I have an application developed in Servlets and JSPs.
But here is my issue:
Without logging in I don't want any JSP to be rendered. When I request a particular URL(some JSP) my code should authenticate it and if fails it should be redirected to login page and once login is successful then previously requested page should be automatically redirected.
Which usually happens in most of the websites.
How do we achieve this Servlets and JSPs.
Thank you and Regards
You could pass the original request url as a parameter to your redirect url and once the redirect action is complete on the server side (after authentication), retrieve the url from the request param and redirect or forward to it.
Original request
-----------------
if(!authenticated){
response.sendRedirect("/authURL?originalURL=somepath");
}
Authentication Request
---------------------
if(authenticationSuccessful){
String originalURL = request.getParam("originalURL");
if(originalURL != null){
response.sendRedirect("/originalURL");
}
}
Another way is to set a cookie with the redirect. The cookie value can contain the original url.
Related
We are implementing the SSO via the Keycloak. When an user wants to access our resources on desiredUri, he is automatically redirected to the keycloak login page{keycloakServerHostname}/auth/realms/{realmName}/protocol/openid-connect/auth?response_type=code&login=true&scope=openid&state={uuidOfStateForCSRF}&client_id={clientName}&**redirect_uri**={**desiredUri**}.
Then a login form is presented, but when I fill in the credentials and the POST call submitting the request is issued on Keycloa, the response from Keycloak is 302 FOUND, but the Location header does not contain my desiredUri+paramsForGettingTokens, but consists of keycloakServerHostname+paramsForGettingTokens instead.
The weird thing is when I manually put i.e. google.com to redirect_uri param, it works and the location header points to google.com, but as soon as I put there localhost, some IP etc. (not resolvable by a public DNS), it stops working and starts to ignore the redirect uri.
It looks like the Keycloak is validating the redirect uri with some kind of DNS lookup and when it cannot resolve that DNS, it puts the baseUrl of Keycloak there instead.
How can I turn off this behavior?
My client settings are as simple as they can be:
Keycloak settings screenshot
Thanks for any advice.
For the very first time, when the user is NOT logged in (via CAS SSO), it's redirecting incorrectly after login. It is repeating everything after # tag. Example: /appname/#/service/7120 is being redirected to /appname/#/service/7120#/service/7120.
However, if already logged in, it works correctly.
The fragment after # tag stays in browser, and never reaches to server. In other words, the request URI seen by server does not include the fragment. So after login, you can not simply restore to original request to include the fragment in server. Typically, you will need store the original request (including fragment) in client side (browser) by using javascript (say create a cookie) before you redirect user to login page, then restore request to the original request URI (say from cookie) after login.
I am using cloudflare's "flexible ssl" as an intermediary between client and my site.
After setting this up, I went to the browser and tried accessing my site via https:
https://example.com/login
and everything works. I fill in my login info and log in successfully and am not on http://example.com . I manually enter https://example.com/* where * is many other pages and it all works fine.
Now I want to redirect all requests to use the seemingly working https. So i go to my cloudflare account on their website and create a page rule : http://example.com/* to always use https.
Now I go to example.com/login and successfully redirected to https://example.com/login, I fill in my log in information and submit the login form , the page refreshes and I am back to https://example.com/login with an empty login form.
Anyone know what the problem is or how to help troubleshoot?
I am using laravel as a framework for the site and apache as the webserver.
create a page rule : http://example.com/* to always use https
Noted. Be aware that CloudFlare does this by accepting every HTTP request on http://example.com/* and returning a 301 redirect to the equivalent HTTPS request. The browser completes the redirect by sending a GET request to the HTTPS URL.
I fill in my log in information and submit the login form
Check the login form source carefully and check what URL the login form is submitted to. My guess is that the form is submitted to http://example.com/login or something similar. CloudFlare will accept the POST request to http://example.com/login and return a 301 redirect to https://example.com/login -- which your browser will complete as a GET request and hence not sending the login data.
So your best solution is to make sure that your login form POSTs to the correct HTTPS URL not to the HTTP URL.
That's my best guess anyway.
how to help troubleshoot?
Ensure that you are using different log files to distinguish between HTTP and HTTPS requests on your server.
Some other suggestions:
Get a Let's Encrypt SSL certificate and put that on your site so that the communication between CloudFlare and your site is all SSL. https://letsencrypt.org/
Ensure that HSTS is turned on for all of your HTTPS requests so that the browser will know not to send any requests to any HTTP URLs.
Create a development server where you can test all of this working with HTTPS between the browser and the web server without CloudFlare. Once you've got it all working in HTTPS mode without CloudFlare then you can try it with CloudFlare and you should get essentially the same results. Your problem is with the HTTP -> HTTPS switch, not specifically with CloudFlare.
I have two different domains/sites, one http and one https. The http site requires login and then users are shown a non-secure page with an iframe that shows content from the https site.
I would like to seamlessly pass login credentials from the http site to the iframe'd https site. I do not want to use jquery. Is it possible to have the iframe use a POST request instead of GET? I would like to encrypt the login info from the http site and POST the encrypted bundle to the https site.
I'm working with php and apache, if it makes a difference.
I found this article on iframe/POST but wasn't sure how to get the form auto-submitted when the http page loads. Maybe that's a line of javascript? Also, while the login page on the http site has a login form, the post-login page that has the iframe on it does not (currently) have a form. Maybe I could make an invisible form to create this POST request?
Thanks!
You can use Javascript like this:
document.getElementById('someId').submit();
I am trying to implement the code from this page http://msdn.microsoft.com/en-us/windowslive/hh278354, but I am getting this error:
[WL]The 'wl_auth' cookie has multiple values. Ensure that the redirect URI specifies a cookie domain and path when setting cookies.
The code I'm calling is at this page http://www.mysite.com/Javascript.aspx and redirect URI is also pointing to this page. What is the problem, where do I need to specify cookie domain?