
Thread: absolute redirection in ACEGI code base problematic

  1. #1
    Join Date
    Sep 2005
    Posts
    3

    Default absolute redirection in ACEGI code base problematic

    When re-directing a non-authenticated user, class AuthenticationProcessingFilterEntryPoint builds an absolute URL.
    This leads to problems in a customer environment where our server (Weblogic, clustered) is behind a load-balancer and may NOT be accessed directly.
    Theoretically the customer can configure the load balancer to overcome this, but this is perceived as requiring configuration changes in an active web-farm because of a specific app. Bad karma.

    Does anyone have a clue why absolute redirection is used?
    Are there any plans to make it relative?

    I can change the code locally, but am worried that I am missing some major point.

    Thanks for any answer!

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Default

    AuthenticationProcessingFilterEntryPoint generates an absolute URL because it needs to support the scheme name (http/https) because of the AuthenticationProcessingFilterEntryPoint.forceHttps property.

    There is no problem with writing your own implementation of AuthenticationEntryPoint that behaves differently. It will work just fine.
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security

  3. #3
    Join Date
    Sep 2005
    Posts
    3

    Default Let's take this further

    In AuthenticationProcessingFilterEntryPoint you use an absolute URL regardless of the forceHttps flag.
    I think a better implementation would be to use an absolute URL iff you change protocol during the redirect.
    I'll gladly donate my implementation on this as a fix to AuthenticationProcessingFilterEntryPoint, unless I am missing some point.

  4. #4
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Default Re: Let's take this further

    Quote Originally Posted by ospector
    I'll gladly donate my implementation on this as a fix to AuthenticationProcessingFilterEntryPoint, unless I am missing some point.
    No problem, please feel free to submit a patch to JIRA.
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security
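
The rule proposed in post #3 (absolute URL only when the redirect changes protocol), as an added example that is not part of the thread and is not Acegi code. The class name `LoginRedirectTarget`, the method `resolve`, its parameters and the host names are all hypothetical.

```java
/**
 * Added illustration, not Acegi code: picks the redirect target for the
 * login page. Relative unless the scheme has to change to https.
 */
public final class LoginRedirectTarget {

    private LoginRedirectTarget() {}

    /**
     * @param scheme       scheme of the current request (request.getScheme())
     * @param serverName   host as the container sees it (request.getServerName())
     * @param httpsPort    port where https is reachable (assumed to come from configuration)
     * @param contextPath  request.getContextPath(), "" for the root context
     * @param loginFormUrl context-relative login page, e.g. "/login.jsp"
     * @param forceHttps   same meaning as the forceHttps property discussed above
     */
    public static String resolve(String scheme, String serverName, int httpsPort,
                                 String contextPath, String loginFormUrl, boolean forceHttps) {
        // Accept only a context-relative path; reject "//host/..." and full URLs.
        if (loginFormUrl == null || !loginFormUrl.startsWith("/") || loginFormUrl.startsWith("//")) {
            throw new IllegalArgumentException("loginFormUrl must be a context-relative path");
        }
        String path = contextPath + loginFormUrl;
        boolean schemeChanges = forceHttps && !"https".equalsIgnoreCase(scheme);
        if (!schemeChanges) {
            // Same protocol: a server-relative path carries no host name, so the
            // client stays on whatever host it used to reach the load balancer.
            return path;
        }
        // Protocol switch: a relative path cannot express a scheme change, so an
        // absolute URL is unavoidable here. serverName is still the container's
        // view of the host and must be one that clients can actually reach.
        String port = (httpsPort == 443) ? "" : ":" + httpsPort;
        return "https://" + serverName + port + path;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String host = "node1.internal.example";
        System.out.println(resolve("http", host, 443, "/app", "/login.jsp", false));
        System.out.println(resolve("https", host, 443, "/app", "/login.jsp", true));
        System.out.println(resolve("http", host, 8443, "/app", "/login.jsp", true));
    }
}
```

The returned string is what a custom AuthenticationEntryPoint would hand to `HttpServletResponse.sendRedirect(...)`; the wiring into Acegi is left out because it depends on the Acegi version in use.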

  5. #5
    Join Date
    Sep 2005
    Posts
    3
