I read some information about my issue here java.lang.IllegalStateException: Cannot (forward | sendRedirect | create session) after response has been committed
but I didn't manage to solve my problem with it.
I've got a index.jsp page which should only be accessible to authorized users. To do so, I use a java file which will feed the session with this information.
When I access my index, if the session is empty I go to my java part to check it, else I just display the content or not.
From my understanding, my issue is that I call this java part twice but I don't know where.
Could you please help me ?
Java code:
public class GroupeUtilisateur extends HttpServlet
{
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException,IOException
{
response.setContentType("text/html");
PrintWriter out = response.getWriter();
Connection connBDUtil = null;
String autorise = "";
autorise = CheckAuth.isAllowed(request, response, "IML-Thanact-Admin;IML-Thanact-User");
HttpSession session = request.getSession();
/* Mise en session d'une chaîne de caractères */
session.setAttribute( "autorisation", autorise );
String nextJSP = "/index.jsp";
RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(nextJSP);
dispatcher.forward(request,response);
}
}
And this is my index.jsp (minus non important parts)
<%@ page language="java" import="java.util.*"%>
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri = "http://java.sun.com/jsp/jstl/functions" prefix = "fn" %>
<%@ page session="true" %>
<head>
// In this script I initialise a datatable and some button will only be available for admin so I need to get the autorisation to
<script type='text/javascript' class='init'>
var authScript = '${sessionScope.autorisation}'; // Récupération de l'autorisation récupérée par GroupeUtilisateur.
</script>
</head>
<body>
<div class ="err"> <c:out value="${sessionScope.message}"/> </div>
<c:set var = "auth" scope = "session" value = "${sessionScope.autorisation}"/> <!-- Récupération de l autorisation pour la session -->
<!--
<div class ="err"> Log Autorisation : [<c:out value = "${auth}"/>] </div>
<div class ="err"> Log Autorisation sans var : [<c:out value = "${sessionScope.autorisation}"/>] </div>
-->
<c:choose>
<c:when test = "${empty auth}">
<div class ="err"> Empy session we go to the java part <c:out value="${sessionScope.autorisation}"/> </div>
<script language="javascript"> document.location.href="./GroupeUtilisateur/" </script>
</c:when>
<c:when test = "${!fn:contains(auth, 'Thanact-Admin') && !fn:contains(auth, 'Thanact-User')}">
<div class ="err">Vous n êtes pas habilité à utiliser cet écran. - [<c:out value = "${auth}" />]</div>
<br/>
<input type="button" name="back" value="Retour" onClick="parent.location='/Thanact/index.jsp'" class="buttonGrey">
</c:when>
<c:otherwise>
<!-- my data-->
</c:otherwise>
</c:choose>
</body>
</html>
Thanks a lot for your help !
EDIT: Ok so after further investigation I think I located the issue, but still don't know how to fix it. In fact to see if the user connected belong to the correct AD group we check the session. This is a method used in different app on our ecosystem, I didn't create it.
I think, it is the one who do this :
public class CheckAuth
{
//...
public static String isAllowed(
HttpServletRequest request,
HttpServletResponse response,
String groupMember,
String millPosition,
String forWhat) throws IOException, ServletException
{
//...
String auth = request.getHeader("Authorization");
if (auth == null)
{
response.setStatus(response.SC_UNAUTHORIZED);
response.setHeader("WWW-Authenticate", "NTLM");
response.flushBuffer();
return "KO" ;
}
//...
}
}
It looks like after setting the header, the servlet is called again. I need this bit because I can't get the username without.
How may I fix this ?
