOGLEIO" (So much for advertizing Google IO, Impressive!). So I wanna do it. Takes me back to days of those DSP classes at school. Nerdy me had to churn some old brain cells. I remember those first programming language classes in Pascal and C when you were asked to do fibonacci series and converting a binary string to ascii codes. That *experience* came handy here: Check it out! Text to Binarize: For those who came to copy the javascript code to convert string to binary,

MySql Copying Table Structures.

Some times you need to copy only table structures across databases. This article describes two ways of doing it. If the whole database schema need to be exported, mysqldump is very effective. A --nodata flag will dump all tables' schema. Like this. mysqldump --nodata -p -u username databaseName But if you want to copy a specific table, individually, you could use "create table like" feature. You could create it even from a different database. However it must be on the same mysqld instance. Like this. create table newtable like oldtable; --Or from a table in other database create table mytable like otherdatabase.tablename;

javascript maxlength for textarea with \r\n breaks in java (esp Firefox)

Textareas allow new lines to enter. These are represented by \n (1) or \r\n (2) characters. But when you save to DB you have a limit to certain length of chars. There is no maxlength attribute in HTML that will stop you from entering data. This is generally acomplished by Javascript. You do a onkeyup hook and stop event or trim after textarea.value.length > maxlength. There are many other solutions out there.. But.. Here is the problem that most of those solutions overlook, How do you deal with the count on \n and \r\n representations. Lets first see how it matters. If the text entered has new lines, the length is calculated differently in Firefox and IE. When you enter a Text like 01234 567890 You expect the textarea.value.length to be 11. (10 chars + new line).On the backend, however, java would recieve it as 12 chars (10 chars + \r\n) (this is irrespective of FF or IE). So you are effectively saving 12 chars to DB. Worse yet, IE seems to figure textarea.value.length as 12 (