Everything,
I am trying to implement the Remember Me function
I have two secure URLs.
/operation/fully (the user must be fully authenticated, I donβt remember what I allowed)
and
/operation/authenticated (remember me normally)
If I donβt remember the cookie and I visit any URL, they will be prompted for my credentials and redirected to the original URL, thatβs good.
If I am in memory mode, I can easily switch to / operation / authenticated. If I go to / operation / full, I am redirected to the login page. Then I authenticate and go back to "/". I want to return to the original goal / operation / completely.
<http auto-config="true" use-expressions="true" access-denied-page="/login"> <form-login login-page="/login" login-processing-url="/static/j_spring_security_check" authentication-failure-url="/login" /> <logout logout-url="/j_spring_security_logout" logout-success-url="/logout"/> <intercept-url pattern="/favicon.ico" access="permitAll" /> <intercept-url pattern="/operations/fully" access="hasRole('ROLE_USER') and isFullyAuthenticated()"/> <intercept-url pattern="/operations/authenticated" access="hasRole('ROLE_USER')"/> <intercept-url pattern="/login" /> <remember-me key="myKey" token-validity-seconds="2419200" /> </http>
Somehow I need to return the user to the original address if he is not fully authenticated. Any ideas on the best approach to this?
I came up with one solution, however it makes me cringe, as it seems that this is more work than necessary.
In my script, the ExceptionTranslationFilter does not invoke the login process and therefore does not save the original URL.
The next line is not called
requestCache.saveRequest(request, response);
instead, 403 is created, which I caught by configuration and sent the user to the login page. In my case, the user should be processed as if it were anonymous, and 403 had not been created and the registration process should begin.
The easiest way to change this behavior is to change AuthenticationTrustResolverImpl
public boolean isAnonymous(Authentication authentication) { if ((anonymousClass == null) || (authentication == null)) { return false; } //if this is a RememberMe me situation, the user should be treated as //if they were anonymous if (this.isRememberMe(authentication)){ return true; } return anonymousClass.isAssignableFrom(authentication.getClass()); }
This is similar to what I want, however, since you cannot access the ExceptionTranslationFilter when using the http namespace, I had to do a lot of dirty manual configuration.
Is there a more elegant way to do this?