
I'm going to rewrite my previous question.

Glassfish redirects after form login to the last accessed resource, how do I go about to turn this off?

Our problem is that we get 415 in FF and IE because if I have a JSESSION cookie Glassfish will redirect to the last resource I tried to access but does not switch content type from (x-form-urlencoded).

Pseudo example (requests are the browser's XMLHttpRequest):

```text
GET /secure/resource1 (json) -> Response "you're not logged in."
GET /login.xhtml
POST /j_secure (x-form-urlencoded) -> New location /secure/resource1 (x-form-urlencoded)
GET /secure/resource1 (x-form-urlencoded) <- HTTP ERROR 415 content type not JSON.
```
Magnus
  • what do you expect it to do if not redirect? how can it proceed? are the resources mentioned RESTful resources? – Dror Bereznitsky Apr 19 '13 at 20:00
  • Yes, all the resources are RESTful (except for login). I want it to either go to a predefined URL, i.e. the welcome file, OR have it set another response type. The AJAX call fails because of the redirect and response type combination, even though the authentication is successful. – Magnus Apr 22 '13 at 06:56

3 Answers


You will probably need to write a Filter to check for and catch that case. I like this tutorial (hoping the translation to English is understandable).

Matthias Ronge
  • That is what I'm actually doing to circumvent it but it is not working so far. Glassfish does the redirect before any request reaches the container. By then the response type is already set to `application/x-form-urlencoded`. – Magnus Apr 22 '13 at 07:11
  • Did I get it right: The problem is that your app doesn’t return JSON because the browser submits the unwanted response type? This should mean to modify the request before calling `chain.doFilter(request, response);` Or didn’t I get it yet? – Matthias Ronge Apr 22 '13 at 10:24
  • Modifying the request is a bit tricky, the solution is [here](http://stackoverflow.com/questions/1413129/modify-request-parameter-with-servlet-filter) – Matthias Ronge Apr 22 '13 at 10:33
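The Filter approach from this answer, written out as an added example (it is not code from the question, from Matthias Ronge, or from GlassFish). It assumes the RESTful resources are mapped under `/secure/*`, that the welcome page is `/index.xhtml`, that the calling XMLHttpRequest sends `Accept: application/json`, and, as the question reports, that the GET replayed after form login still carries the form Content-Type; the class and method names are made up for the example. It uses the Servlet 3.0 API that GlassFish 3 ships with.

```java
// Added example: a Filter that recognises the request replayed by the container
// right after form login (an authenticated GET on a REST path that still carries
// a form Content-Type) and either hides that header from JAX-RS or sends a plain
// browser navigation to a known page. Paths and names are assumptions.
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/secure/*")
public class PostLoginLandingFilter implements Filter {

    private static final String FORM_TYPE = "application/x-www-form-urlencoded";
    private static final String WELCOME = "/index.xhtml"; // assumed welcome page

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isPostLoginLanding(request)) {
            chain.doFilter(request, response); // ordinary API call, untouched
        } else if (acceptsJson(request)) {
            // XMLHttpRequest caller: drop the stale Content-Type so the resource
            // sees a plain GET and answers with JSON instead of 415.
            chain.doFilter(new NoContentTypeRequest(request), response);
        } else {
            // Plain browser navigation: go to a predefined page, not the saved URL.
            response.sendRedirect(request.getContextPath() + WELCOME);
        }
    }

    /** Only an authenticated GET with a form Content-Type matches; a GET has no body. */
    static boolean isPostLoginLanding(HttpServletRequest r) {
        String ct = r.getContentType();
        return "GET".equals(r.getMethod())
                && r.getUserPrincipal() != null
                && ct != null
                && ct.toLowerCase(Locale.ROOT).startsWith(FORM_TYPE);
    }

    static boolean acceptsJson(HttpServletRequest r) {
        String accept = r.getHeader("Accept");
        return accept != null && accept.toLowerCase(Locale.ROOT).contains("application/json");
    }

    /** Wrapper that hides the Content-Type header from everything downstream. */
    static class NoContentTypeRequest extends HttpServletRequestWrapper {
        NoContentTypeRequest(HttpServletRequest r) { super(r); }

        @Override public String getContentType() { return null; }

        @Override public String getHeader(String name) {
            return isContentType(name) ? null : super.getHeader(name);
        }

        @Override public Enumeration<String> getHeaders(String name) {
            if (isContentType(name)) {
                return Collections.enumeration(Collections.<String>emptyList());
            }
            return super.getHeaders(name);
        }

        @Override public Enumeration<String> getHeaderNames() {
            List<String> names = new ArrayList<String>();
            for (Enumeration<String> e = super.getHeaderNames(); e.hasMoreElements();) {
                String n = e.nextElement();
                if (!isContentType(n)) names.add(n);
            }
            return Collections.enumeration(names);
        }

        private static boolean isContentType(String name) {
            return "content-type".equalsIgnoreCase(name);
        }
    }
}
```

The filter runs after the container's authenticator, so it sees the replayed GET but never the login POST itself; it only ever removes a header or redirects an already authenticated user, so it does not widen access. If the REST resource reads the content type through `getHeaderNames()`/`getHeaders()` rather than `getContentType()`, the wrapper covers that too.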

In my opinion it is better to use Basic or Digest authentication over SSL for RESTful services. Other options are including the credentials as part of the payload or creating a dedicated login service, which accepts credentials and returns a token. There are various reasons why form based authentication is less suitable for RESTful services: it requires a session, it does not use the existing HTTP Authorization header, and more.
If you need to call your RESTful service using AJAX then using a cookie for authentication can be a valid solution. It should only affect whether the user can make a call, but not how the server responds.

If you would like to keep using form based authentication for your application I would suggest adding an additional JAAS authentication provider which will handle the RESTful services authentication. You can read more about it here.

Another option, which should be easier than JAAS, would be using Spring Security or Apache Shiro instead of the container based authentication. Here is an example of configuring form based authentication with Spring Security. This post shows an example of how to secure RESTful services using Spring Security.

Dror Bereznitsky
  • I agree that form login is problematic, but I'm locked down to Glassfish. As for Basic Auth I understood it as problematic since it resends the authentication every request and I lose any simple way of actually logging out. Cookie based auth I agree with, do you have any suggestions regarding that which work with Glassfish (ie plugins etc)? – Magnus Apr 23 '13 at 12:48
  • I would try creating a custom JAAS login module - http://docs.oracle.com/cd/E19587-01/821-0027/gepfq/index.html – Dror Bereznitsky Apr 23 '13 at 13:26
  • Another option is using Spring Security or Apache Shiro instead of standard JEE security – Dror Bereznitsky Apr 23 '13 at 13:50
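The "dedicated login service" this answer mentions, as an added example that is not code from Dror Bereznitsky, from Magnus, or from GlassFish. It authenticates with the Servlet 3.0 `HttpServletRequest.login()` call against whatever realm the application's login-config names, so the container's form authenticator and its redirect to the saved request are never involved, and the session cookie it establishes is what later AJAX calls present. The resource path `/session`, the form field names and the JSON body shape are assumptions; it also assumes that GlassFish keeps the identity established by `login()` in the HTTP session, as it does for form login.

```java
// Added example: a JAX-RS login/logout resource using programmatic login.
// Names (/session, username, password, JSON shape) are assumptions.
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/session")
public class SessionResource {

    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.APPLICATION_JSON)
    public Response login(@FormParam("username") String username,
                          @FormParam("password") String password,
                          @Context HttpServletRequest request) {
        if (username == null || password == null) {
            return Response.status(Response.Status.BAD_REQUEST)
                    .entity("{\"error\":\"missing credentials\"}").build();
        }
        // Discard any pre-login session so the authenticated session gets a fresh
        // id (session fixation defence) and carries no saved request to replay.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        try {
            // Servlet 3.0 programmatic login against the application's realm.
            request.login(username, password);
        } catch (ServletException e) {
            // One generic answer for unknown user and wrong password alike.
            return Response.status(Response.Status.UNAUTHORIZED)
                    .entity("{\"error\":\"authentication failed\"}").build();
        }
        // Create the session that holds the authenticated identity; the container
        // adds the JSESSIONID cookie to this JSON response, no redirect involved.
        request.getSession(true);
        return Response.ok("{\"user\":\"" + jsonString(username) + "\"}").build();
    }

    /** Explicit logout, which Basic auth does not offer. */
    @DELETE
    public Response logout(@Context HttpServletRequest request) throws ServletException {
        request.logout();
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        return Response.noContent().build();
    }

    /** Escape the two characters that would break a JSON string literal. */
    static String jsonString(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }
}
```

Keep `/session` outside every `security-constraint` in web.xml (it has to be reachable without a session) and keep the REST resources under one, so an XMLHttpRequest that posts the form fields here gets a 200 with JSON or a 401 with JSON, and the following `GET /secure/resource1` carries the new cookie with its own `Accept` and no form Content-Type. `DELETE /session` answers the logout concern raised in the comments.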

In your login page, reset the JSESSIONID cookie to prevent the redirect to the last page:

```java
<%-- login_form.jsp: expire the session cookie so the container has no saved
     request to redirect to after login. javax.servlet.http.Cookie is
     imported implicitly in a JSP. --%>
<%
    // Same name and path with Max-Age=0 tells the browser to drop the cookie.
    Cookie jsess = new Cookie("JSESSIONID", "");
    jsess.setMaxAge(0);
    // The session cookie path is the context path, or "/" for the root
    // context, where getContextPath() returns an empty string.
    String ctx = pageContext.getServletContext().getContextPath();
    jsess.setPath(ctx.isEmpty() ? "/" : ctx);
    response.addCookie(jsess);
%>
```

Arien Chen