Spring Security targetUrlParameter does not redirect

I am trying to redirect the user back to the page where they clicked the login link. (The pages are read-only for non-authenticated users, but writable for registered users.) How do I redirect the user back to where they came from after logging in?

I send the user a login page with this link: /spring_security_login?redirect=/item5. After logging in, I expect the user to be redirected to /item5. However, they are always redirected to the / page.

Here is the configuration I'm using:

    <http use-expressions="true">
        <intercept-url pattern="/**" access="permitAll" />
        <form-login authentication-success-handler-ref="simpleUrlAuthenticationSuccessHandler"/>
    </http>

    <beans:bean id="simpleUrlAuthenticationSuccessHandler"
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/"/>
        <beans:property name="targetUrlParameter" value="redirect"/>
    </beans:bean>

It seems that targetUrlParameter does not work as expected. I am using Spring Security 3.1.4.

+4
6 answers

When using SimpleUrlAuthenticationSuccessHandler, the following rules apply:

  • If the alwaysUseDefaultTargetUrl property is set to true, the defaultTargetUrl property will be used for the destination.
  • If a parameter matching the value of targetUrlParameter is set on the request, its value will be used as the destination. By default, targetUrlParameter has the value "spring-security-redirect".
  • If the useReferer property is set, the value of the "Referer" HTTP header, if present, will be used.
  • As a fallback option, the defaultTargetUrl value will be used.

According to your configuration, this should work. I assume that you did not pass the referer along when submitting the POST request from the login form. Typically, you should write the referer value into a hidden field on the login page so that the referer parameter is passed to spring_security_login.

+7
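
The resolution order from the answer above with one check added, as an example that is not from the thread or from Spring Security itself: the target resolved from the redirect parameter or the Referer header is used only if it stays on the application's own host, otherwise defaultTargetUrl is used. The class name LocalTargetSuccessHandler and the helper isSameSite are hypothetical, and the host comparison assumes request.getServerName() returns the site's public host name.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

// Added example; LocalTargetSuccessHandler and isSameSite are hypothetical names.
public class LocalTargetSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    @Override
    protected String determineTargetUrl(HttpServletRequest request,
                                        HttpServletResponse response) {
        // The parent applies the order from the answer: alwaysUseDefaultTargetUrl,
        // targetUrlParameter, Referer (when useReferer is set), defaultTargetUrl.
        String candidate = super.determineTargetUrl(request, response);
        return isSameSite(candidate, request.getServerName())
                ? candidate : getDefaultTargetUrl();
    }

    // True for "/item5"-style paths and for absolute http(s) URLs on serverName
    // (the form a Referer header takes); false for everything else.
    // Only the host is compared; scheme and port are not.
    static boolean isSameSite(String candidate, String serverName) {
        if (candidate == null || candidate.isEmpty()) {
            return false;
        }
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c == '\\' || c < 0x20 || c == 0x7f) {
                return false; // backslashes and control characters (CR, LF, ...)
            }
        }
        if (candidate.startsWith("/")) {
            return !candidate.startsWith("//"); // "//host/..." is scheme-relative
        }
        try {
            URI uri = new URI(candidate);
            String scheme = uri.getScheme();
            boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
            // getHost() is null for opaque or malformed authorities, which fails the match.
            return web && uri.getUserInfo() == null
                    && serverName.equalsIgnoreCase(uri.getHost());
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

Reference this class in the class attribute of the success-handler bean; defaultTargetUrl, targetUrlParameter and useReferer are inherited and configured as before.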

Change SimpleUrlAuthenticationSuccessHandler to SavedRequestAwareAuthenticationSuccessHandler and be happy.

+1

Use SavedRequestAwareAuthenticationSuccessHandler instead of SimpleUrlAuthenticationSuccessHandler.

Even if the page URL is typed into the browser, in which case the referer will not be captured, SavedRequestAwareAuthenticationSuccessHandler uses the previous URL captured by the ExceptionTranslationFilter.

Read http://docs.spring.io/spring-security/site/docs/3.0.x/reference/core-web-filters.html#form-login-flow-handling and http://docs.spring.io/autorepo/docs/spring-security/3.2.4.RELEASE/apidocs/org/springframework/security/web/authentication/SavedRequestAwareAuthenticationSuccessHandler.html

+1

Because of this line:

    <beans:property name="defaultTargetUrl" value="/"/>

Delete this line and try again.

0

The following general solution can be used with a regular login, Spring social login, or most other Spring security filters.

In your Spring MVC controller, when loading a read-only page, save the path to the page in the session if the user is not logged in. In the XML configuration, set the default destination URL. For instance:

In your MVC Spring controller, the redirect method should read the path from the session and return redirect:<my_saved_page_path> .

So, after the user logs in, they will be sent to the /redirect page, which will quickly redirect them to the page they visited last.

0

LaurentG has already explained this. You can pass the useReferer parameter to Spring. It works well for both SavedRequestAwareAuthenticationSuccessHandler and SimpleUrlAuthenticationSuccessHandler.

Here is your modified Spring logic:

    <http use-expressions="true">
        <intercept-url pattern="/**" access="permitAll" />
        <form-login authentication-success-handler-ref="simpleUrlAuthenticationSuccessHandler"/>
    </http>

    <beans:bean id="simpleUrlAuthenticationSuccessHandler"
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/"/>
        <beans:property name="targetUrlParameter" value="redirect"/>
        <!-- use the Referer header as the target when it is present -->
        <beans:property name="useReferer" value="true"/>
    </beans:bean>

0

Source: https://habr.com/ru/post/1492628/

