acegilogin.jsp through Spring controllers?

Printable View

Dec 19th, 2004, 03:19 PM
eisenb

acegilogin.jsp through Spring controllers?

Hello Again,

One of my design objectives is to hide my view technology from the user, so I am interested in routing the login through my controllers.

In my simple experiment, I placed the contents of acegilogin.jsp into my protected WEB-INF/jsp directory and provided handling through the signin.htm URI. In addition, I updated the applicationContext.xml so that it referred to this URI instead of acegilogin.jsp. I left the other configuration the same.

The result of this experiment was that I was able to get my sign in page, but every submission ended in a credentials error. I'm not completely sure why this didn't work. I was wondering if somehow the filters are not getting the opportunity to perform the security check.

If there is a way to get the desired behavior, I would appreciate it.

Thanks,
Bill
Dec 20th, 2004, 05:16 AM
Ben Alex

Did you keep the j_username and j_password and form post to j_acegi_security_check the same? Acegi Security has a filter which watches out for requests to that URI and expects those form parameters to be presented. Aside from that it doesn't have any dependencies on your form.
Dec 20th, 2004, 10:00 AM
eisenb

I think I've actually figured out what may be the problem. As represented previously, I've renamed and relocated the contents of acegilogin.jsp into signin.jsp and so it gets routed through my controller with the signin.htm URI.

I want to force HTTPS for this, so I have the forceHttps setting set to true. This works fine for when protected resources are requested. However, a user can request this same URI without HTTPS if channel security is not present. This is unwanted behavior.

So I added the /signin.htm to the channel security so that it forces HTTPS. This apparently causes a problem such that credentials cannot be found. Have I done something wrong in getting the desired behavior?

Thanks,
Bill
Dec 20th, 2004, 11:43 AM
eisenb

By the way, I am using Tomcat 5.0.28 and running everything standalone for now.

I had noticed that when I tried to integrate just the channel security filters that my session data seemed to get "lost". Its possible that the root cause of this misbehavior lies with my container. That said, I haven't managed to run across the antedote.

If this seems like a likely cause, I'd appreciate a tip on what is going on and why.

Thanks,
Bill