Les,

I found my answer - each of the various filters saves the URL that the
user's trying to reach by calling WebUtils.saveRequest(). After a user
has successfully logged in, I can get it by calling
WebUtils.getAndClearSavedRequest().

It seems to me that redirecting the user to his requested page should be
the "default behavior" - most applications work that way, and when it
doesn't it drives us users nuts.

So if FormAuthenticationFilter could call login() AND then redirect,
that would be nice. Alternatively, add a new filter class that does
that. Or at least change the sample webapp to work this way by...
1) having this in web.xml:

# Form-based Authentication filter:
myauthc = org.apache.shiro.web.filter.authc.FormAuthenticationFilter
myauthc.loginUrl = /login.jsp
myauthc.usernameParam = username
myauthc.passwordParam = password
myauthc.rememberMeParam = rememberMe
myauthc.successUrl  = /login.jsp
myauthc.failureKeyAttribute = FormAuthenticationFilter.DEFAULT_ERROR_KEY_ATTRIBUTE_NAME
...
/account/** = myauthc

2) Putting notes in the login.jsp saying that the FORM action needs to
invoke a servlet.

3) Providing a servlet:
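import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Shiro package names as of the 1.x releases
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.util.SavedRequest;
import org.apache.shiro.web.util.WebUtils;

public class LoginServlet extends HttpServlet {
    // Not synchronized: the servlet keeps no shared state, and a lock on
    // doPost would serialize every login.
    public void doPost(HttpServletRequest request,
                       HttpServletResponse response)
            throws IOException, ServletException {
        Subject subject = SecurityUtils.getSubject();

        String username = request.getParameter("username");
        String password = request.getParameter("password");

        UsernamePasswordToken token =
                new UsernamePasswordToken(username, password);

        try {
            subject.login(token);
            // Never write the password to a log.
            System.err.println("login succeeded: username=" + username);
        } catch (UnknownAccountException ex) {
            System.err.println("Invalid username:" + username);
            // TODO: show error to user
            return;
        } catch (IncorrectCredentialsException ex) {
            System.err.println("Incorrect password for username:" + username);
            // TODO: show error to user
            return;
        }
        // The URL the filter saved before sending the user to the login
        // page; null if the user opened the login page directly.
        SavedRequest savedRequest = WebUtils.getAndClearSavedRequest(request);
        if (savedRequest != null) {
            response.sendRedirect(savedRequest.getRequestUrl());
        } else {
            // Fallback target is an assumption: the application root.
            response.sendRedirect(request.getContextPath() + "/");
        }
    }
}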



Andy


-----Original Message-----
From: Andy Tripp [mailto:[email protected]] 
Sent: Tuesday, July 28, 2009 9:58 AM
To: [email protected]
Subject: sending user to page after login

Les,
OK, I'm using PassThruAuthenticationFilter now. But I still don't know
how to store the URL that the user is trying to get to so that I can send
him there after successful login. I have this in my ShiroFilter config:
    /account/** = myauthc
...and how that's being handled is a mystery to me.

Andy

-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Les Hazlewood
Sent: Monday, July 27, 2009 5:38 PM
To: [email protected]
Subject: Re:

Hi Andy,

Yep, you can do this, but you'll need to use the
PassThruAuthenticationFilter instead to 'pass thru' the request to
your login controller directly.  The 'authc' filter defaults to an
instance of the
org.apache.shiro.web.filter.authc.FormAuthenticationFilter class and
is used only if you want Shiro to be the 'controller' for form
submissions.  This works fine in many apps, but for more customized
processing, you'll definitely want to use the
PassThruAuthenticationFilter instead.

You have two ways to do this.  In your ShiroFilter's .ini config, you
can 1) reassign the 'authc' filter to be what you want:

[filters]
...
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter

or you can 2) just create a new filter and reference that everywhere
instead of 'authc':

myAuthc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter

[urls]
/some/path = myAuthc
etc.

I tend to prefer the first to avoid the confusion that there might be
more than one authentication filter, but it is entirely up to you.

Cheers,

Les

On Mon, Jul 27, 2009 at 4:00 PM, Andy Tripp<[email protected]>
wrote:
> Hi,
> I have a question about filters.
> In the javadoc for the ShiroFilter class, it shows how to redirect all
> requests to urls under "/account" to the built-in "authc" filter. I've
> got that working in the "webapp" example, and I've changed the login.jsp
> to invoke my servlet that does the authentication.
>
> But now, of course, I want to pass the user on to the page he was trying
> to get to (e.g. /account/index.jsp). Is there a way to do that? Perhaps
> a way in the filter configuration text that says "redirect all
> /account/** requests to login.jsp, and set the hidden form field called
> 'nextPage' to the specific URL that the user's trying to get to" or
> something like that?
>
> Thanks,
> Andy
>
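
Added example, not part of the thread and not Shiro code: if the target page were carried in a hidden form field such as the 'nextPage' field suggested in the original question, the value would come from the client, unlike the saved request that Shiro keeps on the server side, so it should be limited to paths inside the application before the redirect. The class name, method name, context path and fallback page below are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical helper, not part of Shiro. */
public final class PostLoginRedirect {
    /**
     * Returns candidate if it is a path inside this web application,
     * otherwise fallback (an application-chosen default page).
     * contextPath is request.getContextPath(), "" for the root context.
     */
    public static String resolve(String candidate, String contextPath,
                                 String fallback) {
        if (candidate == null) return fallback;
        // Control characters (CR/LF) and backslashes, which some browsers
        // treat as forward slashes, never belong in a redirect target.
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return fallback;
            }
        }
        // Must be a rooted path; "//host/..." is scheme-relative.
        if (!candidate.startsWith("/") || candidate.startsWith("//")) {
            return fallback;
        }
        try {
            // normalize() collapses "/webapp/../x" before the prefix check.
            URI uri = new URI(candidate).normalize();
            String path = uri.getRawPath();
            if (uri.getScheme() != null || uri.getRawAuthority() != null
                    || path == null || !path.startsWith(contextPath + "/")) {
                return fallback;
            }
        } catch (URISyntaxException e) {
            return fallback;
        }
        return candidate;
    }

    public static void main(String[] args) {
        String ctx = "/webapp", home = "/webapp/index.jsp"; // constructed
        String[] samples = { "/webapp/account/index.jsp?tab=1",
            "//other.example/x", "http://other.example/", "/webapp/../admin" };
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s, ctx, home));
        }
    }
}
```

Only the first constructed sample is returned unchanged; the other three resolve to the fallback page.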
