Java Servlet从一个Servlet重定向到另一个Servlet，然后再返回到初始Servlet

Question

I had a question about Java Servlets.

lets say I am on a servlet webpage, 'somePage'. I want to log in (using another servlet, 'login' servlet). So i click on the log-in link on the 'somePage' and get redirected to the 'login' page. I type in my name and password and they are both correct. the login page has successfully logged me in.

(now asking about coding for the 'login' servlet) How do I code the 'login' page so that it will redirect the successfully logged in person back to the, 'somePage' webpage?

Main Question: How does the login page know the page which initially redirected to it is the 'somePage' page?

I have checed out a lot of the request parameters, but non tell me, yes, you were directed from page, 'somePage'. These are the the paramater i have looked at:

String authType = request.getAuthType();
String pathInfo = request.getPathInfo();
String pathTranslated = request.getPathTranslated();
String getUserName = request.getRemoteUser();
String remoteAdd = request.getRemoteAddr();
String uriString = request.getRequestURI();
String sessionID = request.getRequestedSessionId();
String serverName = request.getServerName();
Integer serverPort = request.getServerPort();
String servletPath = request.getServletPath();

I know some of these are obvously not going to give me the answer I am looking for, but I figure one of the HttpServletRequest parameters has got to tell the login page who asked for it to be displayed. Any help would be greatly appreciated. I'm going to continue my search for the answer. I've tried to search for this question, but haven't found an answer.

Answer 1

Instead implementing yourself you should consider using form based authentification for your web app.

Almost every servlet container supports this.

At first you have to configure security. This depends on your application server. Ie with Jetty you can use a database approach with tables for users and their roles or LDAP, etc.

In web.xml you turn on form based authentification:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/logon.jsp</form-login-page>
    <form-error-page>/logonError.jsp</form-error-page>
  </form-login-config>
 </login-config>

You specify two JSP pages you have to provide. logon.jsp is the login page for inserting user name and password. logonError.jsp is shown, if user name and password are invalid.

The whole login workflow is handled by the application server.

If the user first goes to a protected URL, the application server presents the login page instead. As a convention the input fields for user name and passwort should be named j_username and j_password . When the user submits the login form the server checks, if the user crendentials are valid (according to its configuration). If so the user is redirected to the original page. Otherwise the login error page is shown.

If you really want to implement it yourself then you can implement a servlet filter so that all calls to protected resources have to pass your filter. In your filter you can check, if there is already a session present and if the user has successfully logged in. Then the normal call can proceed. Otherwise you can forward to your login page and store the original URL in the session. After a successfull login you can read the original URL out of your session context and redirect to the page the user wanted to see in the first place.

Answer 2

There are different ways of doing this. One way is to have your login page support a continue CGI parameter that gives the URL to which to redirect after the login is successful. Another way to do this is to use the "Referer" header that was passed to the login page, and redirect to that URL.

For the former, you can use ServletRequest.getParameterMap() to get the CGI arguments and determine if there is a CGI parameter named continue (or whatever name you choose to give to that CGI parameter); for the latter, you can use HttpServletRequest.getHeader() to get the "Referer" header.