Several different login forms for Spring Security

I am using spring-based web authentication with spring-mvc with user authentication and all is well:

My problem: /login loads the view with a fully functional page, but now I have to provide authentication for the iframe / popup format (for example, for an authenticated bookmarklet), so loading another view (or with different parameters).

I see two solutions that are not complicated:

  • In my /login action, I have a way (so far unknown to me) to get the original request and check it based on a set of URLs that use a simpler view, and then choose the appropriate view. => How to get this original request?

  • I do one more action / login form, say /login/minimal , which also sends a request to the spring security URL /j_spring_security_check , but I need to implement a request storage / retrieval mechanism so that the original request is executed after a successful login. => I see that this is related to SecurityContextPersistenceFilter , but I don't know how to implement or call it.

+4
2 answers

If I understand your question correctly, you want to change the login page based on the original query string. Check this forum post to access the source URL of the request from the session. This is for an older version, but you can use it to get started.

Edit: I did not have the opportunity to verify this, but it looks like the key was changed between Acegi Security and Spring Security 3. It looks like you can access it from the session using the constants in the WebAttributes class. Effectively:

    // request is an HttpServletRequest object
    SavedRequest savedRequest = (SavedRequest) request.getSession().getAttribute(WebAttributes.SAVED_REQUEST);
    // savedRequest is null when no protected URL was requested before the login page;
    // the Spring Security 3 SavedRequest interface exposes getRedirectUrl()
    String url = (savedRequest != null) ? savedRequest.getRedirectUrl() : null;
+1

For your first question:

The class org.springframework.security.web.authentication.WebAuthenticationDetails contains only the IP address of the client and its session, but has a method

    protected void doPopulateAdditionalInformation(HttpServletRequest request) {}

I believe that you can improve this by subclassing and adding the request URL. - But first check if the request is a request from the login form or a “blocked” request.

Added

Chris Thompson sent another piece of the puzzle to answer your question: He mentioned that the saved request can be obtained from the session:

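    // request is an HttpServletRequest object
    SavedRequest savedRequest = (SavedRequest) request.getSession().getAttribute(WebAttributes.SAVED_REQUEST);
    // savedRequest is null when no protected URL was requested before the login page;
    // the Spring Security 3 SavedRequest interface exposes getRedirectUrl()
    String url = (savedRequest != null) ? savedRequest.getRedirectUrl() : null;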

So you can combine this, instead of extending WebAuthenticationDetails, you just need to read its already included session.

@see Chris Thompson Response

+1
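The first option from the question (choosing the login view from the saved request), sketched as an added example that is not code from either answer. It reads the saved request through HttpSessionRequestCache instead of the WebAttributes session key; the controller name, the view names "login" and "login-minimal", and the path prefixes are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class LoginViewController { // hypothetical controller name

    // Hypothetical prefixes (relative to the context path) that get the small iframe/popup form.
    private static final List<String> MINIMAL_PREFIXES = Arrays.asList("/bookmarklet/", "/widget/");

    private final RequestCache requestCache = new HttpSessionRequestCache();

    @RequestMapping("/login")
    public String login(HttpServletRequest request, HttpServletResponse response) {
        // Null when the user opened /login directly rather than being redirected to it.
        SavedRequest saved = requestCache.getRequest(request, response);
        boolean minimal = saved != null
                && isMinimal(saved.getRedirectUrl(), request.getContextPath());
        // The saved URL only selects between two fixed view names; it is never echoed back.
        return minimal ? "login-minimal" : "login";
    }

    // The saved URL was built from a client request, so it is parsed and normalized
    // before matching; anything malformed falls back to the full login page.
    static boolean isMinimal(String redirectUrl, String contextPath) {
        if (redirectUrl == null) return false;
        String path;
        try {
            path = new URI(redirectUrl).normalize().getPath(); // resolves "/a/../b" segments
        } catch (URISyntaxException e) {
            return false;
        }
        if (path == null || !path.startsWith(contextPath)) return false;
        String relative = path.substring(contextPath.length());
        for (String prefix : MINIMAL_PREFIXES) {
            if (relative.startsWith(prefix)) return true;
        }
        return false;
    }
}
```

Because both views post to the same /j_spring_security_check URL, the saved request stays in the session and is replayed after a successful login either way.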

Source: https://habr.com/ru/post/1335291/

