I should note up front that container managed authentication is a horribly broken and misdesigned part of J2EE. This has been known by the servlet EG for ages, and they've done nothing about it. There are many, many problems - the fact that it doesn't work with PPR or AJAX is just the latest.

Anyway, that rant aside:

On 6/28/06, Cosma Colanicchia <[EMAIL PROTECTED]> wrote:
> Hi Adam, I'm doing nothing, the container is :) OC4J seems to perform a forward to display the configured login page. I don't think there's a way to redirect. BTW, why do you think that a redirect should work?

A redirect - if it happened via a call to ServletResponse.sendRedirect() - would get caught by PPR and result in special PPR.

> I'm trying to understand how PPR works, and I see that it basically sets the form target to a hidden IFRAME and adds some particular parameters to the request.. on server-side the response then includes the new rendered html and some script to update the DOM of the outer page.. is this right? If so, how could *redirect* vs *forward* affect this behaviour?

See above. :)

> I want to try to code something in the login.jsp to *see* if I'm in a PPR, this way I could return a fake response that immediately resubmits to the login page itself, but specifying a different target than the hidden iframe and disabling PPR. Some problems here:
>
> 1) I see that the request parameter "partial" is set to true on PPR requests, I want to use that value as a trigger for this logic, but OC4J cleans out the request and puts all request information in some session attributes. I don't want to code its specific session attribute names into my page, possibly breaking other app server support.
>
> 2) Which target should I use? I can't open a popup because it would break the stuff after the login. I'd like to find the same target in which the parent page (the one that contains the IFRAME) is loaded.. I'm not sure if this can be done with javascript in a standard manner, maybe someone can help me on this?
>
> 3) Can I safely disable PPR simply by removing some request parameters? I want to render a normal page, complete and without the special javascript method, because I'm now going to replace the page content itself and not the IFRAME.
>
> What do you think about this approach? I think it's a mess :) there must be some way to work around this problem!

I've got another idea: in the Javascript for handling the PPR response, if we searched to see if the content was for a container-managed authentication page - perhaps by searching for "j_security_check"? If we detect that it is, force a reload of the entire page. Not perfect, but I think it would avoid the worst of it.

-- Adam
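
The check suggested in the message above, sketched as an added example; it is not part of the original message and not the framework's own PPR code. The function names, the callback shape and the sample markup are assumptions made for illustration.

```javascript
// Added example: names below are hypothetical, sample markup is constructed.
const FORM_TAG = /<form\b([^>]*)>/gi; // a <form> start tag and its attributes
const ACTION_ATTR = /(?:^|\s)action\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Constructed samples: a form-login page and an ordinary partial response.
const SAMPLE_LOGIN = '<html><body><form method="POST" ' +
  'action="/app/j_security_check;jsessionid=0000">' +
  '<input name="j_username"><input type="password" name="j_password">' +
  '</form></body></html>';
const SAMPLE_PARTIAL = '<div id="results">See the docs on j_security_check</div>' +
  '<form action="/app/search"><input name="q"></form>';

// True when the response contains a form that posts to j_security_check.
// Checking the form action (not a bare substring) avoids reloading on pages
// that merely mention the name in their text.
function isContainerLoginPage(responseText) {
  if (typeof responseText !== "string") return false;
  FORM_TAG.lastIndex = 0;
  let tag;
  while ((tag = FORM_TAG.exec(responseText)) !== null) {
    const action = ACTION_ATTR.exec(tag[1]);
    if (!action) continue;
    const url = action[1] ?? action[2] ?? action[3];
    // Drop query string, fragment and ;jsessionid before comparing.
    const path = url.split(/[?#;]/)[0];
    if (/(^|\/)j_security_check$/.test(path)) return true;
  }
  return false;
}

// Routes a partial response: full reload for a login page, DOM update otherwise.
// applyPartial and reloadPage are caller-supplied callbacks.
function handlePartialResponse(responseText, applyPartial, reloadPage) {
  if (isContainerLoginPage(responseText)) {
    reloadPage();
    return "reload";
  }
  applyPartial(responseText);
  return "partial";
}
```

In a browser, `reloadPage` could be `() => window.top.location.reload()`, so the login form loads in the top-level window instead of the hidden iframe.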
