I use application managed security for an Intranet web application.

I have the next filter in my web.xml file:

<filter>
  <filter-name>employeeAccessFilter</filter-name>
  <filter-class>security.AuthorizationFilter</filter-class>
  <init-param>
    <param-name>roles</param-name>
    <param-value>employee</param-value>
  </init-param>
  <init-param>
    <param-name>onError</param-name>
    <param-value>../index.jsp</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>employeeAccessFilter</filter-name>
  <url-pattern>/corporate/*</url-pattern>
</filter-mapping>

index.html contains a login box. When a user logs in, they go to the dashboard of the intranet. The filter works well.

Take a look at the following situation:

  • Someone gets an email with a link to an intranet page, such as: http://appname.com/corporate/page.do?id=6
  • He clicks the link, his default browser has a cookie stored, he is automatically logged in, and the page is displayed properly.

But:

  • Someone gets an email with a link to an intranet page, such as: http://appname.com/corporate/page.do?id=6
  • He clicks the link, but his default browser does not have an app cookie, so he is not automatically logged in. He is redirected to the login screen. He logs in, but he goes to the dashboard instead of the page mentioned in the link.

Is there an easy way to solve this?

I have basically two ideas:

B) Use Basic, container-managed security, which will solve the issue.

A) Implement, within the authentication filter, a mechanism which:
  • stores the rejected URL as a request attribute,
  • puts the rejected URL into a hidden field of the login box, and
  • changes the login logic to use that URL field instead of always going to the dashboard.

Both of them seem like a bit of work. Does anyone have a better idea?

+1  A: 

Most sites requiring logins seem to do it using method A. For example, on Stack Overflow, if you access a page requiring login, you get redirected to /users/login?returnurl=..., which causes a returnurl field to be emitted as a hidden field in the login form.

Chris Jester-Young
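One way to implement method A with a servlet filter, as an added example (not the asker's web.xml filter nor anything from the answer). It assumes the login page is reachable at an absolute path such as /index.jsp given in the onError init-param, that a successful login stores a "user" attribute in the session, and that the login handler calls safeReturnUrl before redirecting; the returnurl check keeps a tampered value from bouncing the user to another host.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter for "method A": remember where the user wanted to go,
// send them to the login page with that target, and let the login code
// redirect there after a successful login instead of to the dashboard.
public class ReturnUrlAuthFilter implements Filter {
    private String loginPage; // read from the filter's onError init-param

    @Override
    public void init(FilterConfig cfg) {
        loginPage = cfg.getInitParameter("onError"); // assumed to be an absolute path, e.g. /index.jsp
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute("user") != null) { // assumed login marker
            chain.doFilter(req, res);
            return;
        }
        // Rebuild the rejected URL, query string included (page.do?id=6), within this app.
        String target = request.getRequestURI();
        if (request.getQueryString() != null) target += "?" + request.getQueryString();
        response.sendRedirect(request.getContextPath() + loginPage
                + "?returnurl=" + URLEncoder.encode(target, "UTF-8"));
    }

    // Called by the login handler after a successful login. Only paths inside this
    // application are honoured, so a tampered returnurl cannot send the user to
    // another host (open redirect); anything else falls back to the dashboard.
    public static String safeReturnUrl(String candidate, String contextPath, String dashboard) {
        if (candidate == null || !candidate.startsWith(contextPath + "/")
                || candidate.startsWith("//") || candidate.contains("\\")
                || candidate.contains("\r") || candidate.contains("\n")) {
            return contextPath + dashboard;
        }
        return candidate;
    }

    @Override
    public void destroy() {}
}
```

The login form emits the returnurl request parameter as a hidden field, and the login handler passes that field to safeReturnUrl (with a dashboard path such as /dashboard.do, assumed) to choose the post-login redirect.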