I have a Grails (v1.2.1) app using the Acegi plugin (v0.5.2) to authenticate users against an Active Directory domain.
Everything works perfectly as long as I run the app using "grails run-app"; the correct controller/actions are protected, users can successfully log in, they don't have to log in on each page request, etc.
When I run the app as a war inside of WebLogic 10.3, the whole thing breaks down. The correct controller/actions require authentication, but after a successful login, the user is ALWAYS sent to defaultTargetUrl instead of their originally requested URL. After a successful login, if I try to go back to the same protected page that just caused me to log in, it asks to log in again (which is unhelpful because successful login still sends me to defaultTargetUrl). If I intentionally enter a bad user/pass on a login page, I'm sent back to the login page, as designed, but the validation messages don't appear.
I've added some logging/done some debugging and determined the following:
If you ever see behavior like this, check your cookies. My browser had several "JSESSIONID" cookies for localhost. The path for 2 of these JSESSIONIDs matched the path of my app (one for the path "/" and one for the path of my app).
The browser was sending both matching JSESSIONIDs in the HTTP headers. The first JSESSIONID in the header was not the one just set, so my app didn't think the request was part of the same session. Hence the loss of all session attributes, particularly the login-related ones.
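
The cookie check described above can be scripted against a captured `Cookie` request header. This is an added example, not code from the original post: the header string, session ids, session store, and function names are all constructed for illustration, and the first-match lookup models the behaviour the post observed.

```python
from collections import defaultdict

def parse_cookie_header(header):
    """Return (name, value) pairs in the order the browser sent them."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs

def duplicate_cookie_names(header):
    """Map each cookie name sent more than once to its values, in order."""
    seen = defaultdict(list)
    for name, value in parse_cookie_header(header):
        seen[name].append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}

def first_match(header, name):
    """Pick the first cookie with this name (the behaviour seen in the post)."""
    for n, v in parse_cookie_header(header):
        if n == name:
            return v
    return None

# Constructed sample: a stale JSESSIONID sent ahead of the one just set.
SAMPLE_HEADER = "JSESSIONID=STALE-ID; theme=dark; JSESSIONID=FRESH-ID"

# Constructed server-side store: only the fresh id carries login state.
SESSIONS = {"FRESH-ID": {"authenticated": True}}

def resolve_session(header):
    """Look up the session using the first JSESSIONID in the header."""
    return SESSIONS.get(first_match(header, "JSESSIONID"))

if __name__ == "__main__":
    print("duplicates:", duplicate_cookie_names(SAMPLE_HEADER))
    print("session found:", resolve_session(SAMPLE_HEADER))
```

A non-empty result from `duplicate_cookie_names` for the session cookie name is the signal to clear the stale cookie or give each app on the host a distinct cookie path or name.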