Hi Andy,

The existing FormAuthenticationFilter does indeed already perform this logic of redirecting immediately after successful login in its onLoginSuccess method implementation.

Cheers,

Les

On Tue, Jul 28, 2009 at 11:13 AM, Andy Tripp<[email protected]> wrote:
> Les,
>
> I found my answer - each of the various filters saves the URL that the
> user's trying to reach by calling WebUtils.saveRequest(). After a user
> has successfully logged in, I can get it by calling
> WebUtils.getAndClearSavedRequest().
>
> It seems to me that redirecting the user to his requested page should be
> the "default behavior" - most applications work that way, and when it
> doesn't it drives us users nuts.
>
> So if FormAuthenticationFilter could call login() AND then redirect,
> that would be nice. Alternatively, add a new filter class that does
> that. Or at least change the sample webapp to work this way by...
> 1) having this in web.xml:
>
> # Form-based Authentication filter:
> myauthc = org.apache.shiro.web.filter.authc.FormAuthenticationFilter
> myauthc.loginUrl = /login.jsp
> myauthc.usernameParam = username
> myauthc.passwordParam = password
> myauthc.rememberMeParam = rememberMe
> myauthc.successUrl = /login.jsp
> myauthc.failureKeyAttribute = FormAuthenticationFilter.DEFAULT_ERROR_KEY_ATTRIBUTE_NAME
> ...
> /account/** = myauthc
>
> 2) Putting notes in the login.jsp saying that the FORM action needs to
> invoke a servlet.
>
> 3) Providing a servlet:
> // Package names as in Shiro 1.x
> import java.io.IOException;
>
> import javax.servlet.ServletException;
> import javax.servlet.http.HttpServlet;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
>
> import org.apache.shiro.SecurityUtils;
> import org.apache.shiro.authc.IncorrectCredentialsException;
> import org.apache.shiro.authc.UnknownAccountException;
> import org.apache.shiro.authc.UsernamePasswordToken;
> import org.apache.shiro.subject.Subject;
> import org.apache.shiro.web.util.SavedRequest;
> import org.apache.shiro.web.util.WebUtils;
>
> public class LoginServlet extends HttpServlet {
>     public synchronized void doPost(HttpServletRequest request,
>                                     HttpServletResponse response)
>             throws IOException, ServletException {
>         Subject subject = SecurityUtils.getSubject();
>
>         String username = request.getParameter("username");
>         String password = request.getParameter("password");
>
>         UsernamePasswordToken token =
>                 new UsernamePasswordToken(username, password);
>
>         try {
>             subject.login(token);
>             // Log the username only; the password must never reach the log.
>             System.err.println("login succeeded: username=" + username);
>         } catch (UnknownAccountException ex) {
>             System.err.println("Invalid username:" + username);
>             // TODO: show error to user
>             return;
>         } catch (IncorrectCredentialsException ex) {
>             System.err.println("Incorrect password for username:" + username);
>             // TODO: show error to user
>             return;
>         }
>         // Fetch the URL a filter saved before sending the user to the login page.
>         SavedRequest savedRequest =
>                 WebUtils.getAndClearSavedRequest(request);
>         // Nothing is saved when the user opened the login page directly;
>         // fall back to the application root in that case.
>         if (savedRequest == null) {
>             response.sendRedirect(request.getContextPath() + "/");
>             return;
>         }
>         response.sendRedirect(savedRequest.getRequestUrl());
>     }
> }
>
> Andy
>
>
> -----Original Message-----
> From: Andy Tripp [mailto:[email protected]]
> Sent: Tuesday, July 28, 2009 9:58 AM
> To: [email protected]
> Subject: sending user to page after login
>
> Les,
> OK, I'm using PassThruAuthenticationFilter now. But I still don't know
> how to store the URL that the user is trying to get to so that I can send
> him there after successful login. I have this in my ShiroFilter config:
> /account/** = myauthc
> ...and how that's being handled is a mystery to me.
>
> Andy
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Les Hazlewood
> Sent: Monday, July 27, 2009 5:38 PM
> To: [email protected]
> Subject: Re:
>
> Hi Andy,
>
> Yep, you can do this, but you'll need to use the
> PassThruAuthenticationFilter instead to 'pass thru' the request to
> your login controller directly.
> The 'authc' filter defaults to an instance of the
> org.apache.shiro.web.filter.authc.FormAuthenticationFilter class and
> is used only if you want Shiro to be the 'controller' for form
> submissions. This works fine in many apps, but for more customized
> processing, you'll definitely want to use the
> PassThruAuthenticationFilter instead.
>
> You have two ways to do this. In your ShiroFilter's .ini config, you
> can 1) reassign the 'authc' filter to be what you want:
>
> [filters]
> ...
> authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
>
> or you can 2) just create a new filter and reference that everywhere
> instead of 'authc':
>
> myAuthc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
>
> [urls]
> /some/path = myAuthc
> etc.
>
> I tend to prefer the first to avoid the confusion that there might be
> more than one authentication filter, but it is entirely up to you.
>
> Cheers,
>
> Les
>
> On Mon, Jul 27, 2009 at 4:00 PM, Andy Tripp<[email protected]> wrote:
>> Hi,
>> I have a question about filters.
>> In the javadoc for the ShiroFilter class, it shows how to redirect all
>> requests to urls under "/account" to the built-in "authc" filter. I've
>> got that working in the "webapp" example, and I've changed the login.jsp
>> to invoke my servlet that does the authentication.
>>
>> But now, of course, I want to pass the user on to the page he was trying
>> to get to (e.g. /account/index.jsp). Is there a way to do that? Perhaps
>> a way in the filter configuration text that says "redirect all
>> /account/** requests to login.jsp, and set the hidden form field called
>> 'nextPage' to the specific URL that the user's trying to get to" or
>> something like that?
>>
>> Thanks,
>> Andy
>>
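
An added example, not part of the thread and not Shiro project code: a subclass of FormAuthenticationFilter that records each login outcome and then delegates to the inherited onLoginSuccess, the method the reply at the top of this thread says performs the redirect. The class name AuditingFormAuthenticationFilter, the log wording and the use of java.util.logging are assumptions, and the imports assume Shiro 1.x on the javax.servlet API.

```java
import java.util.logging.Logger;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

// Hypothetical class; reference it in the ShiroFilter config in place of the stock filter:
//   myauthc = <your.package>.AuditingFormAuthenticationFilter
public class AuditingFormAuthenticationFilter extends FormAuthenticationFilter {

    private static final Logger LOG =
            Logger.getLogger(AuditingFormAuthenticationFilter.class.getName());

    // The submitted username is untrusted input: replace control characters
    // so a crafted value cannot inject extra lines into the log.
    static String forLog(Object principal) {
        return String.valueOf(principal).replaceAll("\\p{Cntrl}", "_");
    }

    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response)
            throws Exception {
        // Only the principal is logged; the credentials never go to the log.
        LOG.info("login ok: user=" + forLog(token.getPrincipal())
                + " from=" + request.getRemoteHost());
        // The inherited implementation issues the post-login redirect.
        return super.onLoginSuccess(token, subject, request, response);
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        // The exception type is kept for operators; the login page itself
        // should show the same message for every kind of failure.
        LOG.warning("login failed: user=" + forLog(token.getPrincipal())
                + " from=" + request.getRemoteHost()
                + " cause=" + e.getClass().getSimpleName());
        return super.onLoginFailure(token, e, request, response);
    }
}
```

With this filter the login form posts back to the filter's loginUrl, so no separate login servlet is involved.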
