Define authentication-failure-url as `{currentpage}?login_error=1`?

I use Spring MVC, Spring Security and Apache Tiles.
I have a login div that appears on every page (if the user is not authenticated yet).
This is the configuration:

```xml
<http use-expressions="true">
    <intercept-url pattern="/index.jsp" access="permitAll" />
    <intercept-url pattern="/registration.html" access="permitAll" />
    <intercept-url pattern="/about.html" access="permitAll" />
    <intercept-url pattern="/search.html" access="permitAll" />
    <intercept-url pattern="/login.html" access="permitAll" />
    <intercept-url pattern="/logout.html" access="permitAll" />
    <intercept-url pattern="/post.html" access="hasAnyRole('USER')" />
    <intercept-url pattern="/**" access="denyAll" />
    <form-login default-target-url='/search.html'
                authentication-failure-url="/login.html?login_error=1" />
    <logout logout-success-url="/logout.html" />
</http>
```

The problem is this: suppose the user logs in on search.html and enters incorrect login information. The user is then redirected to /login.html?login_error=1 instead of being redirected to search.html?login_error=1. How can I define authentication-failure-url as {currentpage}?login_error=1?

+4
1 answer

You need to configure SimpleUrlAuthenticationFailureHandler, for example with a new RedirectStrategy.

Before you start: you should take a look at the source of these classes to understand what they do:

  • UsernamePasswordAuthenticationFilter and its superclass AbstractAuthenticationProcessingFilter - this is the filter that triggers authentication.
  • SimpleUrlAuthenticationFailureHandler - this is responsible for doing something if authentication is required (it is called SimpleUrlAuthenticationFailureHandler).
  • DefaultRedirectStrategy - used by SimpleUrlAuthenticationFailureHandler to execute the redirect.
  • FormLoginBeanDefinitionParser - parses the XML security:form-login element. You must read it to understand how beans are created and referenced.

You should write your own RedirectStrategy; name it MyAppendParameterRedirectStrategy (maybe look at DefaultRedirectStrategy first). It needs only one method: void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url). At least you should do the same as DefaultRedirectStrategy, but instead of returning the login URL in calculateRedirectUrl, you should calculate the URL as stripParams(getRequestURL()) + "?login_error=1":

```java
import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;
import org.springframework.security.web.RedirectStrategy;

public class MyAppendParameterRedirectStrategy implements RedirectStrategy {

    @Override
    public void sendRedirect(final HttpServletRequest request,
            final HttpServletResponse response, final String url) throws IOException {
        // The url argument (the configured failure URL) is ignored on purpose;
        // the target is derived from the URL of the request being processed.
        String redirectUrl = calculateRedirectUrl(request.getRequestURL().toString());
        redirectUrl = response.encodeRedirectURL(redirectUrl);
        response.sendRedirect(redirectUrl);
    }

    private String calculateRedirectUrl(final String requestUrl) {
        // Attention: this parameter stripping is only a proof of concept!
        return StringUtils.substringBeforeLast(requestUrl, "?") + "?login_error=1";
    }
}
```

The second part is that you need to change the Spring configuration (so you should read the classes I mentioned). I think the configuration should be like this (but I haven't tested it):

```xml
<security:form-login
    login-processing-url="/login/j_spring_security_check"
    login-page="/login"
    authentication-failure-handler-ref="simpleUrlAuthenticationFailureHandler" />

<bean id="simpleUrlAuthenticationFailureHandler"
      class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <!-- Required by the handler but ignored by the custom redirect strategy;
         the leading slash makes it a valid redirect URL. -->
    <property name="defaultFailureUrl" value="/NotNullButWeDoNotUseIt" />
    <property name="redirectStrategy">
        <bean class="MyAppendParameterRedirectStrategy" />
    </property>
</bean>
```
+9
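An added example, not part of the original answer: when the failure handler runs, the request being processed is the login form's POST to the login-processing URL, so the page the user was on has to come from client-supplied data and must be validated before it is used as a redirect target. This version assumes the Referer header as that source, keeps only its path, and accepts it only if it is one of the permitAll pages from the question's configuration; the class name and the fallback page are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.RedirectStrategy;

// Hypothetical class; the allowlist mirrors the permitAll pages in the question's config.
public class SafeReturnPageRedirectStrategy implements RedirectStrategy {

    private static final String FALLBACK = "/login.html";
    private static final Set<String> ALLOWED_PAGES = new HashSet<String>(Arrays.asList(
            "/index.jsp", "/registration.html", "/about.html",
            "/search.html", "/login.html", "/logout.html"));

    @Override
    public void sendRedirect(HttpServletRequest request, HttpServletResponse response,
            String url) throws IOException {
        // The Referer is attacker-influenced, so only its validated path is used.
        String page = returnPage(request.getHeader("Referer"), request.getContextPath());
        String target = request.getContextPath() + page + "?login_error=1";
        response.sendRedirect(response.encodeRedirectURL(target));
    }

    // Returns the application-relative page from the Referer, or FALLBACK
    // when the header is missing, malformed, or not a known page.
    static String returnPage(String referer, String contextPath) {
        if (referer == null) {
            return FALLBACK;
        }
        try {
            // getPath() drops scheme, host, query and fragment, so a foreign
            // host in the header can never end up in the redirect target.
            String path = new URI(referer).getPath();
            if (path != null && path.startsWith(contextPath)) {
                path = path.substring(contextPath.length());
            }
            return ALLOWED_PAGES.contains(path) ? path : FALLBACK;
        } catch (URISyntaxException e) {
            return FALLBACK;
        }
    }
}
```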

Source: https://habr.com/ru/post/1393387/

