Tomcat - making the login page content different depending on how the user got there

I have a web-based service implemented in Tomcat and using Tomcat container-based authentication. What I'm trying to achieve is to have the login page appear differently depending on how the user got there. Specifically:

  • If the user clicks on the "login" button, I want the login page to just ask for a username and password. I've implemented the login button to simply take the user to the "logged in" page, and made that a secure page so that container login gets triggered.

  • If an unauthenticated user visits a page that requires authentication, I want the login page to also say "You must login to do this" or something like that.

So the problem is to make the controller or JSP for the login form aware of what the browser was requesting when it got redirected here. I've looked at the headers and other attributes in the request object, but I couldn't see anything that would help.

Can anyone suggest a solution? Or maybe a different way to implement the "login" button that would avoid the problem?

Stephen C asked Apr 11 '12 03:04


4 Answers

You can use this to determine the target of the original request:

<%
// Tomcat forwards to the login page, so the originally requested URI is exposed
// as a request attribute; it is null when the login page was requested directly.
String value0 = (String) request.getAttribute("javax.servlet.forward.request_uri");
if (value0 == null || value0.contains("login_success.jsp")) {
    out.print("USER, LOG IN!");
} else {
    out.print("USER, you have to LOG IN to go there!");
}
%>

Other options include:

You could implement the login button to redirect to the login success page and add a ?MyKey=value to the URL; that attribute can be seen by the login page and you can react to it.

I will work over my code that prints out everything and anything I could find, make it more readable, and then post it here. I'm sure that the value for where the user goes next is present somewhere in your request; you just have to find out where.

Angelo Fuchs answered Oct 30 '22 12:10


You have a few options. One is the "Referer" header: this field will contain the URL the browser was at last, so on the login page you could see whether the last page was your page linking them here, or somewhere else.

This will work, but it is NOT foolproof: some folks/companies will filter out referers etc., and some browsers may allow users to turn it off, so you don't get the reference to the page they were last at.

The BEST bet is to assign a cookie value when the user logs in; then, if a user requests a page that requires a login, your code simply checks for the cookie value being present. If it's there, the user has logged in already and you can show the page... if it isn't, you send them the YOU HAVE TO LOG IN TO DO THIS page.

Speckpgh answered Oct 30 '22 10:10


The above solutions seem backwards to me. The authentication controller shouldn't be looking at where the request came from to decide what to do... it should be told. The redirecting controllers/rules should know what they want done and should send it to the appropriate action.

The login can go directly to the login action of the servlet.

I don't know how your servlets are set up, but the servlet should be looking for authentication in cases where it is needed for some action. If it isn't authenticated, redirect to an authentication action. The login/authenticate actions will be slightly different (setting parameters or text) but can go to the same view.

Having said that, doing authentication right from scratch is a lot of work and it is usually a lot easier to just pull in other frameworks. For example: Spring Security.

kevingallagher answered Oct 30 '22 12:10


I favor @Angelo's answer for portability, but if you're willing to tie your app to Tomcat, you can get the target destination (where the user wants to go after logging in) from the triggering request, which is saved in the session. I haven't tried this, but I think it will work:

import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.authenticator.SavedRequest;
import org.apache.catalina.session.StandardSession;

...

// Tomcat-specific: this cast only works when the session object handed to us
// is Tomcat's own StandardSession implementation
StandardSession standardSession =
    (StandardSession) httpServletRequest.getSession();

// Retrieve the SavedRequest object (the request that triggered form login)
// from our session; it is null if no protected page was requested first
SavedRequest saved = (SavedRequest)
        standardSession.getNote(Constants.FORM_REQUEST_NOTE);
if ((saved == null) ||
    httpServletRequest.getRequestURI().equals(saved.getRequestURI())) {
    // user came directly to login page
} else {
    // "You must login to do this"
}
Old Pro answered Oct 30 '22 11:10
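As an added example (not from any of the answers above), here is a servlet-independent helper that turns the forwarded request URI from Angelo Fuchs's answer (or the SavedRequest URI from Old Pro's answer) into the login-page message. It handles the no-forward case, strips the context path, and HTML-escapes the path before it is shown, because that value originates in the client's own request. The context path "/myapp" and the landing page "/login_success.jsp" are assumed values for illustration.

```java
/** Decides what the login page should say, given the URI Tomcat forwarded from. */
public final class LoginPageMessage {

    private LoginPageMessage() {}

    /**
     * @param forwardedUri value of request.getAttribute("javax.servlet.forward.request_uri"),
     *                     or null when the login page was requested directly (no forward)
     * @param contextPath  request.getContextPath(), e.g. "/myapp" (assumed value)
     * @param loginLanding the page the "login" button sends users to (assumed value)
     */
    public static String choose(String forwardedUri, String contextPath, String loginLanding) {
        // No forward attribute: the browser asked for the login page itself.
        if (forwardedUri == null || forwardedUri.isEmpty()) {
            return "Please log in.";
        }
        // Drop the context path so the comparison is against the app-relative page.
        String path = forwardedUri.startsWith(contextPath)
                ? forwardedUri.substring(contextPath.length())
                : forwardedUri;
        if (path.equals(loginLanding)) {
            return "Please log in.";
        }
        // The URI is client-controlled input; escape it before embedding it in HTML.
        return "You must log in to access " + htmlEscape(path) + ".";
    }

    /** Minimal HTML escaping for text placed inside an element body or attribute. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(choose(null, "/myapp", "/login_success.jsp"));
        System.out.println(choose("/myapp/login_success.jsp", "/myapp", "/login_success.jsp"));
        System.out.println(choose("/myapp/admin/report.jsp", "/myapp", "/login_success.jsp"));
    }
}
```

In a JSP you would call choose() with request.getAttribute("javax.servlet.forward.request_uri") and request.getContextPath() and print the result instead of building the message inline.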