Skip to main content

Acegi Security - fails to process login with a landing page having dynamic jsp:include

I spent 10 mins in vain to aptly Title this post. but I still dont think I did justice.

While working with Acegi, I discovered a problem in a srange use case.

this post assumes intermediate-advanced level knowledge of Acegi

Acegi has a SecurityContextHolderAwareRequestFilter that filters requests accessing secure pages when SecurityContextHolder doesnot have a securityToken yet. So if user accesses /root/secure/resource , and he is not yet logged in, the request is redirected to /login (defined in AuthenticationProcessingFilterEntryPoint)

now, The request uri along with params if any are wrapped into SavedRequestWrapper, so it can be used to redirected to once the login is successful.

The SavedRequestWrapper implments HttpServletRequest so a getParam on this will return the params from /login request first and then /root/secure/resource after the redirect.

This is simple so far. But when the /root/secure/resource has a jsp:include page="/root/secure/resource2" things get complicated if both resources have some param keys. say:

/root/secure/resource?action1=method1 and included jsp is /root/secure/resource2?action2=metod2
and /root/secure/resource?action=method1 is accessed with out login

So the filter saves this request and creates a redirects it to /login once you login, The jsp:include kicks in, and adds the method2 to the action param so request will now have action2=method2&action1=method1. However, The saved request is trying to redirect all successfully logged in requests with a param map action=method1, so we lost method have a null value for action2.

I raised a bug ( and someone already fixed it )in Spring JIRA. How?

By always letting the new request supercede the old one.

Popular posts from this blog

One page Stock

Alright.. That was a long absence. The whole last week I dint blog. I dint go away. I was "occupied". I was learning stock trading. Its very fascinating. I have a good weeeked blog for you all. Here is my experience. I can literally hyper-link every word from the following paragraphs, but I am writing it as simple as I can so you can look up the italicised words in wikipedia . I got a paper trading account from a brokerage firm . You need one brokerage account first. Then it can be an Equity account where all your money is yours or a Margin account , where some of the money is lent by the brokerage firm. Then I get Buying power , which is the dollor value of how much stocks you can buy. I can make profit by simple rules. Buy when Price is low. Sell when price is high. There is another more intersting way of earning money. Selling short . Thats when price is not high, per say, but when are confident that the price WILL go down. then buy back when its lowest. This is what

Powered By

As it goes, We ought to give thanks to people who power us. This page will be updated, like the version page , to show all the tools, and people this site is Powered By! Ubuntu GIMP Firebug Blogger Google [AppEngine, Ajax and other Apis] AddtoAny Project Fondue jQuery

classpath*: making your Modular Spring Resources

Spring gives multiple options to load XML resources for building contexts. the reference documentation does explain this feature quite well. However, I am taking my shot at explaining the different practical scenarios ( by order of growing modularisation) For Example, A simplest Spring based web Context Loader can be configured with resources like this <context-param> <param-name>contextConfigLocation</param-name> <param-value>applicationContext.xml</param-value> </context-param> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> You just need to put applicationContext.xml in WEB-INF/ folder of your webapp. However, Typically an application is n-tiered. You can also have multiple files setup and in relative paths. like <param-value> context-files/applicationContext.xml context-files/dao.xml context-files/service.xml </param-value>