
@mraible
Created February 24, 2011 21:42
diff --git a/src/main/java/org/appfuse/examples/web/AjaxAuthenticationSuccessHandler.java b/src/main/java/org/appfuse/examples/web/AjaxAuthenticationSuccessHandler.java
index 2a68529..99980ed 100644
--- a/src/main/java/org/appfuse/examples/web/AjaxAuthenticationSuccessHandler.java
+++ b/src/main/java/org/appfuse/examples/web/AjaxAuthenticationSuccessHandler.java
@@ -1,16 +1,31 @@
package org.appfuse.examples.web;
+import org.codehaus.jackson.map.ObjectMapper;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
public class AjaxAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
private AuthenticationSuccessHandler defaultHandler;
+ private ObjectMapper mapper = new ObjectMapper();
public AjaxAuthenticationSuccessHandler(AuthenticationSuccessHandler defaultHandler) {
this.defaultHandler = defaultHandler;
}
- void onAuthenticationSuccess(HttpServletRequest request,
- HttpServletResponse response, Authentication auth) {
- if ("true".eqauls(request.getHeader("X-Ajax-call")) {
- response.getWriter().print("ok");
+ public void onAuthenticationSuccess(HttpServletRequest request,
+ HttpServletResponse response,
+ Authentication auth)
+ throws IOException, ServletException {
+
+ if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
+ response.setContentType("application/json");
+ LoginStatus status = new LoginStatus(true, auth.getName());
+ response.getWriter().print(mapper.writeValueAsString(status));
response.getWriter().flush();
} else {
defaultHandler.onAuthenticationSuccess(request, response, auth);
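Review bot: The JSON branch sets the content type without a charset and then writes the authenticated user name through `response.getWriter()`, so the servlet default encoding (ISO-8859-1) applies and a user name outside Latin-1 will be corrupted in the response. Declare the encoding before the writer is obtained, `response.setContentType("application/json;charset=UTF-8");`. Because the body carries login state, `response.setHeader("Cache-Control", "no-store");` in the same branch would keep it out of intermediary and browser caches. Both fields are assigned once and could be `private final`. The method body continues past the end of the hunk.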
diff --git a/src/main/java/org/appfuse/examples/web/LoginService.java b/src/main/java/org/appfuse/examples/web/LoginService.java
index 9198f6a..a9e7163 100644
--- a/src/main/java/org/appfuse/examples/web/LoginService.java
+++ b/src/main/java/org/appfuse/examples/web/LoginService.java
@@ -63,24 +63,7 @@ public class LoginService {
}
}
- public class LoginStatus {
- private final boolean loggedIn;
- private final String username;
-
- public LoginStatus(boolean loggedIn, String username) {
- this.loggedIn = loggedIn;
- this.username = username;
- }
-
- public boolean isLoggedIn() {
- return loggedIn;
- }
-
- public String getUsername() {
- return username;
- }
- }
/*@RequestMapping(method = RequestMethod.OPTIONS)
public void setOptionsHeaders(HttpServletResponse response) {
diff --git a/src/main/java/org/appfuse/examples/web/LoginStatus.java b/src/main/java/org/appfuse/examples/web/LoginStatus.java
index 3ea8e9a..05d7073 100644
--- a/src/main/java/org/appfuse/examples/web/LoginStatus.java
+++ b/src/main/java/org/appfuse/examples/web/LoginStatus.java
@@ -2,19 +2,19 @@ package org.appfuse.examples.web;
public class LoginStatus {
- private final boolean loggedIn;
- private final String username;
+ private final boolean loggedIn;
+ private final String username;
- public LoginStatus(boolean loggedIn, String username) {
- this.loggedIn = loggedIn;
- this.username = username;
- }
+ public LoginStatus(boolean loggedIn, String username) {
+ this.loggedIn = loggedIn;
+ this.username = username;
+ }
- public boolean isLoggedIn() {
- return loggedIn;
- }
+ public boolean isLoggedIn() {
+ return loggedIn;
+ }
- public String getUsername() {
- return username;
- }
- }
\ No newline at end of file
+ public String getUsername() {
+ return username;
+ }
+}
\ No newline at end of file
diff --git a/src/main/java/org/appfuse/examples/web/OptionsHeadersFilter.java b/src/main/java/org/appfuse/examples/web/OptionsHeadersFilter.java
index 3013f3b..eea9937 100644
--- a/src/main/java/org/appfuse/examples/web/OptionsHeadersFilter.java
+++ b/src/main/java/org/appfuse/examples/web/OptionsHeadersFilter.java
@@ -6,21 +6,35 @@ import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
+import java.util.Enumeration;
public class OptionsHeadersFilter implements Filter {
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
+ HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
+ if (request.getMethod().equalsIgnoreCase("OPTIONS")) {
+ addOptionsHeaders(response);
+ return;
+ } else if (request.getMethod().equalsIgnoreCase("POST")) {
+ addOptionsHeaders(response);
+ }
+
+
+ chain.doFilter(req, res);
+ }
+
+ private void addOptionsHeaders(HttpServletResponse response) {
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "GET,POST");
response.setHeader("Access-Control-Max-Age", "360");
response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
-
- chain.doFilter(req, res);
}
public void init(FilterConfig filterConfig) {
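Review bot: `addOptionsHeaders` sends `Access-Control-Allow-Origin: *` on both the preflight and the POST, and the web.xml change in this commit maps this filter to `/j_security_check`, so a page on any origin can submit a login and read the `loggedIn`/`username` JSON that comes back. For a login endpoint the allowed origin should come from a configured allowlist: compare the request's `Origin` header against it and only then echo it with `response.setHeader("Access-Control-Allow-Origin", origin);` plus `response.setHeader("Vary", "Origin");`, which means passing the request into `addOptionsHeaders`. The OPTIONS branch also answers every preflight without checking `Access-Control-Request-Method`, which is acceptable only once the origin check is in place. The added imports `javax.servlet.http.Cookie` and `java.util.Enumeration` appear unused in the visible code and can be dropped. `init` continues outside the hunk.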
diff --git a/src/main/webapp/WEB-INF/security.xml b/src/main/webapp/WEB-INF/security.xml
index 93da1c4..3b96451 100644
--- a/src/main/webapp/WEB-INF/security.xml
+++ b/src/main/webapp/WEB-INF/security.xml
@@ -13,7 +13,8 @@
<intercept-url pattern="/app/users" access="ROLE_ADMIN" requires-channel="https"/>
<intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER" requires-channel="any"/>
<form-login login-page="/login" authentication-failure-url="/login?error=true"
- login-processing-url="/j_security_check"/>
+ login-processing-url="/j_security_check"
+ authentication-success-handler-ref="ajaxAuthenticationHandler"/>
<logout logout-url="/logout"/>
<session-management session-fixation-protection="newSession" >
<concurrency-control max-sessions="1" error-if-maximum-exceeded="false"/>
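Review bot: `form-login` gains `authentication-success-handler-ref` but failures still go through `authentication-failure-url="/login?error=true"`, so an Ajax caller with bad credentials receives a redirect to the HTML login page rather than a JSON body with `loggedIn` false. A matching failure handler that checks the same `X-Requested-With` header and returns JSON with a 401 status, wired with `authentication-failure-handler-ref`, would make the two outcomes symmetrical. Separately, the visible rules require HTTPS only for `/app/users`; whether `/j_security_check` is forced onto HTTPS is not shown here and is worth confirming now that credentials are posted to it from script.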
@@ -34,6 +35,13 @@
<protect-pointcut expression="execution(* *..service.UserManager.removeUser(..))" access="ROLE_ADMIN"/>
</global-method-security>
+ <beans:bean id="ajaxAuthenticationHandler" class="org.appfuse.examples.web.AjaxAuthenticationSuccessHandler">
+ <beans:constructor-arg ref="defaultSuccessHandler"/>
+ </beans:bean>
+
+ <beans:bean id="defaultSuccessHandler"
+ class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"/>
+
<!-- Override userSecurityAdvice bean in appfuse-service to allow any role to update a user. -->
<beans:bean id="userSecurityAdvice" class="org.appfuse.examples.web.UserSecurityAdvice"/>
</beans:beans>
\ No newline at end of file
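Review bot: `defaultSuccessHandler` is declared as `SimpleUrlAuthenticationSuccessHandler`, which does not consult the saved request, so non-Ajax users who were sent to the login page from a protected URL will land on the default target instead of the page they asked for. Using `org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler` for this bean keeps the redirect behaviour that `form-login` has when no success handler is set. A short XML comment above the two beans saying that the Ajax handler delegates to the default one for ordinary form posts would help the next reader.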
diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml
index 1eeacf5..b8fed84 100644
--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@@ -102,10 +102,6 @@
<url-pattern>/*</url-pattern>
</filter-mapping>-->
<filter-mapping>
- <filter-name>optionsHeaders</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <filter-mapping>
<filter-name>messageFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
@@ -120,6 +116,12 @@
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
+ <filter-name>optionsHeaders</filter-name>
+ <url-pattern>/j_security_check</url-pattern>
+ <dispatcher>REQUEST</dispatcher>
+ <dispatcher>FORWARD</dispatcher>
+ </filter-mapping>
+ <filter-mapping>
<filter-name>securityFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
diff --git a/src/main/webapp/login.jsp b/src/main/webapp/login.jsp
index a7d106e..416426b 100644
--- a/src/main/webapp/login.jsp
+++ b/src/main/webapp/login.jsp
@@ -43,10 +43,14 @@
$("#login").live('click', function(e) {
e.preventDefault();
- $.ajax({url: getHost() + "${ctx}/api/login.json",
+ $.ajax({url: getHost() + "${ctx}/j_security_check",
type: "POST",
data: $("#loginForm").serialize(),
- success: function(data, status) {
+ beforeSend: function (xhr) {
+ xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
+ },
+ success: function(data, status, xhr) {
+ //console.log(xhr.getResponseHeader("Set-Cookie"));
if (data.loggedIn) {
// success
dialog.dialog('close');
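Review bot: The `success` callback reads `data.loggedIn` but the `$.ajax` call sets no `dataType`, so parsing depends on jQuery inferring JSON from the response content type; when the server answers with the HTML login page (the failure path still redirects), `data` is a string and the check silently falls through. Add `dataType: "json",` and an `error:` callback so a non-JSON or failed response is handled explicitly. The commented-out `//console.log(xhr.getResponseHeader("Set-Cookie"));` should be removed: browsers never expose `Set-Cookie` to script, so the line cannot work and only leaves debug residue in the login page. The click handler continues outside the hunk.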