Skip to main content

Acegi Security - fails to process login with a landing page having dynamic jsp:include

I spent 10 mins in vain to aptly Title this post. but I still dont think I did justice.

While working with Acegi, I discovered a problem in a srange use case.

this post assumes intermediate-advanced level knowledge of Acegi

Acegi has a SecurityContextHolderAwareRequestFilter that filters requests accessing secure pages when SecurityContextHolder doesnot have a securityToken yet. So if user accesses /root/secure/resource , and he is not yet logged in, the request is redirected to /login (defined in AuthenticationProcessingFilterEntryPoint)

now, The request uri along with params if any are wrapped into SavedRequestWrapper, so it can be used to redirected to once the login is successful.

The SavedRequestWrapper implments HttpServletRequest so a getParam on this will return the params from /login request first and then /root/secure/resource after the redirect.

This is simple so far. But when the /root/secure/resource has a jsp:include page="/root/secure/resource2" things get complicated if both resources have some param keys. say:

/root/secure/resource?action1=method1 and included jsp is /root/secure/resource2?action2=metod2
and /root/secure/resource?action=method1 is accessed with out login

So the filter saves this request and creates a redirects it to /login once you login, The jsp:include kicks in, and adds the method2 to the action param so request will now have action2=method2&action1=method1. However, The saved request is trying to redirect all successfully logged in requests with a param map action=method1, so we lost method have a null value for action2.

I raised a bug ( and someone already fixed it )in Spring JIRA. How?

By always letting the new request supercede the old one.

Popular posts from this blog

Being a Vegetarian

I am a Proud Vegetarian. I don't eat Meat or Eggs. People say its hard here in US to be one. I beg to differ. The mere fact that I am hail and healthy these 4 years is a definitive proof. Apart from being bullied and trash talked by The Meat-Eaters, There is really nothing that makes this choice of mine any more than a debatable issue at a lunch or dinner. Other things aside, I am writing this blog having watched a PETA Video. Before you click on the play button, I ask you - If you are a vegetarian : Dont watch it. If you are not : Dare to watch it till the end. If you think going veg is just a fashion, think again . Even if you just want to do it for Fashion . Do it. Go Vegetarian. And Feel better asking the waiter for a Vegetarian Entrée in your next lunch.

Using Equinox CommandProvider to make OSGi console interactive.

After fiddling with the First Bundles that "Hello World"-ed upon Activation, You want to see more interactivity in OSGi. Although Using OSGi for an interactive Command Line Application would be like this one would be, well, a callable over-kill, I am going to start with an example and Expand it in later posts. So, please Welcome CommandProvider. CommandProvider is an EQUINOX specific API for extending the Console. This basic Example illustrates how to get a command from console and do something in java and also gets your feet wet on Service Registry package com.so.examples.commandconsole; import org. eclipse .osgi.framework.console .CommandInterpreter; import org.eclipse.osgi.framework.console.CommandProvider; public class DisplayMessageCommand implements CommandProvider { public void _say(CommandInterpreter ci) { ci.print("You said:" + ci.nextArgument()); } @Override public String getHelp() { return "\tsay - repeats what you say\n"; } }

How to Make a Local (Offline) Repository in Ubuntu / Debian

If you are in a place where you dont have internet (or have a bad one) You want to download .deb packages and install them offline. Each deb file is packaged as a seperate unit but may contain dependencies (recursively). apt-get automagically solves all the dependencies and installs all that are necessary. Manually install deb files one by one resolving each dependency would be tedious. A better approach is to make your own local repository. Before you actually make a repo, You need *all* deb files. You dont practically have to mirror all of the packages from the internet, but enough to resolve all dependencies. Also, You have to make sure, you are getting debs of the correct architecture of your system (i386 etc) # 1. make a dir accessible (atleast by root) sudo mkdir /var/my-local-repo # 2. copy all the deb files to this directory. # 3. make the directory as a sudo dpkg-scanpackages /var/my-local-repo /dev/null > \ /var/my-local-repo/Packages # 4. add the local repo to sour