Pass parameters to my login.jsp

Question

I have a secure portion of my simple Servlet app, and I need to pass parameters to the secure part of my app.

Flow:

1. 3rd party needs to use my login mechanism (simple secure servlet)
2. user attempts to go to: mycompany.com/loginApp/login?pref=1
3. the "/login" url is secure, so the app server tells the browser to redirect to my login.jsp, but at this point the URL is updated to: mycompany.com/loginApp/login/login.jsp (notice that "?pref=1" is gone)

My web.xml's security looks like:

    <security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured</web-resource-name>
        <description></description>
        <url-pattern>/home</url-pattern>
        <url-pattern>/login</url-pattern>
        <url-pattern>/jsp/apps/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
        <description>protectedlinks</description>
        <role-name>protected</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>mycompany.com</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <description>
    Protected portion of site</description>
    <role-name>protected</role-name>
</security-role>

Looking through the net, it appears that the AppServer does indeed do a redirect to the login.jsp when trying to access secure content: http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html#bncbq

What I would like to happen is that the "pref=1" somehow is persisted to the login.jsp and then submitted to the authentication servlet (verifies users in a DB).

Any advice on how to do this?

UPDATE A hidden parameter will not work. The browser has done a complete redirect, which has wiped away all of the request (including the "pref=1" param in the URL). Therefore, I can not include it as a hidden param on the form of my login.jsp.

UPDATE 2 The "pref" variable is dynamic, so it will not always be 1.

Thanks, Sean

Answer 1

Add <input type="hidden" name="pref" value="1"/> inside the <form/> tag in your login.jsp

It will become a POST parameter though, so not exactly available on the query string, but it will be there in the request.

The above covers a static parameter. To pass a variable through login.jsp on the automatic redirect you will need to employ a filter. This has been covered on SO here: How to pass an additional parameter with spring security login page