2

My JSF application redirects any user who is not logged in to the login page. When the user logs in, I want the application to redirect to the page the user has initially entered in the browser's adress bar. But I don't know how to access the url the user has initially entered, since he is automatically redirected to the login page which I configured in the web.xml.

Theo
  • 3,074
  • 7
  • 39
  • 54
  • So, you're using container managed security, as in `j_security_check`? – BalusC Nov 05 '10 at 11:06
  • Yes, I'm using container managed security. But when logging in, I'm using HttpServletRequest.login(username, password) instead of j_security_check. – Theo Nov 05 '10 at 11:09
  • 1
    Hint, use `@nickname` like `@BalusC` to notify others about comments on posts which are not of themselves. Otherwise you're dependent on whether the one will look back later in the topic or not (often not). See also http://meta.stackexchange.com/questions/43019/how-do-comment-replies-work – BalusC Nov 05 '10 at 12:10

1 Answers1

5

The container managed security doesn't have any API-provided facilities for this. Your best bet is to replace the <login-config> by a Filter class which does roughly like this:

HttpServletRequest httpreq = (HttpServletRequest) request;
HttpServletResponse httpres = (HttpServletResponse) response;
if (httpreq.getUserPrincipal() == null) {
    httpreq.getSession().setAttribute("from", httpreq.getRequestURI());
    httpres.sendRedirect("login.jsf");
} else {
    chain.doFilter(request, response);
}

And then in your login thing:

request.login(username, password);
externalContext.redirect((String) request.getSession().getAttribute("from"));
BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
  • I just dug this answer back up, thinking about the filter for [this question](http://stackoverflow.com/questions/4413407/). Great answer, of course. It really sucks that there's no API for this - it seems like a common enough use case. I'm curious: if you remove the `` from `web.xml`, does `request.login(username, password);` still work? How? – Matt Ball Dec 10 '10 at 22:16
  • @Matt: Yes, it will work. It's just the new Servlet 3.0 programmatic replacement which does the same as `` (in combination with the filter's ``). You however have still to keep the `` entry and the users/passwords/roles in a realm. – BalusC Dec 10 '10 at 22:36
  • How should login-config be set in the deployment descriptor for this to work properly? If i remove the form authentication, the web browser sets request.userPrincipal to a cached value so (httpreq.getUserPrincipal() == null) will be false. If I do turn on form authentication, the filter is not run at all since the container takes over. – Rasmus Franke Jan 28 '11 at 09:40
  • @Ramsus: it should be removed. The answer also states *"replace login-config by this filter"*. As to the browser setting with a cached value, you may need to turn off browser caching of protected pages (which can be done in the same filter as good). – BalusC Jan 28 '11 at 11:42
  • If you are using GlassFish 3 servers, you will need to remove the login-config element that is added to a domain's default-web.xml file. See http://stackoverflow.com/questions/10126792/jsf-implementing-filter-for-restricted-pages for more info. – vkraemer Apr 13 '12 at 16:28