
  • Welcome page forward issue with Spring Security 3 and WAS 7.0

    We have an application where we are using Spring Security 3.0. The app is deployed to WebLogic and WAS 7.0. The context root of our application is cdma. We have a Welcome file list as follows in web.xml:

    <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    and a servlet that handles this request:

    <servlet-mapping>
    <servlet-name>Login</servlet-name>
    <url-pattern>/index.html</url-pattern>
    </servlet-mapping>

    <servlet>
    <servlet-name>Login</servlet-name>
    <servlet-class>com.cdma.login.LoginServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>

    This is what we have in the spring-security.xml spring application context file:

    <!-- Grant access to everyone for the login page... -->
    <security:intercept-url pattern="/index.html" access="permitAll" />
    <security:intercept-url pattern="/**" access="isFullyAuthenticated()" />

    <!-- Custom handler that extends org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler -->

    <bean id="customAuthenticationSuccessHandler"
    class="com.cdma.server.security.LocaleAppendingSavedRequestAwareAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/cdma.html" />
    <property name="requestCache" ref="customRequestCache" />
    </bean>

    In the case of Weblogic, when you type http://localhost:port/cdma/ , the request gets resolved as /index.html, so Spring Security just redirects to the /index.html and when the user is authenticated it shows /cmda.html.

    The issue is in WAS 7. When you type http://localhost:port/cdma/ in WAS 7.0, the request gets resolved as just "/" and not "/index.html", so Spring Security saves the request in the HttpSessionRequestCache and redirects to /index.html. So now when the user is authenticated, instead of redirecting to /cdma.html it uses the saved request, i.e. just "/", and this again causes the redirect to /index.html.

    The workaround for this issue in WAS 7 is to use http://localhost:port/cdma/index.html instead of http://localhost:port/cdma/ to go to the login page.

    Any ideas for a solution, so that we can use http://localhost:port/cdma/ to go to the login page on WAS 7 as well?

    I also read that WAS performs a FORWARD to the welcome page, while Weblogic treats a request to / as a REQUEST to the welcome page itself.

    Thanks.

  • #2
    Try mapping / as permitAll too.


    • #3
      Then what should I put in the welcome file list in web.xml file?

      Thanks.


      • #4
        I'm not sure if I am understanding your goal properly, but try the following:

        * Map / as permitAll
        * Make the welcome file do a redirect to your default target URL. This will cause the default target URL to be saved.


        • #5
          The goal is to display the login page when the user types http://localhost: port/cdma/. And once authenticated, should be re-directed to the default target URL cmda.html. This works just fine for Weblogic as it correctly resolves http://localhost: port/cdma/ to http://localhost: port/cdma/index.html from the welcome file list.

          The issue is with WAS 7, which saves the request as "/" when the user types http://localhost: port/cdma/ and, when authenticated, does not re-direct to the target URL "cdma.html" but uses the saved request, i.e. "/". This brings the user back to the login page.
          Last edited by springsecurityuser1; Feb 7th, 2012, 05:46 PM.


          • #6
            I am sorry, I did not intend to put those smileys. I had put ":". I guess I forgot to turn off the smileys.


            • #7
              Did you try my suggestion?


              • #8
                I was trying it out. Having some deploy issues with WAS 7. I will let you know the outcome. Thanks.


                • #9
                  In the web.xml I made the following changes:
                  <welcome-file-list>
                  <welcome-file>cmda.html</welcome-file>
                  </welcome-file-list>
                  And in the spring security context file:
                  <security:intercept-url pattern="/" access="permitAll" />

                  This did not work. Maybe I understood it wrong. What did you mean by "Make the welcome file do a redirect to your default target URL"?


                  • #10
                    I would update the welcome file list

                    Code:
                    <welcome-file-list>
                    <welcome-file>welcome.html</welcome-file>
                    </welcome-file-list>
                    welcome.html does a redirect to cmda.html (which should be a protected URL). This has the advantage that Spring Security Filter will be certain to see the request properly, as Welcome file is not consistent across containers.

                    Spring Security will then cache cmda.html

                    PS: Please use code tags in the future (i.e. the # button) as this makes it easier to read


                    • #11
                      Currently I have index.html as the Welcome file. When the browser requests /index.html, it's handled by the LoginServlet to generate the Login page, as it has some dynamic elements based on database configuration. As I mentioned earlier, the issue is with WAS 7. As per your suggestion, if I put Welcome.html as the Welcome file and make it redirect to cdma.html, it would not work in WAS 7.

                      As when I would type the URL as http://localhost: port/cmda/, the request when it comes to Spring Security Filter would have the request path as "/" and not "/Welcome.html".

                      Everything works fine when the user types http://localhost: port/cmda/cdma.html (Spring Security caches the request and shows the login page) or types http://localhost: port/cmda/index.html (no caching).

                      What I want is that when the user types just http://localhost: port/cmda/ , it should show the login page and when authenticated, should show cdma.html, which is protected.


                      • #12
                        I have used this mechanism with WAS7, so I am sure it works. Make sure the welcome file is public (both the file and the /) and does a redirect to the protected default-target-url.

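The setup suggested in #4, #10 and #12, written out as one configuration. This is an added example, not part of the thread and not any poster's own code; the file name welcome.html, the `security:http` wrapper and the `form-login` element with its attribute values are assumptions, while the servlet mapping, the patterns for /index.html and /**, and the handler bean id come from the first post.

```xml
<!-- web.xml: the welcome file is a static public page (welcome.html is an assumed name) -->
<welcome-file-list>
    <welcome-file>welcome.html</welcome-file>
</welcome-file-list>

<!-- /index.html stays mapped to the Login servlet, as in the first post -->
<servlet-mapping>
    <servlet-name>Login</servlet-name>
    <url-pattern>/index.html</url-pattern>
</servlet-mapping>

<!-- spring-security.xml: intercept-url rules are evaluated top-down and the
     first match wins, so the public patterns must precede the catch-all -->
<security:http use-expressions="true">
    <!-- "/" is the path the thread reports the filter seeing on WAS 7 -->
    <security:intercept-url pattern="/" access="permitAll" />
    <!-- the welcome file itself, for containers that resolve "/" to it -->
    <security:intercept-url pattern="/welcome.html" access="permitAll" />
    <security:intercept-url pattern="/index.html" access="permitAll" />
    <security:intercept-url pattern="/**" access="isFullyAuthenticated()" />
    <!-- assumed login wiring; the first post does not show this element -->
    <security:form-login login-page="/index.html"
        authentication-success-handler-ref="customAuthenticationSuccessHandler" />
</security:http>

<!-- welcome.html: carries no application data; it only sends the browser
     to the protected default target, relative to the context root -->
<html>
  <head>
    <meta http-equiv="refresh" content="0; url=cdma.html" />
  </head>
  <body><a href="cdma.html">Continue</a></body>
</html>
```

Because neither "/" nor welcome.html is protected, the first request Spring Security saves in the request cache is the browser's follow-up request for cdma.html, which is the URL the success handler then redirects to after login. Only the three listed patterns are public; everything else remains behind `isFullyAuthenticated()`.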