3

Is there a way in Spring Security 3 to redirect the user to a different page rather than the user account page if cookies are disabled in the browser?

Just like Gmail does: it redirects the user to a different page than the user account page and forces the user to enable cookies.

What I want is to force the user to enable cookies before he lands on his account page.

Thanks.

skip
  • here is some info http://stackoverflow.com/a/2065773/706695 – HRgiger Feb 05 '12 at 15:12
  • @HRgiger I don't want to rewrite the URL to handle users' conversation with the server when cookies are disabled. I would like `/redirected_page_asking_user_to_enable_cookies_page` to be used in place of `/j_spring_security_check` when the user submits the login form, so that I could show him a page that tells him about enabling cookies and how to do that. – skip Feb 05 '12 at 15:21
  • ok I am going to add an answer with example – HRgiger Feb 05 '12 at 16:48

1 Answer

1

To handle cookies you can use a handler servlet for viewing cookie details. To do this you need to prepare your login form manually, and if the condition matches your requirements, then forward to /j_spring_security_check. I have just used a simple validation on the cookies embedded in the request. In the example servlet below, I check whether the request contains any cookie; if not, I forward to cookieDisabled.jsp.

```java
package com.udb.servlets;

import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet implementation class cookieHandler
 */
public class cookieHandler extends HttpServlet
{
    private static final long serialVersionUID = 1L;
    private static final String cookieDisabled = "/cookieDisabled.jsp";
    private static final String cookieEnabled = "/j_spring_security_check";

    /**
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
     *      response)
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException
    {
        // The dispatcher is a local variable: a servlet instance is shared by
        // all request threads, so a field could be overwritten by a concurrent
        // request between the assignment and the forward.
        RequestDispatcher dispatcher;

        // getCookies() returns null when the browser sent no cookie at all
        if (request.getCookies() == null) {
            System.out.println("cookie disabled!");
            dispatcher = getServletContext().getRequestDispatcher(
                    cookieDisabled);
        } else {
            System.out.println("Cookies active!");
            dispatcher = getServletContext().getRequestDispatcher(
                    cookieEnabled);
        }
        dispatcher.forward(request, response);
    }

    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException
    {
        doPost(req, res);
    }

}
```

web.xml for handler:

```xml
<servlet>
    <description>   </description>
    <display-name>cookieHandler</display-name>
    <servlet-name>cookieHandler</servlet-name>
    <!-- servlet-class must be the fully qualified class name, not just the package -->
    <servlet-class>com.udb.servlets.cookieHandler</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>cookieHandler</servlet-name>
    <url-pattern>/cookieHandler</url-pattern>
</servlet-mapping>
```

If you have secured all URLs then you need to add the tag below to security.xml:

```xml
<security:intercept-url pattern="/cookieDisabled*"
            filters="none" />
```

And in your login form you need to post request to cookieHandler instead of j_spring_security_check:

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Login Page</title>
<style>
.errorblock {
    color: #ff0000;
    background-color: #ffEEEE;
    border: 3px solid #ff0000;
    padding: 8px;
    margin: 16px;
}
</style>
</head>
<body onload='document.f.j_username.focus();'>
    <h3>Login with Username and Password (Custom Page)</h3>

    <c:if test="${not empty error}">
        <div class="errorblock">
            Your login attempt was not successful, try again.<br /> Caused :
            ${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
        </div>
    </c:if>

    <form name='f' action="<c:url value='cookieHandler' />"
        method='POST'>

        <table>
            <tr>
                <td>User:</td>
                <td><input type='text' name='j_username' value=''>
                </td>
            </tr>
            <tr>
                <td>Password:</td>
                <td><input type='password' name='j_password' />
                </td>
            </tr>
            <tr>
                <td colspan='2'><input name="submit" type="submit"
                    value="submit" />
                </td>
            </tr>
            <tr>
                <td colspan='2'><input name="reset" type="reset" />
                </td>
            </tr>
        </table>

    </form>
</body>
</html>
```

The process is quite similar with JSF (if you are using it), as you handle login via a servlet dispatcher.

HRgiger
  • Many thanks for the descriptive answer. But unfortunately it's giving me a `Did not find handler method for [/j_spring_security_check]`. What am I missing? – skip Feb 06 '12 at 01:21
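  • Modifying the `<filter-mapping>` from `<filter-mapping><filter-name>springSecurityFilterChain</filter-name><url-pattern>/*</url-pattern></filter-mapping>` to `<filter-mapping><filter-name>springSecurityFilterChain</filter-name><url-pattern>/*</url-pattern><dispatcher>FORWARD</dispatcher><dispatcher>REQUEST</dispatcher></filter-mapping>` in `web.xml` made it work. Thanks. – skip Feb 06 '12 at 01:52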
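
The `web.xml` change reported in the last comment, laid out as an added example (not part of the original thread). A filter mapping without a `<dispatcher>` element applies only to requests that arrive directly from the client, so the servlet's `forward` to `/j_spring_security_check` skips the Spring Security filters and falls through to the application's own handler mapping, which produces the `Did not find handler method` error. The `<filter>` declaration is the usual `DelegatingFilterProxy` wiring and is assumed here; only the filter name and URL pattern come from the comment.

```xml
<!-- Added example. The filter declaration is the usual Spring Security
     wiring and is assumed; it is not shown in the thread. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- Before: no dispatcher element, so the container applies the filter to
     REQUEST dispatches only. The forward from cookieHandler to
     /j_spring_security_check never reaches the security filters.
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
-->

<!-- After: the chain runs for client requests and for internal forwards,
     so the forwarded login POST is processed by Spring Security. -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

With `FORWARD` mapped, the forward to `/cookieDisabled.jsp` also passes through the filter chain, which is why that path needs the `filters="none"` entry from the answer when all URLs are secured.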