379909 FormAuthenticator Rembers only the URL of first Request before authentication

jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java

@@ -77,6 +77,7 @@ public class FormAuthenticator extends LoginAuthenticator
     private String _formLoginPage;
     private String _formLoginPath;
     private boolean _dispatch;
+    private boolean _alwaysSaveUri;
 
     public FormAuthenticator()
     {
@@ -93,6 +94,26 @@ public class FormAuthenticator extends LoginAuthenticator
         _dispatch=dispatch;
     }
     
+    /* ------------------------------------------------------------ */
+    /**
+     * If true, uris that cause a redirect to a login page will always
+     * be remembered. If false, only the first uri that leads to a login
+     * page redirect is remembered.
+     * See https://bugs.eclipse.org/bugs/show_bug.cgi?id=379909
+     * @param alwaysSave
+     */
+    public void setAlwaysSaveUri (boolean alwaysSave)
+    {
+        _alwaysSaveUri = alwaysSave;
+    }
+    
+    
+    /* ------------------------------------------------------------ */
+    public boolean getAlwaysSaveUri ()
+    {
+        return _alwaysSaveUri;
+    }
+    
     /* ------------------------------------------------------------ */
     /**
      * @see org.eclipse.jetty.security.authentication.LoginAuthenticator#setConfiguration(org.eclipse.jetty.security.Authenticator.AuthConfiguration)
@@ -279,9 +300,9 @@ public class FormAuthenticator extends LoginAuthenticator
             // remember the current URI
             synchronized (session)
             {
-                // But only if it is not set already
-                if (session.getAttribute(__J_URI)==null)
-                {
+                // But only if it is not set already, or we save every uri that leads to a login form redirect
+                if (session.getAttribute(__J_URI)==null || _alwaysSaveUri)
+                {  
                     StringBuffer buf = request.getRequestURL();
                     if (request.getQueryString() != null)
                         buf.append("?").append(request.getQueryString());

test-jetty-webapp/src/main/config/contexts/test.xml

@@ -61,6 +61,11 @@ detected.
             -->
       </New>
     </Set>
+    <Set name="authenticator">
+      <New class="org.eclipse.jetty.security.authentication.FormAuthenticator">
+        <Set name="alwaysSaveUri">true</Set>
+      </New>
+    </Set>
     <Set name="checkWelcomeFiles">true</Set>
   </Get>
   

test-jetty-webapp/src/main/webapp/WEB-INF/web.xml

@@ -266,6 +266,16 @@
     <location>/error404.html</location>
   </error-page>
 
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Auth2</web-resource-name>
+      <url-pattern>/auth2/*</url-pattern>
+    </web-resource-collection>
+    <auth-constraint>
+      <role-name>*</role-name>
+    </auth-constraint>
+  </security-constraint>
+
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Any User</web-resource-name>

test-jetty-webapp/src/main/webapp/auth.html

@@ -12,6 +12,7 @@ This page contains several links to test the authentication constraints:
 <ul>
 <li><a href="auth/file.txt">auth/file.txt</a> - Forbidden</li>
 <li><a href="auth/relax.txt">auth/relax.txt</a> - Allowed</li>
+<li><a href="auth2">auth2/index.html</a> - Authenticated (tests FormAuthenticator.setAlwaysSaveUri()) </li>
 <li><a href="dump/auth/noaccess/info">dump/auth/noaccess/*</a> - Forbidden</li>
 <li><a href="dump/auth/relax/info">dump/auth/relax/*</a> - Allowed</li>
 <li><a href="dump/auth/info">dump/auth/*</a> - Authenticated any user</li>

test-jetty-webapp/src/main/webapp/auth2/index.html

@@ -0,0 +1,6 @@
+<html>
+  <body>
+    <h1>YAY!</h1>
+    <p>You have successfully authenticated. You can use this url in conjunction with any of the other urls that lead to a login form to test which urls are saved on entry to the login form.</p>
+  </body>
+</html>