Jun 3rd, 2010, 11:40 AM
Wrong redirection after logged in
When I "copy & paste" a valid URL into the URL bar, my application requires a login. When I log in successfully, it redirects me to the correct page. But when the same URL is opened from a link in an Excel file, after the login it redirects me to the home page (defaultTargetUrl) and not to the required page.
I guessed it was something about the login form, so I used <c:url />:
<form action="<c:url value='j_spring_security_check'/>" name="loginform"
but without success.
Any hints about possible causes?
Jun 3rd, 2010, 11:44 AM
I would debug the requests that are sent from your browser in both cases and also the creation (and maintenance) of the session. You may be losing the session in one case, in which case the originally requested URL will not be available after you authenticate.
Jun 4th, 2010, 04:17 AM
Thanks for the reply,
I have attached the source code of Spring (2.5.2) and Spring-Security (2.0.5) for remote debugging. Of course, before getting to the controller, the request goes through the "filters", and in this situation everything is forwarded to Spring-Security.
Reading this post: http://forum.springsource.org/archiv...p/t-73345.html
it seems related to the "intercept-url" tags applied as in my situation.
Could it be right? Any hints for the code to monitor and "breakpoints" to apply?
Jun 4th, 2010, 04:58 AM
I went through the thing in more detail and, as suggested in that post, I "sniffed" the HTTP requests. This is basically the "sequence":
1) click on the link from the doc file (same for Excel):
org.application:443 CONNECT 200 ("ms office" connected to the server)
2) the application knows the resource required by the URL exists and replies with the redirect URL:
> application.org/somewhere replies with 302 (so it means the resource exists) and redirects to application.org/defaultpage
3) now "Office" requests application.org/defaultpage and no longer application.org/somewhere, as replied by the server in step 2
4) server shows default page
This doesn't happen for OpenOffice
Jun 4th, 2010, 05:13 AM
Jun 7th, 2010, 03:22 AM
I would now implement a "double authentication" in a transparent way:
As far as I know, when a link is executed via Microsoft Office (Word, Excel, etc.), Office starts an authentication session that does not share the JSESSIONID (same as I described above). Basically, 2 authoring sessions are started independently of each other.
Is it possible with Spring-Security to "merge" these 2 sessions and redirect the Office auth to the normal session-id auth? I think I have to modify the behaviour of "intercept-url" via ChannelProcessingFilter but I'm not sure it's the right and the only thing to do. Any hints?
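
The behaviour described in this thread (the originally requested URL is lost when the client that follows the link and the browser that logs in hold different sessions) can be reproduced with a small model. This is an added example, not code from any poster or from Spring Security; it assumes the requested URL is remembered in the server-side session, and the class, function names and paths (`App`, `/login`, `/home`) are made up for illustration.

```python
import itertools

DEFAULT_TARGET = "/home"   # stands in for defaultTargetUrl (assumed path)
LOGIN_PAGE = "/login"      # assumed login page path

class App:
    """Toy model: the originally requested URL is stored per session id."""
    def __init__(self):
        self.sessions = {}              # session id -> {"saved": url, "user": name}
        self._ids = itertools.count(1)

    def _session(self, cookies):
        sid = cookies.get("JSESSIONID")
        if sid not in self.sessions:
            sid = f"S{next(self._ids)}"
            self.sessions[sid] = {"saved": None, "user": None}
            cookies["JSESSIONID"] = sid  # Set-Cookie reaches this client's jar only
        return self.sessions[sid]

    def get(self, url, cookies):
        """Return (status, location) for a GET from the client owning `cookies`."""
        s = self._session(cookies)
        if url == LOGIN_PAGE or s["user"]:
            return 200, url
        s["saved"] = url                 # remember what was asked for, then send to login
        return 302, LOGIN_PAGE

    def login(self, cookies, user):
        """Successful login: redirect to the saved request, else to the default."""
        s = self._session(cookies)
        s["user"] = user
        target, s["saved"] = s["saved"] or DEFAULT_TARGET, None
        return 302, target

def pasted_in_browser(app, url):
    jar = {}                             # one client, one cookie jar
    app.get(url, jar)
    return app.login(jar, "alice")[1]

def clicked_in_office(app, url):
    office_jar, browser_jar = {}, {}     # two clients that do not share JSESSIONID
    _, location = app.get(url, office_jar)  # Office follows the link itself
    app.get(location, browser_jar)          # browser is handed the redirect target
    return app.login(browser_jar, "alice")[1]
```

The saved URL sits in the session created for the Office request, so the browser's login finds nothing to return to and falls back to the default target.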