How does j_security_check know the originally requested page?
843811Feb 22 2005 — edited Jul 8 2008Hi,
When a web-application uses "j_security_check" , where does it store the name of the original page requested by the user (the one to which user should be redirected after a successful login ) ?
For example, assuming the following scenario:
0) A web application contains a page "secret.html", which is a protected resource, declared to require login. Assume mode is "Form Based Login".
1) User tries to access page "secret.html"
2) User is re-directed to "login.jsp", fills in "j_username" and "j_password", and submits them to "j_security_check".
3) "j_security_check" checks the user/password. If they are valid, it creates a "LoginContext", and then redirects the user to the originally-requested page ("secret.html").
At least that's my understanding of how it works...
The question: in step 3, how does "j_security_check" know which is the originally-requested page ("secret.html") ?
I had expected it to be sotred in the session context, or at least as a request attribute/parameter.
But a simple test I conducted (on Websphere), shows it's not there... I put a Filter before "j_security_check", and printed all session/request attributes, and all parameters, but so no trace of the original page name.
Thanks very much :)