Use JavaScript Redirection

When CAS redirects from the https CAS application back to an http service after a successful authentication, IE6 presents the user with a security dialog saying "you are about to be redirected to a connection that is not secure, do you really want to do this?". We can avoid this by using JavaScript to perform the redirection in the client browser instead of a server-side redirect. This approach works for web pages, but not for protected image content, which will not execute the returned JavaScript, so we revert to a server-side redirect for this type of content.

1. Create WEB-INF/view/jsp/default/ui/redirect.jsp to perform the redirection using JavaScript

<%@page import="org.jasig.cas.authentication.principal.WebApplicationService" %>
<%@page import="org.jasig.cas.web.support.WebUtils" %>
<%@page import="java.net.URL" %>
<%
WebApplicationService service = (WebApplicationService) request.getAttribute("service");
String ticket  = (String) request.getAttribute("serviceTicketId");
String redirectURL = service.getResponse(ticket).getUrl();
boolean serverSideRedirect = false;
// Use a server-side redirect when the target is an image, JS or CSS file
URL url = new URL(redirectURL);
String path = url.getPath();
int dotPos = path.lastIndexOf("."); // returns -1 if not found
if( dotPos != -1 )
{
    String ext = path.substring(dotPos).toLowerCase();
    serverSideRedirect = ".gif".equals(ext) || ".jpg".equals(ext) || ".png".equals(ext) || ".js".equals(ext) || ".css".equals(ext);
}
if( serverSideRedirect )
{
    // Server-side redirect using HTTP 302
    response.sendRedirect(redirectURL);
}
else
{
    // Client-side redirect using JavaScript (redirectURL is written into the script below as-is)
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
  <head>
    <script type="text/javascript" language="javascript">
      <!--
        window.location.replace ("<%=redirectURL%>");
      -->
    </script>
    <title>Redirect</title>
  </head>
  <body></body>
</html>
<%
}
%>

2. Make a redirect view available to CAS by adding it to WEB-INF/classes/default_view.properties

### Redirect view (logged in, javascript redirect to service)
redirectView.(class)=org.springframework.web.servlet.view.JstlView
redirectView.url=/WEB-INF/view/jsp/default/ui/redirect.jsp

3. Modify WEB-INF/login-webflow.xml to make the redirect end state use the new view

<end-state id="redirect" view="redirectView" />
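
redirect.jsp above writes redirectURL straight into a double-quoted JavaScript string literal, so a quote or a closing script tag in the service URL would end that literal early. The following is an added example, not part of the original page or of CAS: a helper that checks the URL scheme and escapes the value for that context. The class name RedirectUrlEncoder, its method names and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not CAS code: the class and method names are hypothetical.
public class RedirectUrlEncoder {

    // Accept only absolute http/https URLs with a host, so that schemes such
    // as javascript: or data: never reach window.location.replace().
    static boolean isHttpUrl(String url) {
        try {
            URI uri = new URI(url);
            String scheme = uri.getScheme();
            return uri.getHost() != null
                && ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme));
        } catch (URISyntaxException e) {
            return false; // illegal characters such as " or < end up here
        }
    }

    // Escape a value for a double-quoted JavaScript string literal inside an
    // HTML script block: every character outside a small safe set is written
    // as a four-digit unicode escape, which the browser decodes back.
    static String jsString(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
            if (alnum || ".-_:/".indexOf(c) >= 0) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs, not from the page
            "http://app.example.org/home?ticket=ST-1-abc",
            "http://app.example.org/\");x();//",
            "http://app.example.org/</script>",
            "javascript:x"
        };
        for (String s : samples) {
            System.out.println((isHttpUrl(s) ? "accept " : "reject ") + jsString(s));
        }
    }
}
```

In the JSP, the check would run before either redirect branch, and the script line would emit jsString(redirectURL) in place of the raw value.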