Username in url but following context path with '/'?

I am developing an Online Recruitment System in Java EE using Servlets and I want to give each user his own unique url by adding username to context path using '/'.
Simply put I want to rewrite my url from /main to /main/username so when people login they can see their username in address bar(just like at stackoverflow or facebook).
E.g. currently I am redirecting to "/main?username="+username (works fine) using jQuery Ajax but I want to redirect to /main/username.
I tried the encodeURL method but '/' makes it search in a subdirectory. If anybody thinks it should work, please give me the syntax.
I have done url mapping in web.xml. (E.g. signin.jsp is mapped to the signin uri.)

If I understand your question, you want to have a Java EE site like myrecruitingsite.com where you can redirect a user to myrecruitingsite.com/main/<username>. When a request is made to myrecruitingsite.com/main/arg21, or myrecruitingsite.com/main/geoffreywiseman, you'd want the request to go to the same servlet, and you'd like to know which username was requested.
Java servlet mappings don't directly support complex routing patterns in the way that many modern web frameworks do. You can't configure the web.xml to send a request from myrecruitingsite.com/main/<username> to the user profile servlet and myrecruitingsite.com/main/<username>/contact to the contact servlet. You can do wildcard mappings, but all the routing decisions after that you'll have to do outside of the web.xml.
Alternately, you can do URL rewriting (typically with servlet filters) such that the URL requested by the browser is not the final one interpreted by the servlet mapping layer. There are frameworks for this, or you can do it yourself.
Basically, you need to configure the servlet mapping's url pattern with a wildcard, and then query getPathInfo() to find out what the rest of the wildcard was. That alone is pretty simple.
If you're using any one of a wide array of Java web frameworks, there will be facilities for routing and quite possibly a front controller servlet that does what you need already. In that scenario, you'll need to look at the framework's documentation for more information.
On the other hand, if you're doing it yourself using servlets (or even servlets + jsp), you can either just do a wildcard mapping to a single servlet that will grow larger and larger as you add more features to it, or more likely, you'll need to develop your own micro-framework where the servlet acts as a Front Controller servlet and does the routing work and delegates all the subsequent work to plain old java objects (POJOs).
By way of example, your routing servlet could maintain a mapping between url patterns (perhaps specified in java regular expressions) to objects of your own creation that either mimic the servlet interface or another interface of your own creation. That way, you have a servlet that's responsible for the routing decisions bound in the web.xml, and a network of little classes that are responsible for the specifics of a particular request. It's work, but it's not terrifically difficult.
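The wildcard mapping plus regex routing described in the answer above, as an added example that is not part of the original answer. It is plain Java so it runs without a container: in a servlet mapped to `/main/*`, `route()` would be called with `request.getPathInfo()` and the logged-in user from the session. The class name, handler names, the username character set, and the rule that a page is visible only to its owner are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Routes the getPathInfo() part of a request that matched a "/main/*" servlet mapping. */
public class PathRouter {
    // Allow-list for the username segment (assumed charset): the path is client-controlled.
    private static final String USER = "(?<user>[A-Za-z0-9_-]{1,32})";
    private final Map<Pattern, Function<String, String>> routes = new LinkedHashMap<>();

    public PathRouter() {
        // Hypothetical handlers; a real one would be a POJO that renders the page.
        routes.put(Pattern.compile("/" + USER + "/?"), u -> "profile:" + u);
        routes.put(Pattern.compile("/" + USER + "/contact/?"), u -> "contact:" + u);
    }

    /** pathInfo is the value of getPathInfo(); it is null for a bare "/main". */
    public Optional<String> route(String pathInfo, String sessionUser) {
        if (pathInfo == null || sessionUser == null) return Optional.empty();
        for (Map.Entry<Pattern, Function<String, String>> e : routes.entrySet()) {
            Matcher m = e.getKey().matcher(pathInfo);
            // matches() anchors the whole string, so extra or odd segments never match.
            if (!m.matches()) continue;
            // Assumption: the URL only names the page; identity comes from the session.
            if (!m.group("user").equals(sessionUser)) return Optional.empty();
            return Optional.of(e.getValue().apply(m.group("user")));
        }
        return Optional.empty(); // caller answers 404
    }

    public static void main(String[] args) {
        PathRouter router = new PathRouter();
        // Constructed sample inputs; the session user is "arg21".
        String[] samples = {"/arg21", "/arg21/contact", "/geoffreywiseman", "/../admin", "/arg21/x/y"};
        for (String p : samples) {
            System.out.println(p + " -> " + router.route(p, "arg21").orElse("404"));
        }
        System.out.println("null -> " + router.route(null, "arg21").orElse("404"));
    }
}
```

Only the first two samples resolve to a handler; the other user's page, the traversal-style path, the unknown sub-path and the missing path info all fall through to 404.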

Usually this is achieved using url rewrites on the server. For IIS that means creating a web.config, or in Apache creating a .htaccess file. You'll need to find the equivalent for your server and it can then be made to parse the directory structure type /username/ into an HTTP GET variable for your application.

Related

Can interceptors be executed between authentication and action execution?

Moving from container-managed authentication to the Spring Security plugin in a Grails 3.1.9 app. In the container-managed world, our Grails interceptors executed AFTER authentication for a secured resource. However, with Spring Security, the interceptors (with before() logic) execute with the following sequence:
1. Call to a secured resource
2. Interceptor stack intercepts the request, returns true
3. Redirected to form login page
4. Successful authentication
5. Redirection to the requested resource
We have interceptors that should only fire for authenticated users. Is there a way to have interceptors executed between step 4 & 5 instead of this flow? Or is this where our interceptor logic needs to move into Spring Security filters?
It's a little more clear if you look at the flow in a 2.x app since there's a web.xml file where it's more clear what order several of the parts run in, but it's basically the same in 2.x and 3.x.
The plugin's filter chain is registered as one filter and it's configured to run after the grailsWebRequest filter but before the GrailsDispatcherServlet. This is to support annotated controllers that may have URL mappings that are different from the default (e.g. PersonController.show() may map to /person/show but the app could have mapped it to any valid uri (and combination of REST verb(s))), so I need to be able to search the compiled URL mapping instances to figure out what controller action will run for the current request. In the filter, I know what URL is being requested, but not what security rule(s) to apply; if everything was url-based it would be simple and precompiled at startup, but with annotated controllers, I only know what rules apply to controller methods.
The servlet runs after the filters, and that's where the controller is determined and invoked. Interceptors (and Grails filters (not to be confused with servlet Filters) in 2.x) are actually Spring HandlerInterceptors that get composed along with a 'handler' into a HandlerExecutionChain. This is generic enough to work with any type of request but in practice the handler is a controller, so the scope is much narrower than if it were a servlet Filter.
So to get back to your actual question, your best option is to do the work in a filter that's added to the Spring Security filter chain. These are pretty simple to implement and the process is described in the plugin docs.

When to use routes vs. rewrite rules?

I'm trying to debug a problem with routing and I've just realized that MVC routes do something extremely similar to url rewriting but I don't have a good understanding of which situations call for routing and which call for url rewriting. Can someone please explain where these two technologies differ and for which situations each is appropriate?
Url Rewriting analyzes the requested URL and changes it to a different URL on the same server. The URL rewriting module runs early in the request-processing pipeline, modifying the requested URL before the Web server decides which handler to use to process the request.
Routing is a request-dispatching mechanism that occurs after Url Rewriting. When a request is made to a Web server ASP.NET routing looks up the requested URL path in the list of registered routes. If the route is found, the corresponding handler for that route is invoked to process that request.
Use routes when you are developing a new application or maintaining an existing one. Use Url rewriting when you want to patch a legacy application without changing it internally.
http://www.iis.net/learn/extensions/url-rewrite-module/iis-url-rewriting-and-aspnet-routing

Grails URL Mappings security concerns

I'm building a grails app, and the default URLMapping provided by grails is /$controller/$action?/$id
I'm concerned about the security aspects of this catch-all mapping. On one hand, it's a pain to explicitly list out all of the mappings, but on the other hand it seems like there could be potential security issues, such as forgetting to secure certain mappings.
By explicitly specifying the mappings, we have much tighter control over the URLs. It also lets us make more user-friendly URLs (e.g. maybe we could pluralize things, like having a people/john/ url instead of /person/john).
Are there other concerns with leaving the default mappings? Is there a possibility that we could unintentionally expose the fact that a certain admin page is valid (I'll have to look more into spring security as to how to redirect to a 404 for trying to access admin pages for a non admin user)?
I think you answered yourself. The default url mapping "/$controller/$action?/$id" is easy to use but may be used as a hole in the case of a bad controller security implementation.
But probably the best solution is to place security checks even at the domain level, so even if by mistake a user can reach an unauthorized controller, an exception will block him from doing anything with the domains.

restricting access to staticcontent, urls in grails web-app

I tried looking up any tips for restricting access to static content/partial urls on a web server for my grails web-app but I am getting confused about using element in web.xml, since right now I am using the grails default jetty server (doesn't use web.xml) and the images, css, js etc. are all accessible without any authentication. How do I go about restricting access to
1) all static content directories - only accessible in a valid user session.
2) all intermediate url paths not displaying content in the appropriate format/incorrect content.
It should say like not available/forbidden if the user tries to access above 2 by hitting urls.
Implement your own filters (by URI) in grails-app/conf. For more details see section 6.6 Filters in grails documentation
... off the top of my head I'd try the spring-security plugin, it has options for restricting access on per url basis. Good start is here the screencast

Routing based on the request uri host

So the basic premise to this problem is that I have a single hosted webspace which came with two domain names. I am unsure how to configure routing in asp.net mvc so that the first thing I would check would be this host in the request object so that I can move user traffic to two separate parts of my website.
For example:
http://www.mywebsite1.com/products/14
http://www.mywebsite2.com/products/14
How do you route so that those two url's above end up returning two different pages based on the context of the host used in the request?
Thanks in advance!
You can also use some kind of URL rewriting in IIS7 or whatever you use, because it can access the domain name part too. For example you can create a rewrite method that injects the domain name into the url, like:
http://www.example1.org/Something/1 --> http://www.example1.org/example1/Something/1
http://www.example2.org/Something/1 --> http://www.example2.org/example2/Something/1
And because now the domain name is in the URL string, you can use the default routing engine to send this information to the controllers or do something else.
You need to implement a custom view engine that will look at the URL post controller execute and select the correct view.
Check this out for more info: Asp.Net Themes
