  1. JBoss Web
  2. JBWEB-307

FormAuthenticator doesn't restore SavedRequest body after login

    Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: JBossWeb-7.0.13.GA
    • Fix Version/s: None
    • Component/s: Tomcat
    • Labels:
      None

      Description

      I'm porting my application from Tomcat to JBoss AS 7.1.1 Final. It includes SmartGWT and Spring.

      I use JAAS login:

      <form method="POST" action="j_security_check">

      to my custom login class, which implements javax.security.auth.spi.LoginModule.

      After login goes well, the execution flow goes to my Spring controller:

      @RequestMapping(value="/all", method=RequestMethod.POST)
      @ResponseBody
      public String all(@RequestBody String json,HttpSession session, HttpServletRequest servletrequest) throws Exception {

      But the "json" parameter is null.

      The cause seems to be in this method

      public boolean authenticate(Request request,
                                  HttpServletResponse response,
                                  LoginConfig config)

      in org.apache.catalina.authenticator.FormAuthenticator class, in the last part, after the .authenticate:

      principal = realm.authenticate(username, password);
      if (principal == null) {
          forwardToErrorPage(request, response, config);
          return (false);
      }

      if (log.isDebugEnabled())
          log.debug("Authentication of '" + username + "' was successful");

      if (session == null)
          session = request.getSessionInternal(false);
      if (session == null) {
          if (containerLog.isDebugEnabled())
              containerLog.debug("User took so long to log on the session expired");
          response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
                             sm.getString("authenticator.sessionExpired"));
          return (false);
      }

      // Save the authenticated Principal in our session
      session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);

      // Save the username and password as well
      session.setNote(Constants.SESS_USERNAME_NOTE, username);
      session.setNote(Constants.SESS_PASSWORD_NOTE, password);

      // Redirect the user to the original request URI (which will cause
      // the original request to be restored)
      requestURI = savedRequestURL(session);
      if (log.isDebugEnabled())
          log.debug("Redirecting to original '" + requestURI + "'");
      if (requestURI == null)
          response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                             sm.getString("authenticator.formlogin"));
      else
          response.sendRedirect(response.encodeRedirectURL(requestURI));
      return (false);

      In debug I've found my JSON: in the session there is a "note" field which contains a SavedRequest object:

      https://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/authenticator/SavedRequest.html

      It is a container of the request before login, and it has my JSON in its body field. Its URI is restored (line #32), not the entire request. I suppose it should make a call of
      session.setNote(Constants.FORM_REQUEST_NOTE, saved);
      in every case, like it does for SESS_USERNAME_NOTE, SESS_PASSWORD_NOTE and FORM_PRINCIPAL_NOTE.
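
The save, redirect and replay cycle this report is about, as an added example that is not part of the original report or of the JBoss Web source. It is a simplified model in which `Req`, `Session`, `handle` and the `replaySaved` switch are all hypothetical names; it shows that the redirect carries only the URI, so the application sees the original method and body only if the container replays the saved request when the redirected GET arrives.

```java
// Simplified model of container FORM authentication. Every type and method
// here is hypothetical; none of it is the org.apache.catalina API.
public class FormAuthReplayDemo {
    record Req(String method, String uri, String body) {}

    static class Session {
        Req saved;              // stands in for the SavedRequest session note
        boolean authenticated;
    }

    /** Returns what the application sees, or a "302 <uri>" / "400" marker. */
    static String handle(Req in, Session s, boolean replaySaved) {
        if (in.uri().endsWith("/j_security_check")) {
            if (s.saved == null) return "400";      // nothing to go back to
            s.authenticated = true;                 // credentials assumed valid
            return "302 " + s.saved.uri();          // only the URI travels in the redirect
        }
        if (!s.authenticated) {
            s.saved = in;                           // method and body stay server-side
            return "302 /login";
        }
        Req effective = in;
        if (replaySaved && s.saved != null && s.saved.uri().equals(in.uri())) {
            effective = s.saved;                    // restore method and body
            s.saved = null;                         // consume once so it cannot be replayed again
        }
        return effective.method() + " body=" + effective.body();
    }

    /** Runs the three-request exchange and returns what the controller receives. */
    static String run(boolean replaySaved) {
        Session s = new Session();
        // Constructed sample request: unauthenticated POST with a JSON body.
        handle(new Req("POST", "/all", "{\"q\":1}"), s, replaySaved);
        String redirect = handle(new Req("POST", "/j_security_check", "j_username=..."), s, replaySaved);
        // The browser follows the 302 with a GET that has no body.
        return handle(new Req("GET", redirect.substring(4), null), s, replaySaved);
    }

    public static void main(String[] args) {
        System.out.println("without replay: " + run(false));
        System.out.println("with replay:    " + run(true));
    }
}
```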

              People

              • Assignee:
                rmaucher Remy Maucherat
                Reporter:
                arachelva Diego Fiozzi