How do I know which page was requested before login on a JSF 2 page - authentication

I'm developing a web application with GlassFish 3.1 and JSF 2.0 / EJB 3.1. Some of my pages are secured. The secured URL parts are defined in the web.xml as URL patterns. These pages are secured through a security realm which redirects to a login page, also defined in the web.xml as login.xhtml. On login.xhtml my input fields for username and password are connected to a session-scoped backing bean which executes:
ExternalContext ec = getExternalContext();
HttpServletRequest request = getHttpServletRequest(ec);
request.login(username, password);
The EJB container is responsible for redirecting all incoming requests to secured areas with an invalid session to this page.
But suppose, for example, the user has bookmarked the page index.xhtml and requests it. First he has to log in via login.xhtml. He authenticates himself by typing his username and password and clicking the submit button.
The problem is: how do I determine the target address, in this case index.html?
The method request.getRequestURI() returns login.xhtml and not index.html. I could always redirect to index.xhtml, but what if the user had typed in xyz.xhtml? Is there any way?
Thanks
Adem

The original request information is stored in the request object under the following keys:
"javax.servlet.forward.request_uri"
"javax.servlet.forward.query_string"
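A complete session-scoped backing bean built around the two attributes above, added here as an example (it is not code from the question or the answer). It assumes GlassFish forwards (rather than redirects) to login.xhtml, so the javax.servlet.forward.* attributes are present on the request that renders the login page, and it assumes a fallback page of /index.xhtml and a login.xhtml that wires the preRenderView listener named below. The two points the answer leaves out are handled: the attributes exist only on the forwarded GET, not on the later credential POST, so they are captured before the form is rendered, and the stored target is checked to be a path inside this application before the redirect is issued, so a crafted value can never turn the login page into an open redirect.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.enterprise.context.SessionScoped;
import javax.faces.FacesException;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.ComponentSystemEvent;
import javax.inject.Named;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

@Named
@SessionScoped
public class LoginBean implements Serializable {

    private static final long serialVersionUID = 1L;
    // Assumed landing page, used whenever no original request is known.
    private static final String DEFAULT_TARGET = "/index.xhtml";

    private String username;
    private String password;
    // Context-relative path (plus query string) the user asked for before being sent to login.xhtml.
    private String originalTarget;

    /**
     * Bound in login.xhtml as
     *   <f:event type="preRenderView" listener="#{loginBean.captureOriginalRequest}"/>
     * The javax.servlet.forward.* attributes exist only on the request the container forwarded
     * to the login page; the later POST of the credentials no longer carries them, so the
     * target is captured here and kept in this session-scoped bean.
     */
    public void captureOriginalRequest(ComponentSystemEvent event) {
        FacesContext fc = FacesContext.getCurrentInstance();
        if (fc.isPostback()) {
            return;
        }
        HttpServletRequest request = (HttpServletRequest) fc.getExternalContext().getRequest();
        String uri = (String) request.getAttribute("javax.servlet.forward.request_uri");
        if (uri == null) {
            return; // login.xhtml was opened directly, not via a secured URL
        }
        String query = (String) request.getAttribute("javax.servlet.forward.query_string");
        String contextPath = request.getContextPath();
        // request_uri includes the context path; keep only the part inside the application
        String path = uri.startsWith(contextPath) ? uri.substring(contextPath.length()) : uri;
        originalTarget = (query == null || query.isEmpty()) ? path : path + "?" + query;
    }

    public String login() {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ec.getRequest();
        try {
            request.login(username, password);
        } catch (ServletException e) {
            fc.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null; // re-render login.xhtml
        } finally {
            password = null; // never keep the clear-text password in the session
        }
        String target = safeLocalPath(originalTarget);
        originalTarget = null; // one-shot: a later login must not reuse a stale target
        try {
            ec.redirect(request.getContextPath() + target);
        } catch (IOException e) {
            throw new FacesException(e);
        }
        return null;
    }

    /**
     * Accepts only a path inside this application: a single leading "/", no scheme, no
     * protocol-relative "//" or "/\" prefix, no header-injection characters. Anything else,
     * and the login page itself, falls back to DEFAULT_TARGET.
     */
    static String safeLocalPath(String candidate) {
        if (candidate == null || !candidate.startsWith("/") || candidate.startsWith("//")
                || candidate.startsWith("/\\") || candidate.contains("://")
                || candidate.contains("\r") || candidate.contains("\n")
                || candidate.startsWith("/login.xhtml")) {
            return DEFAULT_TARGET;
        }
        return candidate;
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

request.login() authenticates against the realm but does not change the session id; on a Servlet 3.1 container you would call request.changeSessionId() right after a successful login to close the session-fixation window, while GlassFish 3.1 (Servlet 3.0) requires invalidating and recreating the session instead.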

Related

How to redirect to the original path user navigated to after AAD authentication?

I have a pretty straightforward ASP .NET Core web site that uses Azure AD + OpenID for user authentication. Inside Azure I've added "https://my-site/signin-oidc" as a Redirect URI and inside my app settings I've set my CallbackPath to "/signin-oidc".
The problem is after authentication the browser always redirects to the home page.
For example the user will enter the following url into their address bar:
https://my-site/#/foo
They'll then be redirected to the azure sign-in page which has a uri like so:
https://login.microsoftonline.com/.../oauth2/v2.0/authorize?client_id=...&redirect_uri=https%3A%2F%2Fmy-site%3A64199%2Fsignin-oidc&[...]&sso_reload=true#/foo=
(Note where the '#/foo' fragment is placed)
After authentication succeeds they end up at the home page (https://my-site/).
Is there anyway for me to preserve the original URI and redirect the user to it after auth succeeds?
Try using the post_login_redirect_url query parameter for this.
If you want to automatically navigate the user to #/foo after logging in, you can set your login redirect to ~/.../authorize?post_login_redirect_url=/#/foo.

Keycloak login page shows 'invalid parameter: redirect_uri'

I am using Keycloak authentication to authenticate an Angular app and so far I have managed to redirect my login to the Keycloak server. But when redirected, instead of the login page I am getting a 500 error page with the message "Invalid parameter: redirect_uri".
When you created the client in Keycloak you set the required 'Valid Redirect URIs' field. Most likely the pattern you entered there doesn't match the redirect URI you are sending from your client. If you use port numbers, they have to match too!
If this is not the problem, check what your Keycloak server is logging and add those details here to your question.
This occurred because the base URL and the valid redirect URL were different. So I added the same URL in both text boxes. Now it works fine.

Shiro redirecting to wrong place when using PrimeFaces with JSF

This web application works with Shiro and JSF. I added PrimeFaces and I am having login redirect issues.
Expected Behaviour:
Navigate to url that needs authc
Redirected to login page
login redirected back to the original page
Behaviour with PrimeFaces:
Navigate to url that needs authc
Redirected to login page
after login redirected to javax.faces.resource/theme.css?ln=primefaces-aristo
I log in a user by catching the request params in my shiro.ini file:
# name of request parameter with username; if not present filter assumes 'username'
authc.usernameParam = login:username
# name of request parameter with password; if not present filter assumes 'password'
authc.passwordParam = login:password
# does the user wish to be remembered?; if not present filter assumes 'rememberMe'
authc.rememberMeParam = login:remembered
I modified this to instead use a PassThruAuthenticationFilter and the login request is processed by my bean, but this still produces the same error. Bean login method:
AuthenticationToken token = new UsernamePasswordToken(username, password);
Subject currentUser = SecurityUtils.getSubject();
currentUser.login(token);
ServletRequest request = (ServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
ServletResponse response = (ServletResponse) FacesContext.getCurrentInstance().getExternalContext().getResponse();
WebUtils.redirectToSavedRequest(request, response, "index.xhtml");
My login bean is @RequestScoped.
The root cause of this problem was having all my views in the same directory. I had configured shiro to require authentication for everything in the root directory /*
The reason the login page was displayed is because it is a 'special' case, it is defined as the login page in the shiro config. After loading this page the browser made additional requests for the css and js files which is why there was no theme on this page.
Given the behaviour of WebUtils.redirectToSavedRequest(request, response, "index.xhtml"); it appears that shiro simply saves the last request received that isn't the login page.
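The answer identifies the cause: Shiro's saved request is simply the last authc-protected request it saw, and with /** protected that is the CSS fetched by the login page. Added here as an example (not the poster's or Shiro's own code) is the fix a practitioner would apply on both sides: exclude the JSF resource servlet from authentication in shiro.ini so the resource requests are never saved, and make the login bean refuse to redirect to a resource or to the login page even if one slips through. It assumes the PassThruAuthenticationFilter setup from the question, /login.xhtml as login page and /index.xhtml as the fallback landing page.

```java
import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.util.SavedRequest;
import org.apache.shiro.web.util.WebUtils;

/*
 * Preferred fix, in shiro.ini: let the browser fetch JSF resources anonymously so Shiro never
 * records a CSS/JS request as the "saved request". Filter chain definitions are matched
 * first-wins, so the anon line must come before the catch-all.
 *
 *   [main]
 *   authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
 *   authc.loginUrl = /login.xhtml
 *
 *   [urls]
 *   /javax.faces.resource/** = anon
 *   /** = authc
 */
public class ShiroLoginBean {

    private static final String FALLBACK = "/index.xhtml";           // assumed landing page
    private static final String RESOURCE_PREFIX = "/javax.faces.resource/";
    private static final String LOGIN_PAGE = "/login.xhtml";

    private String username;
    private String password;

    public void login() throws IOException {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
        } catch (AuthenticationException e) {
            return; // report the failure to the user and stay on the login page
        } finally {
            password = null; // do not keep the clear-text password around
        }
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        ServletRequest request = (ServletRequest) ec.getRequest();
        ServletResponse response = (ServletResponse) ec.getResponse();

        // Consume the saved request so a stale one cannot be replayed on a later login
        SavedRequest saved = WebUtils.getAndClearSavedRequest(request);
        String contextPath = WebUtils.toHttp(request).getContextPath();
        String target = chooseTarget(saved == null ? null : saved.getRequestUrl(), contextPath);

        // SavedRequest.getRequestUrl() already carries the context path, hence contextRelative=false
        WebUtils.issueRedirect(request, response, target, null, false);
        FacesContext.getCurrentInstance().responseComplete();
    }

    /**
     * Redirect to the saved URL only if it is a page of this application; a JSF resource
     * (theme.css, *.js) or the login page itself is not a useful destination, so those and a
     * missing saved request go to the fallback page.
     */
    static String chooseTarget(String savedUrl, String contextPath) {
        String fallback = contextPath + FALLBACK;
        if (savedUrl == null || !savedUrl.startsWith(contextPath + "/")) {
            return fallback;
        }
        String path = savedUrl.substring(contextPath.length());
        if (path.startsWith(RESOURCE_PREFIX) || path.startsWith(LOGIN_PAGE)) {
            return fallback;
        }
        return savedUrl;
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

With the anon rule in place the bean's resource check is only a safety net; it matters again as soon as another resource servlet (uploads, an API prefix, a different theme library) is added without a matching anon line.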

Redirect on successful Login using servicestack

I've recently decided to migrate over to using servicestack authentication. From what I can tell, to have a redirect after a successful login of an oauth provider, you add the url to the appSettings of your web.config, i.e. oauth.GoogleOpenId.RedirectUrl.
My question is, is there any way to make this more dynamic so that if a user gets redirected to the log-on page when trying to access an authorized page, say their profile page, then once they log on successfully they get routed to their profile page instead of what's configured in the web.config? Forms authentication did this by using a 'returnUrl' query parameter.
Any help would be appreciated.
The behavior is that accessing a protected page redirects to a /login page (overridable with HtmlRedirect on AuthFeature or the Authenticate attribute) and, on successful login, should automatically redirect to the previously attempted protected page.
To do this you want to specify the redirect url in the continue or ReturnUrl FormData POST variable or QueryString when attempting to authenticate with the /auth service.

Spring security: show error 403 page instead of login form page for non-authenticated users

I've set up basic Spring authentication. When a user comes to the site and enters a secured URL, the login form is rendered, but I want to show an error 403 page (or any other page I choose) instead.
If I understand correctly I can't use access-denied-handler because user is not authenticated at all.
How do I show a page other than the login form to a non-authenticated user when he accesses a secured URL?
When you are using form-login the default AuthenticationEntryPoint redirects to the login page.
You can override this by injecting a custom entry point using the entry-point-ref attribute.
You can use the code for Http403ForbiddenEntryPoint as a guideline (or use that directly if all you want is a response code sent to the client).
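A custom entry point along the lines the answer suggests, added here as an example (not the answerer's or Spring Security's own code), for the Spring Security 3.x XML namespace this thread uses. It assumes a bean id of forbiddenEntryPoint, a class name of example.ForbiddenPageEntryPoint and an error view under /WEB-INF/views/403.jsp; with no errorPage configured it degrades to the bare 403 status that Http403ForbiddenEntryPoint produces. The distinction the question gets right is preserved: the entry point fires for unauthenticated (anonymous) users, while access-denied-handler / access-denied-page still applies to authenticated users who lack a role.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/*
 * Wiring in the security context file. entry-point-ref replaces the redirect-to-login
 * entry point that form-login installs; the login form itself keeps working when a user
 * opens it directly.
 *
 *   <http auto-config="true" entry-point-ref="forbiddenEntryPoint"
 *         access-denied-page="/WEB-INF/views/403.jsp">
 *     <intercept-url pattern="/secure/**" access="ROLE_USER"/>
 *     <form-login login-page="/login.jsp"/>
 *   </http>
 *
 *   <beans:bean id="forbiddenEntryPoint" class="example.ForbiddenPageEntryPoint">
 *     <beans:property name="errorPage" value="/WEB-INF/views/403.jsp"/>
 *   </beans:bean>
 */
public class ForbiddenPageEntryPoint implements AuthenticationEntryPoint {

    // Context-relative view to render; null means a plain 403 status with no body.
    private String errorPage;

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        if (errorPage == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
            return;
        }
        // Forward rather than redirect: the browser keeps the URL it asked for and
        // receives the 403 status together with the page, so nothing leaks about which
        // URLs exist behind the login and no open redirect is introduced.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        request.getRequestDispatcher(errorPage).forward(request, response);
    }

    public void setErrorPage(String errorPage) {
        if (errorPage != null && !errorPage.startsWith("/")) {
            throw new IllegalArgumentException("errorPage must be a context-relative path starting with '/'");
        }
        this.errorPage = errorPage;
    }
}
```

Keep the 403 view under /WEB-INF so it can only be reached through the forward, not by URL. Strictly, an unauthenticated request deserves a 401, but the question asks for 403 and browsers do not render a custom page for a 401 without a WWW-Authenticate scheme they understand, so 403 is the pragmatic choice here.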
Add the below tag in your security context file.
access-denied-page="<name of the page>"
add this in http tag like below:
<http auto-config="true" access-denied-page="/authenticationfailed.jsp">