  • IllegalStateException from call to response.sendRedirect in successfulAuthentication

    Hello!

    I have upgraded to Security 3.0.2, and ended up with the following issue: when I place a call to response.sendRedirect() from inside the method successfulAuthentication() - in UsernamePasswordAuthenticationFilter - I receive an IllegalStateException and the system redirects to the default successful authentication page.

    My requirement is that when a user successfully authenticates, I must redirect him to a page according to a certain condition, and if that condition is false, I must redirect him to another page. That used to work before moving to Spring Security 3.0.

    Here is relevant part of my applicationContext-Security.xml:

    Code:
    
    <beans:beans ... >
    
        <security:http entry-point-ref="myAuthenticationEntryPoint" auto-config="false">
    		
    ...
    
    		<security:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter"/>
    
        </security:http>
    
    	<security:authentication-manager alias="authenticationManager">
    		<security:authentication-provider ref="MyCustomAuthenticationProvider"/>
    	</security:authentication-manager>
    
    	<beans:bean id="MyCustomAuthenticationProvider" class="br.com.smartnet.vrben.portal.security.CustomAuthenticationProvider">
    		<beans:property name="locator">
    			<beans:bean class="br.com.smartnet.vrben.portal.locator.ServiceLocator" />
    		</beans:property>
    	</beans:bean>	
    
    	<beans:bean id="myAuthenticationEntryPoint" class="br.com.smartnet.vrben.portal.security.CustomAuthenticationEntryPoint" >	
    		<beans:property name="loginFormUrl" value="/index.html" />
    		<beans:property name="forceHttps" value="false" />
    		
    	</beans:bean>
    
    	<beans:bean id="authenticationProcessingFilter" class="br.com.smartnet.vrben.portal.security.CustomAuthenticationProcessingFilter">
    
    		<beans:property name="authenticationManager" ref="authenticationManager" />
    		<beans:property name="authenticationFailureHandler" ref="failureHandler" />
    		<beans:property name="authenticationSuccessHandler" ref="successHandler" />
    		<beans:property name="sessionAuthenticationStrategy" ref="sessionFixationProtectionStrategy"/>
    		<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
    		<beans:property name="locator">
    			<beans:bean class="br.com.smartnet.vrben.portal.locator.ServiceLocator" />
    		</beans:property>
    	</beans:bean>
    
    	 
    	 <beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler" >
    		<beans:property name="defaultTargetUrl" value="/index.html" /> 
    	</beans:bean>
    	<beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" >
    		<beans:property name="defaultFailureUrl" value="/index.html?authfailed=true" />
    	</beans:bean>
    	<beans:bean id="sessionFixationProtectionStrategy" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
    		<beans:property name="migrateSessionAttributes" value="true" />
    	</beans:bean>
    	 
    </beans:beans>

    Here is the relevant part of my CustomAuthenticationProcessingFilter, which extends UsernamePasswordAuthenticationFilter:


    Code:
    	@Override
    	protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) throws IOException, ServletException {
    
    		logger.info("login successful: " + authResult.getDetails());
    		super.successfulAuthentication(request, response, authResult);
    
    		// if user is a member of ROLE_PATROCINADOR, redirects them
    		// to the sponsor's page
    
    		if(isUserPatrocinador(request)) {
    			logger.info("redirecting to the patrocinador's page: " + request.getContextPath() + PATROCINADOR_VIEW);
    			response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + PATROCINADOR_VIEW));
    		} else {
    
    			Usuario usuario = recuperarUsuarioLogado();
    
    			if( usuario != null ){
    
    				try {
    
    					List<Programa> programas = locator.getProgramaInterface().selecionarProgramasdoBeneficiario(usuario.getChave());
    
    					String redirectUrl = request.getContextPath();
    					
    					if( programas.size() == 1 ){
    						//if size == 1 redirect to another URL 
    						Programa programa = programas.iterator().next();
    						String codPrograma = programa.getCodigoPrograma();
    						redirectUrl = redirectUrl + PROGRAMA_VIEW + "?idPrograma=" + codPrograma;
    						
    					} else {
    						redirectUrl = redirectUrl + MEUS_PROGRAMAS_VIEW;
    					}
    
    					String encodedUrl = response.encodeRedirectURL( redirectUrl );
    					
    					response.sendRedirect( encodedUrl );  // ==> HERE IS WHERE THE PROBLEM HAPPENS
    
    					
    				} catch (Exception e) {
    
    					logger.error("Erro ao tentar realizar o redirecionamento do usuario autenticado." + e.getMessage(), e);
    					logger.error("Causa: " + e.getCause().getMessage() + " - Redirecionando para a página principal.");
    					 
    					response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + MAIN_VIEW));
    
    				}
    
    			}
    
    		}
    		
    	}
    And here is the log of the error thrown:

    Code:
    
    [07/04/10 19:47:53:172 BRT] 00000025 SystemOut     O 19:47:53,172  INFO CustomAuthenticationProcessingFilter,WebContainer : 3:41 - login successful: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: gUraxa6NbqE2z3JxEe6qF6V
    [07/04/10 19:47:53:188 BRT] 00000025 SystemOut     O 19:47:53,188  INFO ERROR CustomAuthenticationProcessingFilter,WebContainer : 3:80 - Error while trying to redirect authenticated user:  null
    java.lang.IllegalStateException
    	at com.ibm.ws.webcontainer.webapp.WebAppDispatcherContext.sendRedirectWithStatusCode(WebAppDispatcherContext.java:484)
    	at com.ibm.ws.webcontainer.webapp.WebAppDispatcherContext.sendRedirect(WebAppDispatcherContext.java:441)
    	at com.ibm.ws.webcontainer.srt.SRTServletResponse.sendRedirect(SRTServletResponse.java:1036)
    	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:170)
    	at org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper.sendRedirect(SaveContextOnUpdateOrErrorResponseWrapper.java:74)
    	at br.com.xxx.yyy.portal.security.CustomAuthenticationProcessingFilter.successfulAuthentication(CustomAuthenticationProcessingFilter.java:75)
    	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:219)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:109)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    	at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
    	at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
    	at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
    	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:834)
    	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:744)
    	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:697)
    	at com.ibm.ws.wswebcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:118)
    	at com.ibm.ws.webcontainer.extension.DefaultExtensionProcessor.invokeFilters(DefaultExtensionProcessor.java:818)
    	at com.ibm.ws.webcontainer.extension.DefaultExtensionProcessor.handleRequest(DefaultExtensionProcessor.java:768)
    	at com.ibm.ws.wswebcontainer.extension.DefaultExtensionProcessor.handleRequest(DefaultExtensionProcessor.java:113)
    	at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3440)
    	at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:267)
    	at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:815)
    	at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1461)
    	at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:118)
    	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
    	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
    	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:267)
    	at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
    	at 
    
    ...
    Appreciate any help. Thanks IN ADVANCE!!!

  • #2
    Anyone

    Can anyone help me?? Thanks...



    • #3
      You'll need to work out why websphere is throwing IllegalStateException (with a null message, not very helpful).

      I would try and replicate the error in Tomcat and see why the error is happening. Perhaps the response is already committed for some reason.



      • #4
        Originally posted by Luke Taylor
        You'll need to work out why websphere is throwing IllegalStateException (with a null message, not very helpful).

        I would try and replicate the error in Tomcat and see why the error is happening. Perhaps the response is already committed for some reason.
        Luke, thanks for your reply!

        I'll try that right now... I've been stuck in this error for the last 2 days... But is there any reason this was not happening in SSecurity 2.0 and came up just after upgrading to 3.0??

        Thanks....



        • #5
          Not that I'm aware of. The net result should be the same - a redirect from the authentication filter.



          • #6
            Luke, it keeps failing under Tomcat 6. Same error.

            Here is the stack:


            Code:
            08/04/2010 12:00:00 org.apache.catalina.core.StandardWrapperValve invoke
            SEVERE: Servlet.service() for servlet default threw exception
            Throwable occurred: java.lang.IllegalStateException
            	at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:435)
            	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:126)
            	at org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper.sendRedirect(SaveContextOnUpdateOrErrorResponseWrapper.java:74)
            	at br.com.xxx.yyy.portal.security.CustomAuthenticationProcessingFilter.successfulAuthentication(CustomAuthenticationProcessingFilter.java:93)
            	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:219)
            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
            	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
            	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
            	at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:109)
            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
            	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
            	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
            	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
            	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
            	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
            	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
            	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
            	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
            	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
            	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
            	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
            	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
            	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
            	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
            	at java.lang.Thread.run(Thread.java:735)
            11:59:59,998 DEBUG HttpSessionSecurityContextRepository,http-8080-1:351 - SecurityContext stored to HttpSession: '[email protected]7d479: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@8db7d479: Principal: br.com.smartnet.vrben.domain.Usuario@525d525d; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: E28621072DA9FD15B7DB8362AA221C76; Granted Authorities: br.com.smartnet.vrben.domain.Role@526e526e'
            12:00:00,014 ERROR CustomAuthenticationProcessingFilter,http-8080-1:90 - Erro ao tentar realizar o redirecionamento do usuario autenticado.null
            java.lang.IllegalStateException
            	at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:435)
            	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:126)
            	at org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper.sendRedirect(SaveContextOnUpdateOrErrorResponseWrapper.java:74)
            	at br.com.xxx.yyy.portal.security.CustomAuthenticationProcessingFilter.successfulAuthentication(CustomAuthenticationProcessingFilter.java:85)
            	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:219)
            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
            	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
            	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
            	at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:109)
            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
            	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
            	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
            	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
            	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
            	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
            	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
            	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
            	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
            	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
            	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
            	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
            	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
            	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
            	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
            	at java.lang.Thread.run(Thread.java:735)
            As we know it is not because of WebSphere, is there any other possibility, any other filter to use, to try putting the redirect somewhere AFTER unsuccessfulAuthentication() ???



            • #7
              Since you can look at the source for tomcat (unlike websphere), you can see that the response has already been committed, so an IllegalStateException is raised as per the servlet spec.

              You need to work out why that is. Sending the redirect later won't make any difference.



              • #8
                Man, I spent the whole day trying to locate the problem, but after lots of debugging and source checking, all I can say is that, in the moment the sendRedirect() is called, it raises the IllegalStateException. During the debug process, when I stop on the 'sendRedirect()' as I press F5 (debug step) it goes directly to the IllegalArgumentException constructor, and the cause and message are null.

                Is there any difference if I use RequestDispatcher.dispatch(request, response)?

                I'll continue trying next monday, when I get back to the office...

                But tell me: is the work being done in the right place??? I mean, is "UsernamePasswordAuthenticationFilter" - successfulAuthentication() the best place to call sendRedirect() ???

                Thanks in advance...



                • #9
                  It's not really a question of what is the right place - more about what has been done with the response prior to that point. Something must have been written to it to cause it to be committed. You could either debug the response object directly or create a response wrapper which will allow you to monitor calls on the object.

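A response wrapper of the kind suggested in post #9, as an added example that is not code from any poster or from Spring Security. The class name `CommitTracingFilter` is an assumption; it uses only the Servlet API and `java.util.logging`, and it is meant to be mapped in web.xml ahead of the Spring Security filter chain.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical diagnostic filter (the name is an assumption). Every filter
// that runs after it writes through the tracing wrapper, so the log shows
// which caller touched the response first. It logs one stack trace per
// response call, so it is a debugging aid, not something to leave deployed.
public class CommitTracingFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(CommitTracingFilter.class.getName());

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, new TracingResponse((HttpServletResponse) res));
    }

    static class TracingResponse extends HttpServletResponseWrapper {

        TracingResponse(HttpServletResponse delegate) {
            super(delegate);
        }

        // Log the call, the commit state before it runs, and the caller's stack.
        // The Throwable is never thrown; it only carries the stack trace.
        private void trace(String call) {
            LOG.log(Level.INFO, call + " [committed before call: " + isCommitted() + "]",
                    new Throwable("response call site"));
        }

        @Override
        public void sendRedirect(String location) throws IOException {
            trace("sendRedirect");
            super.sendRedirect(location);
        }

        @Override
        public void sendError(int sc) throws IOException {
            trace("sendError(" + sc + ")");
            super.sendError(sc);
        }

        @Override
        public void sendError(int sc, String msg) throws IOException {
            trace("sendError(" + sc + ")");
            super.sendError(sc, msg);
        }

        @Override
        public void flushBuffer() throws IOException {
            trace("flushBuffer");
            super.flushBuffer();
        }

        // Obtaining the writer or stream does not commit by itself, but it
        // identifies who starts producing a response body.
        @Override
        public PrintWriter getWriter() throws IOException {
            trace("getWriter");
            return super.getWriter();
        }

        @Override
        public ServletOutputStream getOutputStream() throws IOException {
            trace("getOutputStream");
            return super.getOutputStream();
        }
    }
}
```

The first logged call that precedes a line reading "committed before call: true" is the one that committed the response; its stack trace names the code responsible.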


                  • #10
                    Originally posted by Luke Taylor
                    It's not really a question of what is the right place - more about what has been done with the response prior to that point. Something must have been written to it to cause it to be committed. You could either debug the response object directly or create a response wrapper which will allow you to monitor calls on the object.
                    This changed from version 2 to 3.
                    I have the same problem.
                    On version 2.x it was possible to implement the interface TargetUrlResolver with our custom code.
                    The only way I found to implement this custom behaviour in 3.0.2 - redirect to a specific page by a condition after authentication - was to apply the same technique used with filters: a request wrapper.
                    That state illegal exception appears in my opinion from the same reason that we can't modify the request in a filter, without a wrapper.
                    So if someone has another solution I would appreciate it. Mine was to extend the SimpleUrlAuthenticationSuccessHandler with the same code as the SavedRequestAwareAuthenticationSuccessHandler and put my condition in a wrapper, like this:

                    Code:
                    import java.io.IOException;

                    import javax.servlet.ServletException;
                    import javax.servlet.http.HttpServletRequest;
                    import javax.servlet.http.HttpServletRequestWrapper;
                    import javax.servlet.http.HttpServletResponse;

                    import org.apache.commons.logging.Log;
                    import org.apache.commons.logging.LogFactory;
                    import org.springframework.security.core.Authentication;
                    import org.springframework.security.core.GrantedAuthority;
                    import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
                    import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
                    import org.springframework.security.web.savedrequest.RequestCache;
                    import org.springframework.security.web.savedrequest.SavedRequest;
                    import org.springframework.util.StringUtils;

                    public class RoleBasedAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

                        protected final Log logger = LogFactory.getLog(this.getClass());
                        private RequestCache requestCache = new HttpSessionRequestCache();

                        @Override
                        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws ServletException, IOException {
                            SavedRequest savedRequest = requestCache.getRequest(request, response);

                            if (containsAdminAuthority(authentication)) {
                                // Wrap the request so the target URL parameter resolves to the admin page
                                HttpServletRequestWrapper wrapper =
                                        new HttpServletRequestWrapper((HttpServletRequest) request) {
                                            @Override
                                            public String getParameter(String parameter) {
                                                if (parameter.equals("spring-security-redirect")) {
                                                    return "/admin.htm";
                                                }
                                                return null;
                                            }
                                        };

                                requestCache.removeRequest(request, response);
                                super.onAuthenticationSuccess(wrapper, response, authentication);
                                return;
                            }

                            if (savedRequest == null) {
                                super.onAuthenticationSuccess(request, response, authentication);

                                return;
                            }

                            if (isAlwaysUseDefaultTargetUrl() || StringUtils.hasText(request.getParameter(getTargetUrlParameter()))) {
                                requestCache.removeRequest(request, response);
                                super.onAuthenticationSuccess(request, response, authentication);

                                return;
                            }

                            // Use the DefaultSavedRequest URL
                            String targetUrl = savedRequest.getRedirectUrl();
                            logger.debug("Redirecting to DefaultSavedRequest Url: " + targetUrl);
                            getRedirectStrategy().sendRedirect(request, response, targetUrl);
                        }

                        public void setRequestCache(RequestCache requestCache) {
                            this.requestCache = requestCache;
                        }

                        private boolean containsAdminAuthority(final Authentication auth) {
                            for (final GrantedAuthority grantedAuthority : auth.getAuthorities()) {
                                if (grantedAuthority.getAuthority().equals(
                                        MyRoles.ADMIN_ROLE.roleName())) {
                                    return true;
                                }
                            }
                            return false;
                        }
                    }

                    In my case I'm using an enum (MyRoles) to get the condition and then I change the original with a wrapper. When the targetUrl is evaluated upstream it calls the getParameter("spring-security-redirect") - see the source.
                    It works. Of course that inner class of the wrapper can be an autonomous method with other parameters.
                    I don't use namespace so I can't help in that matter. In my bean for the UsernamePasswordAuthenticationFilter I put my custom authenticationSuccessHandler like this:

                    Code:
                    <bean id="formLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
                        <property name="authenticationManager" ref="authenticationManager" />
                        <property name="rememberMeServices" ref="rememberMeServices" />
                        <property name="authenticationSuccessHandler">
                            <!--<bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">-->
                            <bean class="org.anarca.springsecuritytest.RoleBasedAuthenticationSuccessHandler">
                                <property name="defaultTargetUrl" value="/home.htm" />
                            </bean>
                        </property>
                    ...

                    Again: If someone has a better way...



                    • #11
                      These are just the redesign changes related to how the user is redirected after logging in. This has no bearing on why the response has committed. That has nothing to do with "modifying the request in a filter".



                      • #12
                        Originally posted by Luke Taylor
                        These are just the redesign changes related to how the user is redirected after logging in. This has no bearing on why the response has committed. That has nothing to do with "modifying the request in a filter".
                        Hello Luke.
                        I think that the use case presented by cirorezende was exactly the same that I exposed.
                        And I got exactly the same error when I try something like him, for example using the:

                        Code:
                        String MyTargetUrl = "/xxx.html";
                        getRedirectStrategy().sendRedirect(request, response, MyTargetUrl);
                        when extending SimpleUrlAuthenticationSuccessHandler.

                        But if there is a better way to obtain the desired result...



                        • #13
                          You said

                          That state illegal exception appears in my opinion from the same reason that we can't modify the request in a filter, without a wrapper.
                          The exception comes from a call to response.sendRedirect(). If you check the servlet spec or Javadoc (or as above, the Tomcat source) you will see that this raises an IllegalStateException "If the response has already been committed".

                          So the issue is not related to accessing the request object.

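In Spring Security 3.0 the base `successfulAuthentication()` invokes the configured `AuthenticationSuccessHandler`, which sends its own redirect, so a second `response.sendRedirect()` after `super.successfulAuthentication(...)` meets a committed response. The sketch below is an added example, not code from any poster or from the project: it makes the role decision inside the handler so that exactly one redirect is issued. The class name and the `/patrocinador.html` path are assumptions; `ROLE_PATROCINADOR` and `/index.html` come from the first post.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

// Hypothetical handler (the class name is an assumption). Register it as the
// filter's authenticationSuccessHandler and leave successfulAuthentication()
// un-overridden, so this is the only code that redirects after login.
public class RoleTargetSuccessHandler implements AuthenticationSuccessHandler {

    private static final String SPONSOR_ROLE = "ROLE_PATROCINADOR";

    // Targets are fixed, context-relative constants chosen on the server.
    // Nothing from the request decides where the user is sent.
    private static final String SPONSOR_VIEW = "/patrocinador.html"; // placeholder path
    private static final String DEFAULT_VIEW = "/index.html";

    private final Log logger = LogFactory.getLog(getClass());
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        String target = hasAuthority(authentication, SPONSOR_ROLE) ? SPONSOR_VIEW : DEFAULT_VIEW;

        // sendRedirect() throws IllegalStateException on a committed response,
        // so report the condition instead of failing inside the login request.
        if (response.isCommitted()) {
            logger.warn("Response already committed; cannot redirect to " + target);
            return;
        }

        // DefaultRedirectStrategy prepends the context path and URL-encodes the target.
        redirectStrategy.sendRedirect(request, response, target);
    }

    private static boolean hasAuthority(Authentication authentication, String role) {
        for (GrantedAuthority granted : authentication.getAuthorities()) {
            if (role.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```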


                          • #14
                            Originally posted by Luke Taylor
                            You said



                            The exception comes from a call to response.sendRedirect(). If you check the servlet spec or Javadoc (or as above, the Tomcat source) you will see that this raises an IllegalStateException "If the response has already been committed".

                            So the issue is not related to accessing the request object.
                            Luke, the reason is your side.
                            I looked again at the original code and it is invoking a response.redirect and I was mistaken because I struggle with the same problem, but not using the response, of course.



                            • #15
                              Hi guys,

                              I get the same error with tomcat, but that works when I use jetty.

                              Any update on that stuff?

                              Thanks.
