Package org.uberfire.ext.security.server

Class LoginRedirectServlet

  • All Implemented Interfaces:
    Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig
    public class LoginRedirectServlet
extends javax.servlet.http.HttpServlet
    A workaround for the servlet form authentication process (j_security_check), which, at least on WildFly 8.1, uses the HTTP POST method when forwarding the request after successful login. This blows up after login, giving an HTTP 405 Method Not Allowed response when the desired resource is a static one, such as a GWT host page.

    This servlet works around the issue by sending an HTTP redirect only if the request comes from an authenticated user to a URL of your choice. The end result is that your user will see the real resource's URL in their browser's location bar after login. In addition, this servlet copies all request parameters that were submitted along with the login form (except j_username and j_password) to the redirect URL.

    To set this servlet up, configure your web application as follows:

    • Declare this servlet in web.xml with init-param display-after-login set to the context-relative URI of the page you want the user to land on after a successful login. (for example, /host_page.html)
    • Map this servlet to a url-pattern that makes sense for a sign-in page, such as /login.
    • Mark this servlet's url-pattern with a security-constraint that only allows logged-in users to see it. (I know, this part is confusing! The login URL has to be a protected resource!)
    • Configure web.xml for auth-method FORM
    • Configure the form-login-page and form-error-page to any resource you like. It can even be JSP's under /WEB-INF, since the login and error pages will never display under their "own" URLs. They always display in place of the "real" resource that was being requested by an unauthorized user. In our case, that resource should always be whatever this servlet is mapped to (eg. /login).
    • (Optional) set welcome-page-uri to this servlet's uri-pattern, as an easy way to direct new visitors into this tangled web of deceit.
    See Also:
    Serialized Form

    • Constructor Detail

      • LoginRedirectServlet

        public LoginRedirectServlet()

    • Method Detail

      • init

        public void init​(javax.servlet.ServletConfig config)
          throws javax.servlet.ServletException
        Specified by:
        init in interface javax.servlet.Servlet
        Overrides:
        init in class javax.servlet.GenericServlet
        Throws:
        javax.servlet.ServletException

      • doGet

        protected void doGet​(javax.servlet.http.HttpServletRequest req,
                     javax.servlet.http.HttpServletResponse resp)
              throws javax.servlet.ServletException,
                     IOException
        Overrides:
        doGet in class javax.servlet.http.HttpServlet
        Throws:
        javax.servlet.ServletException
        IOException

      • doPost

        protected void doPost​(javax.servlet.http.HttpServletRequest req,
                      javax.servlet.http.HttpServletResponse resp)
               throws javax.servlet.ServletException,
                      IOException
        Overrides:
        doPost in class javax.servlet.http.HttpServlet
        Throws:
        javax.servlet.ServletException
        IOException