Grails 2.4.4
Guys, I am working on a Grails application and I have a requirement where I have to render pages from the same application under different host URLs.
For example:
Home page URL (pre-login) should be www.mydomain.com
Home page URL (post-login) should be home.mydomain.com
Login page URL should be login.mydomain.com
Register page URL should be register.mydomain.com
and the URL for the rest of the pages should be inner.mydomain.com
All the above URLs are added as aliases in Tomcat's server.xml file and point to the same application directory.
I have created a static method which, according to the controller and action, determines and returns the host URL. I am using this method from a Grails filter.
I then just replace the old host URL with the newly generated one and issue a normal redirect.
The problem I am facing here is: if the user is not logged in, then all works well. But when I try to log in from the host URL login.mydomain.com, then Spring Security creates a session only for login.mydomain.com. No session is created for home.mydomain.com and hence I am not redirected to the post-login home.mydomain.com but instead redirected back to the pre-login www.mydomain.com.
So, can someone tell me what the correct way to achieve this is? Can I change my host URL without affecting my locale, cookies and session? Can Spring Security authenticate multiple hosts at the same time?
Is there any java way to do this?
Any other suggestions?
Please let me know if more inputs are needed
The Problem
When redirecting from a servlet using response.sendRedirect(redirect_url);, the JSESSIONID cookie is not passed by the browser to the destination. A new JSESSIONID is created for every redirect, and it is impossible to track the user.
Note: This problem is only occurring on my new server implementing https and a domain name; the session ID is properly tracked when I run the web app locally or on another server without SSL or a domain name. Edit: I have set up another site on my server without SSL, and the issue persists. This seems to narrow the issue down to having a reverse proxy Apache.
An Example
The Login servlet on my web app attempts to store the user information in a session attribute, then redirects to the MyCards servlet. I am using a redirect so that the URL will display mydomain.com/MyCards instead of mydomain.com/Login. The MyCards servlet attempts to access the session attribute but finds nothing, and therefore redirects back to the Login servlet. This worked perfectly before deploying the project on my new server with SSL and a domain name.
My Setup
Ubuntu 20.04 on DigitalOcean droplet
Apache Web Server (apache2) ... I have enabled mod_sessions, not sure if that's relevant.
Tomcat 9
Reverse proxy in Apache VirtualHost to Tomcat (I can post my .conf file if requested)
A redirect in Apache VirtualHost from HTTP to HTTPS
JDK 11
Possible Solutions
Using a forward instead of a redirect. The session ID is not lost when using requestDispatcher.forward(request, response);. As I mentioned above, I want the URL to reflect the destination for an intuitive user experience, which does not occur when using a forward.
Implementing your own session cookie, as in this answer, and manually storing sessions with a map, as in this answer, which strongly advises against such a facility. Based on my understanding, doing so poses security threats to user data. Also, if the browser is not passing the JSESSIONID cookie, I don't understand why it would choose to pass the manually implemented cookie unless the SameSite attribute is set to None (also bad).
Verifying that the webapp's context.xml does not have cookies="false" configured. Done that.
Using encoded URLs with response.sendRedirect(response.encodeRedirectURL(url));. Again, having a clean URL (which the user could bookmark or type in) is preferable, and encoding the session ID into the URL is not.
Using relative URLs instead of absolute URLs...
"A session is only maintained if the redirection is being sent on the same port, host and webapp [and protocol?]. If redirection is done within the same application, using relative paths is the best practice." I tried both redirect_url = "/MyCards" and redirect_url = "MyCards", no luck.
Possible Reasons
Perhaps I am unknowingly switching between HTTP and HTTPS, which is a change in protocol and will not preserve the session ID. Of course, my intention is to remain secure and stay exclusively in HTTPS. Edit: I have set up another site on my server without SSL, and the issue persists. This seems to narrow the issue down to having a reverse proxy Apache. When accessing the web app directly on Tomcat (i.e. with <server_ip>:8080/MyWebApp), the session is tracked properly on redirect. However when using mydomain.com, the session ID is lost on every redirect.
Something to do with naked domains.
Other?
Edit: Maybe the issue is occurring because of the way the client, Apache, and Tomcat interact via the reverse proxy. Does the proxy cause the domain/port to change on every request/response?
My Questions
Why exactly is the session ID lost when using a redirect to a relative URL to a servlet in the same web app on the same server? Shouldn't the redirect occur entirely on the server-side, preventing a new request/session from being created? Since the relative URLs (which I thought would preserve the session) did not solve the issue, does this indicate some problem with my server setup (e.g. unintentional switching between protocols)?
What is the best practice for maintaining the user session ID, even when the user has cookies disabled? Is there no way around URL encoding when cookies are disabled? Or should the app be implemented exclusively with forwards rather than redirects? If so, is there a workaround to changing the URL to reflect the destination?
Note: this is my first post, so I don't have the reputation to comment. I will edit the post with any needed information.
I am facing a very strange issue.
The issue is that we have a web application (WAR) which is built using Angular 4, and it also has a servlet filter which scans each and every request for a token; if that token is not available, the servlet filter will navigate to a third-party login page.
If token is available , it simply loads index.html and other data.
Token and some other params will be available as session cookies to current web app.
I accessed the app URL, logged in to the app, performed some actions in the app and closed the browser window without logging out. When I tried to open the same URL again, the servlet filter was not called.
If I refresh the browser window, the filter is called.
If I clear the browser cache, the servlet filter is called. I have observed the same behavior in Chrome and Firefox.
I did check the localhost access log; I don't see my request there.
Does anyone have any ideas on what the issue is and how to fix it?
The reason is that Google Chrome is caching, so the request is not going to the server at all. But when I refresh, Chrome sends the request to the server. When I disable the cache, everything works fine. A good lesson about caching.
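The cached index.html described in the answer above lets a browser show the post-login page without the token-checking filter ever running, which is a cache problem but also an authorization-check bypass for that one page load. As an added example (not code from the original post), this Servlet 3.0 filter marks the entry page non-cacheable so a reopened tab must revalidate with the server; the class name and URL patterns are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not from the original post): marks the entry page as
// non-cacheable so a reopened tab must hit the server, which means the
// token-checking filter runs again instead of a cached index.html being shown.
@WebFilter(urlPatterns = {"/", "/index.html"})
public class NoStoreFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // HTTP/1.1: never store, always revalidate. The headers are set before
        // the chain proceeds so they are present even if a later filter or the
        // servlet commits the response.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0");
        response.setHeader("Pragma", "no-cache");   // for HTTP/1.0 caches
        response.setDateHeader("Expires", 0);       // already expired
        chain.doFilter(req, response);
    }

    @Override
    public void destroy() { }
}
```

If the token filter is declared in web.xml, declare this one there as well, because web.xml filters run before annotation-declared ones and the relative order of @WebFilter classes is otherwise undefined.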
I'm trying to make an app with Codename One, where you have to login with OAuth 2 from a specific webservice. After the login on the webpage, it should redirect to my app. But I don't know, where in Codename One I have to set the redirect URL. Are there some build hints I could use?
I tried it with the Login class and there I set the redirect URI, but it's not working.
When you register your application with an OAuth provider, you will need to specify the redirection URL. The OAuth server will redirect there once authentication is successful.
Have a look at https://www.oauth.com/oauth2-servers/redirect-uris/
I have a website, from the site a user can login to our java application via Iframe. When a user navigates through our (Wordpress) website I want to show if the user is logged in or not in the header of my site.
So I created a Java servlet giving back a user's name if logged in. It works fine if I access it via the browser. It also works fine if I put my servlet (myurl.com/getuser) into an iframe. However, it does not work using file_get_contents or cURL. The request session is empty / not the same as the browser session.
I tried passing some session cookies manually but that did not work out either.
Any suggestions on how to access my Java servlet via cURL or file_get_contents and have the Java servlet still know which browser session I'm in?
PS. For certain reasons I cannot use an iframe.
I am stuck with a JSESSIONID problem. I am using Tomcat 7, Spring Framework 3.1.1, and security with Spring Security.
Our application has a login page with a URL like defaultSubdomain.theSite.com/login.html. Some of our users have their own subdomains, so their login page URLs are subdomainForUser.theSite.com/login.html.
The problem is, if one of them uses the default login URL:
he will be logged in, an HttpSession will be created on the server and a JSESSIONID cookie will be created for defaultSubdomain.theSite.com on the client, then
our server makes the browser redirect to the welcome page of the user's subdomain and makes the browser recreate the JSESSIONID cookie with JavaScript.
In a filter:
    // if the client is on the wrong subdomain (response is the HttpServletResponse passed to doFilter)
    response.sendRedirect(url);
    return;
But after that, the client still needs to log in again. Is there any way to achieve what I am trying to do (with a coding approach and not by configuring Tomcat)?
I did some research and we could use
<Context sessionCookieDomain=".theSite.com" sessionCookiePath="/">
but it implies having one configuration for dev, one for test and one for prod, which is not acceptable.
Thanks!
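The subdomain login problem above, the Grails multi-host question at the top of the page and the Apache reverse proxy that loses JSESSIONID on redirect all come down to the Domain and Path attributes of the JSESSIONID cookie. As an added example that is not from any of the posts, this Servlet 3.0 listener sets those attributes at startup through SessionCookieConfig (available on Tomcat 7+ and therefore under Grails 2.4 and Spring 3.1 as well), replacing the per-environment <Context> line; the system property names, and the assumption that the proxy maps / onto the app's context path so that a Path=/MyWebApp cookie never matches the browser's URL, are mine.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// Hypothetical listener (not from the original posts): configures the JSESSIONID
// cookie at startup with the Servlet 3.0 API instead of <Context> in context.xml,
// so one WAR works in dev, test and prod. The parent domain comes from a system
// property (the name "session.cookie.domain" is an assumption); unset = host-only.
@WebListener
public class SessionCookieConfigurer implements ServletContextListener {

    static final String DOMAIN_PROPERTY = "session.cookie.domain";
    static final String SECURE_PROPERTY = "session.cookie.secure";   // name assumed

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();

        // Share the cookie across sub1.theSite.com, sub2.theSite.com, ...
        // Only when a value is given: in dev (localhost / bare IP) the cookie
        // must stay host-only, since browsers reject such Domain values.
        String domain = normalizeDomain(System.getProperty(DOMAIN_PROPERTY));
        if (domain != null) {
            cfg.setDomain(domain);
        }
        // Path "/" so the browser sends the cookie whatever context path the
        // reverse proxy exposes (e.g. / on Apache proxied to /MyWebApp on Tomcat).
        cfg.setPath("/");
        cfg.setHttpOnly(true);   // not readable by page scripts
        // Behind a TLS-terminating proxy Tomcat sees plain HTTP, so the Secure
        // flag is set explicitly rather than derived from the request scheme.
        cfg.setSecure(Boolean.getBoolean(SECURE_PROPERTY));
    }

    /** Returns ".thesite.com" for "theSite.com" or ".theSite.com"; null for blank input. */
    static String normalizeDomain(String value) {
        if (value == null || value.trim().isEmpty()) {
            return null;
        }
        String d = value.trim().toLowerCase();
        return d.startsWith(".") ? d : "." + d;
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

Widening Domain to the parent shares the session cookie with every subdomain, so it is only appropriate when all of them are trusted. Pass the properties on the Tomcat command line (e.g. -Dsession.cookie.domain=theSite.com -Dsession.cookie.secure=true in prod) so the WAR itself stays environment-neutral.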