3

I have a secure portion of my simple Servlet app, and I need to pass parameters to the secure part of my app.

Flow:

  1. 3rd party needs to use my login mechanism (simple secure servlet)
  2. user attempts to go to: mycompany.com/loginApp/login?pref=1
  3. the "/login" url is secure, so the app server tells the browser to redirect to my login.jsp, but at this point the URL is updated to: mycompany.com/loginApp/login/login.jsp (notice that "?pref=1" is gone)

My web.xml's security looks like:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secured</web-resource-name>
            <description></description>
            <url-pattern>/home</url-pattern>
            <url-pattern>/login</url-pattern>
            <url-pattern>/jsp/apps/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>

        <auth-constraint>
            <description>protectedlinks</description>
            <role-name>protected</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>mycompany.com</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <description>Protected portion of site</description>
        <role-name>protected</role-name>
    </security-role>

Looking through the net, it appears that the AppServer does indeed do a redirect to the login.jsp when trying to access secure content: http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html#bncbq

What I would like to happen is that the "pref=1" somehow is persisted to the login.jsp and then submitted to the authentication servlet (verifies users in a DB).

Any advice on how to do this?

UPDATE: A hidden parameter will not work. The browser has done a complete redirect, which has wiped away all of the request (including the "pref=1" param in the URL). Therefore, I cannot include it as a hidden param on the form of my login.jsp.

UPDATE 2: The "pref" variable is dynamic, so it will not always be 1.

Thanks, Sean

Sean Charles

2 Answers

2

Add `<input type="hidden" name="pref" value="1"/>` inside the `<form/>` tag in your login.jsp.

It will become a POST parameter though, so not exactly available on the query string, but it will be there in the request.

The above covers a static parameter. To pass a variable through login.jsp on the automatic redirect you will need to employ a filter. This has been covered on SO here: How to pass an additional parameter with spring security login page

Community
maksimov
  • Not going to work. The "pref" var never makes it to the login.jsp page. The browser does a redirect, which completely wipes out the "pref" parameter. – Sean Charles Jun 21 '12 at 15:53
  • Huh? Surely if you hardcoded it there as a hidden field, it will always be there. Am I missing something? – maksimov Jun 21 '12 at 15:56
  • The important bit is "pref" getting from form to the servlet, right? – maksimov Jun 21 '12 at 15:58
  • My fault, I should have made it clear that the "pref" url variable is dynamic and could be different with every request. – Sean Charles Jun 21 '12 at 16:10
  • yes the important part is to get the "pref" var to the servlet. – Sean Charles Jun 21 '12 at 16:11
  • I see your problem now. This can be achieved through a filter. A method is explained in detail [here](http://www.coderanch.com/t/490520/Spring/Spring-security-pass-additional-parameter) and [here on SO](http://stackoverflow.com/questions/10074308/how-to-pass-an-additional-parameter-with-spring-security-login-page). – maksimov Jun 21 '12 at 16:15
0

I am not sure that this is possible to be done the way you want. What I would do, which is a little bit of a hacky approach, is the following:

Set up a servlet that will accept the initial request. This servlet will store the parameter passed (pref) in a session variable. Then this servlet will do a redirect to the protected resource, and the application server will automatically direct the user to the login page. Once there, you have the pref parameter in your session and you can use it any way you want.

I hope this helps

MaVRoSCy
  • Your solution is exactly the path I started down, along with a "hacky" JavaScript solution, of which I like neither. I am using a WebSphere app server, and apparently there is a cookie created by WAS for this exact flow: WASReqURL. However, I cannot find how to enable it just yet. If I find more info, I'll post it here for future reference. – Sean Charles Jun 21 '12 at 21:36
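
The session-based approach from the second answer, sketched as an added example that is not code from the thread or from any poster. The servlet name, the `/entry` mapping, the session attribute name and the numeric format assumed for `pref` are all hypothetical; only the `pref` parameter and the secured `/login` URL come from the question.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical entry servlet. Map it in web.xml to a URL that is NOT listed
// in the <security-constraint> (assumed here: /entry), so the request reaches
// it before the container starts FORM authentication.
public class PrefEntryServlet extends HttpServlet {

    static final String PREF_ATTR = "loginApp.pref"; // assumed attribute name

    // Assumption: pref is a short numeric id. Adjust to the real value space.
    private static final Pattern PREF_OK = Pattern.compile("\\d{1,6}");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String pref = req.getParameter("pref");
        // The value arrives on an unauthenticated request from a third party,
        // so only a strictly validated value is stored in the session.
        if (pref != null && PREF_OK.matcher(pref).matches()) {
            req.getSession(true).setAttribute(PREF_ATTR, pref);
        }
        // Fixed, application-relative target. Building the redirect from
        // request input would turn this servlet into an open redirect.
        resp.sendRedirect(req.getContextPath() + "/login");
    }

    // Called by the secured /login servlet once the container has
    // authenticated the user. Reads the stored value once and removes it.
    static String consumePref(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return null;
        }
        String pref = (String) session.getAttribute(PREF_ATTR);
        session.removeAttribute(PREF_ATTR);
        return pref;
    }
}
```

The third party would link to `/loginApp/entry?pref=...` instead of the secured URL; the secured servlet should treat a `null` result from `consumePref` as "no preference supplied".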