I am using spring security for user authentication, But here i want to get the previous browser url on userDetailService or loginFailure or loginSuccess.
For that i am trying to get the url from the request object but i got /j_Spring_security_check instead of browser url like:- /service/user/login or /service/customer/login because i have these two different url for login for different user or customer. please suggest any solution
Thanks in Advance
String referrer = request.getHeader("referer");
Note: the HTTP referer is a client-controlled value and can thus be spoofed to something entirely different or even removed. This value should not be used for any critical operation. But why you needs this?
Related
Ok, so I have simple website which force user to start from last finished step. Whenever user refresh page he needs to call at application initialization to:
REST /user/{id}/step
This endpoint will tell where user finished. The problem is I am using http only cookie. So I cannot get this {ID} from cookie in javascript.
At the moment I have added additional cookie(NOT http only) named clientId. So application can get his id from cookie, and call to this particular endpoint.
It is working but I feel that it is kinda not best approach. It has few side effects like taking care of clearing this stupid cookie on logout, etc situations.
What is best practice ? I've been thinking about creating additional endpoint which will be used on every application initialization
REST /user/status
// I want to be restfull, so I dont want REST user/logged/step
which will return setCookie clientId="" or setCookie clientId={ID} whenever user is logged or not, in this case I even don't need to care about clearing cookies on frontend side, any ideas?
The problem is I am using http only cookie.
So this http only cookie contains what? I presume a user's session? Then why do you need to specify this user ID in the URL if you should be able to get the ID from the session token?
I believe you should just have the following endpoint REST /user/step which returns the step number for a current user (defined by the session token in the http only cookie) or it returns 401 code (Unauthorised) if the user is not logged in..
I have a URL shortner that should sendRedirect(URL) to URLs specified by users.
Sometimes URL contain curly braces like this: http://example.com?someparam={something}.
Instead of sending response 302 to client browser, my Spring MVC app at Tomcat server gives error 404 with no text.
Apparently it's some sort of URL variable evaluation taking place, can I disable it? I could not find docs regarding this feature.
I know this is an old question but I think the OP was looking for a way to prevent Spring from doing variable replacement in redirect URL
I faced the exact same issue and the fix was using RedirectView
and in RedirectView you can set setExpandUriTemplateVariables(false)
that made it redirect to the url given exactly without Spring trying to replace anything in it
here is how the code looks like
RedirectView redirect = new RedirectView(redirectUrl);
redirect.setExpandUriTemplateVariables(false);
return new ModelAndView(redirect);
Hope that helps
This is not valid Google search URL http://google.com/{something}. It should have been https://www.google.ca/search?q=http{302}
Emphasis is on search?q. After domain name you have specify your service name and then query string if you want to pass some inputs.
When you do http://google.com/{something} then you really do not have any resource or service as {something} so 404 is the expected output.
HTTP 302 is for redirection, I am not sure why you were expecting redirection.
URL encoding will also not help because issue is related to resource/service, if it is not present then you will get 404. URL encoding is not meant to solve problem related to 404.
I need to populate some request with data and redirect back. Is there Spring RedirectAttributes analog for Java EE? I have searched and found 2 solutions, but they also have limitation:
Response.sendRedirect()
In this case I will lost all destroys request attributes. I can use Session attributes but in this case I need some mechanism that can determine when redirect comes in or when there is no redirect and data must be removed.
getRequestDispatcher(String path).forward(request,response)
The problem with path - I need to send redirect to URL not to give something jsp or Servlet by name. Is there any way to "convert" redirect URL to path? For example how I can go forward to
"http://localhost:8080/WebAppname/"?
You can use the sendRedirect and pass the parameters as part of the query string. So what you would be redirecting can be something like below
http://localhost:8080/WebAppname/myRedirect.action?param1=value1¶m2=value2
I'm posting some strings in my Session with the call
request.getSession().setAttribute(key, value);
And making the redirect with
response.sendRedirect(urlRedirect);
In almost all cases the values is there after the redirect.
But sometimes I can only read this value in the next page view, not in the redirect. There is no common behavior.
Someone has faced the same problem?
Sessions are backed by a HTTP cookie. On first-time session creation, a cookie will be set in the response header. By default, cookies are bound to a specific context only.
So, if you redirect while the cookie hasn't been set yet, the session will get lost. To go around this, you need to encode the redirect URL.
response.sendRedirect(response.encodeRedirectURL(url));
This appends the jsessionid identifier to the URL which allows the servletcontainer to locate the right session without help of a cookie.
If you don't like the jsessionid thing, then consider implementing a filter like this which ensures that the client is aware of the session cookie before the request enters your controller wherein you fire the redirect.
Also, if you redirect to a different context, it won't be able to access the same session. To go around this, you need to configure the servletcontainer to share the session among the contexts. In for example Tomcat, check the emptySessionPath attribute of the <Connector> element in /conf/server.xml.
Such a behaviour can be caused by caching.
If the page you are redirecting to is retrieved from the browser cache, you obviously can't see the result of setAttribute() on it. So make sure it's actually requested by the browser.
Are you sure you need to do redirect through browser (response.sendRedirect()) and not on the server side (RequestDispatcher.forward())? Latter is faster as there are no network round trip.
The problem was solve by changing the way of submit.
The page was submitting the data only changing the value of location.href to the Servlet Action.
We only call the submit function from the page form, and the session attributes works fine!
I wants to know that How can i Manage Session if the client browser has disabled cookie feature..
If I wants to implement it in simple JSP - Servlet, then how can I do that ?
Thanks in advance...
Without cookies, you have two options. The first is passing a sessionId through Urls. This requires a lot of work on the server because every url you send back must have a sessionId appended to it (usually in the form of a query string parameter). For example:
/path/to/page
becomes
/path/to/page?sessionid=ASDFG-ASDFG-ASDFG-ASDFG-ASDFG
The other option you have would be to combine what information you have via http into a "unique" key and create your own session bucket. By combining the Http UserAgent, RemoteIp and RemoteXfip you can get close to uniquely identifying a user, but there is no guarantees that this key is 100% unique.
In the JSP side, you can use JSTL's <c:url> for this.
link
Easy as that. It will automagically append the jsessionid when cookies are disabled.
In the Servlet side you need HttpServletResponse#encodeURL() or -usually the preferred one inside Servlets- HttpServletResponse#encodeRedirectURL() for this.
response.sendRedirect(response.encodeRedirectURL("page.jsp"));
url rewriting
http://www.developertutorials.com/tutorials/java/implement-session-tracking-050611/page5.html
Each URL must be encoded using response.encodeURL("page.jsp")
This will add the Session ID onto the end of each URL so cookies do not have to be enabled.
Note that you will have to do this manually for every single URL in order for it to work.
See this link for more info.