Managing Web App's URLs in Heroku

On my previous post there is a step by step explanation on how to create your own Web App in Heroku.

After I finished the whole process and I had my Web App up and running on Heroku, I thought I had reached the end and it would all be working smoothly. My surprise came when some pictures on my site and some pages redirections were not working properly.

The key is in the way that you specify your URLs; you cannot use the forward slash ('/') to prefix your URLs, because Heroku will understand them as absolute paths, and it will look for the page in the wrong place.

That was the case of my web app, the login page had a reference to a warning image, but this image was not being loaded when the error message appeared.

The next snippet shows the original source code for that image import.

	<c:if test="${param.error != null}">
	<div>
	<img src="/images/iconWarning.gif" alt="<fmt:message key='icon.warning'/>"/>
	<label><fmt:message key="errors.password.mismatch"/></label>
	</div>
	</c:if>

view raw login.jsp hosted with ❤ by GitHub

The problem was that I was using the forward slash ('/') as a prefix for the image's URL, so the change required to get this working is to just remove this prefix, so that Heroku understands it as a relative path, as shown in the following snippet.

	<c:if test="${param.error != null}">
	<div>
	<img src="images/iconWarning.gif" alt="<fmt:message key='icon.warning'/>"/>
	<label><fmt:message key="errors.password.mismatch"/></label>
	</div>
	</c:if>

view raw login.jsp hosted with ❤ by GitHub

The same thing happened with some script imports I was doing to be used with my pages, and it was solved in the same way, just by removing the preceding forward slash ('/') from the URLs.

However, another problem arose when redirecting to the login failure URL (that was being handled by Spring Security), whose solution is similar to the one stated above, but requires more customisation.

Spring Security URL Authentication Failure Handling

The default URL authentication failure handler used within Spring Security is the SimpleUrlAuthenticationFailureHandler; the next snippet shows the typical definition of the security beans to use the default handler:

	<http auto-config="true" lowercase-comparisons="false">
	<intercept-url pattern="/images/**" filters="none"/>
	<intercept-url pattern="/styles/**" filters="none"/>
	<intercept-url pattern="/scripts/**" filters="none"/>
	<intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
	<form-login login-page="/login"
	authentication-failure-url="/login?error=true"
	login-processing-url="/j_security_check"/>
	</http>

view raw security.xml hosted with ❤ by GitHub

The default class does not accept a URL without a forward slash ('/') prefix, so that makes it impossible to specify the redirection as stated above in this post.
Apart from that, the redirection uses a RedirectStrategy object, which modifies the URL string specified in the bean.

The solution I propose to solve this issue is to create a custom class to handle the authentication failure, and then use that class as a reference for the form-login bean.

The new definition of the security bean is as follows:

	<http auto-config="true" lowercase-comparisons="false">
	<intercept-url pattern="/images/**" filters="none"/>
	<intercept-url pattern="/styles/**" filters="none"/>
	<intercept-url pattern="/scripts/**" filters="none"/>
	<intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
	<form-login login-page="/login"
	authentication-failure-handler-ref="noSlashUrlHandler"
	login-processing-url="/j_security_check"/>
	</http>
	<!-- redirect url for failure of authentication -->
	<beans:bean id="noSlashUrlHandler"
	class="com.herokuapp.authentication.NoSlashAuthenticationFailureHandler">
	<beans:constructor-arg value="login?error=true"></beans:constructor-arg>
	</beans:bean>

view raw security.xml hosted with ❤ by GitHub

And the code for the new class NoSlashAuthenticationFailureHandler is shown in the next snippet; as you can see, the redirection is not using any RedirectStrategy object, so it will not modify the value of the URL that you specify in the constructor bean.

	public class NoSlashAuthenticationFailureHandler implements AuthenticationFailureHandler {
	protected final Log logger = LogFactory.getLog(getClass());
	private String defaultFailureUrl;
	public NoSlashAuthenticationFailureHandler() {
	}
	public NoSlashAuthenticationFailureHandler(String defaultFailureUrl) {
	setDefaultFailureUrl(defaultFailureUrl);
	}
	public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
	AuthenticationException exception) throws IOException, ServletException {
	if (defaultFailureUrl == null) {
	logger.debug("No failure URL set, sending 401 Unauthorized error");
	response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication Failed: " + exception.getMessage());
	} else {
	logger.debug("Redirecting to " + defaultFailureUrl);
	response.sendRedirect(defaultFailureUrl);
	}
	}
	/**
	* The URL which will be used as the failure destination.
	* @param defaultFailureUrl the failure URL, for example "loginFailed.jsp".
	*/
	public void setDefaultFailureUrl(String defaultFailureUrl) {
	this.defaultFailureUrl = defaultFailureUrl;
	}
	}

view raw NoSlashAuthenticationFailureHandler.java hosted with ❤ by GitHub

So there you are the way to keep using Spring Security to handle the authentication failure. Try it on your Web App and let me know any feedback in the comments section.