Spring jsf security not redirected after successful login

I saw such questions, but I did not see the answer to my specific question.

I am using Spring Security 2.1 and JSF 2.1. I have a custom JSF login that I am developing to handle input from an XHTML file.

Here is the login method:

    public String login() throws ServletException, IOException {
        ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();

        // Forward the JSF request to Spring Security's login-processing URL.
        RequestDispatcher dispatcher = ((ServletRequest) context.getRequest())
                .getRequestDispatcher("/j_spring_security_check");
        dispatcher.forward((ServletRequest) context.getRequest(),
                (ServletResponse) context.getResponse());
        FacesContext.getCurrentInstance().responseComplete();

        Exception e = (Exception) FacesContext.getCurrentInstance()
                .getExternalContext().getSessionMap().get(WebAttributes.AUTHENTICATION_EXCEPTION);

        // It's OK to return null here because Faces is just going to exit.
        return null;
    }

I pulled a sample code from another post.

Here is my spring configuration:

    <http use-expressions="true" auto-config="true">
        <!-- <intercept-url pattern="/signin.xhtml" access="permitAll" /> -->
        <intercept-url pattern="/internal/private/**" access="hasRole('USER')" />
        <!-- <intercept-url pattern="/scheduling/internal/private/**" access="hasAnyRole('ADMIN','USER')" /> -->
        <!--<intercept-url pattern="/javax.faces.resource/**" access="permitAll"/>
        <intercept-url pattern="/**" access="permitAll" /> -->
        <form-login default-target-url="/internal/private/landing.xhtml" login-page="/signin.xhtml" />
    </http>

As you can see, my default destination URL is "/internal/private/landing.xhtml". I turned on debug and I see that authentication has passed, but it is never redirected to the default page.

Here is a cut off log that shows call redirection from Spring:

    08:58:03,701 DEBUG [org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy] (http-localhost-127.0.0.1-8080-2) Invalidating session with Id 'qPg2MdmRgSpTcV6CVT7cb-9M.undefined' and migrating attributes.
    08:58:03,703 DEBUG [org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy] (http-localhost-127.0.0.1-8080-2) Started new session: GFoQyvUtbd+lmZiNw0QKRrI-.undefined
    08:58:03,705 DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] (http-localhost-127.0.0.1-8080-2) Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d9fa0ad7: Principal: org.springframework.security.core.userdetails.User@da682271: Username: roland.jones; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: qPg2MdmRgSpTcV6CVT7cb-9M.undefined; Granted Authorities: ADMIN, USER
    08:58:03,714 DEBUG [org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler] (http-localhost-127.0.0.1-8080-2) Using default Url: /internal/private/landing.html
    08:58:03,716 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] (http-localhost-127.0.0.1-8080-2) Redirecting to '/scheduling/internal/private/landing.html'
    08:58:03,718 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http-localhost-127.0.0.1-8080-2) SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@d9fa0ad7: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d9fa0ad7: Principal: org.springframework.security.core.userdetails.User@da682271: Username: roland.jones; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: qPg2MdmRgSpTcV6CVT7cb-9M.undefined; Granted Authorities: ADMIN, USER'
    08:58:03,727 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http-localhost-127.0.0.1-8080-2) SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@d9fa0ad7: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d9fa0ad7: Principal: org.springframework.security.core.userdetails.User@da682271: Username: roland.jones; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: qPg2MdmRgSpTcV6CVT7cb-9M.undefined; Granted Authorities: ADMIN, USER'
    08:58:05,156 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] (http-localhost-127.0.0.1-8080-2) Chain processed normally

After I try to log in, if I find the default URL in the address, there is no problem, so I know that authentication has passed.

Please, help. Thanks!

0
2 answers

In Spring Security 3.x, you can achieve this using an authentication handler that allows you to write your own servlet code to control successful authentication. I know that you are using Spring Security 2, but if updating is an option, you can consider it.

First, I declare a login form for access and make it accessible to each user. From this, I leave the rest of the URLs limited:

    <http use-expressions="true">
        <intercept-url pattern="/login**" access="permitAll()" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <form-login login-page="/login"
                    default-target-url="/home"
                    always-use-default-target="false"
                    authentication-success-handler-ref="authenticationSuccessHandler"
                    authentication-failure-handler-ref="authenticationFailureHandler" />
        <logout logout-success-url="/login" invalidate-session="true" />
    </http>

Please note: I declare two authentication handlers, success and failure. After that, I have my own SystemAuthenticationSuccessHandler, which gives me the ability to execute servlet code after successful authentication:

    <beans:bean id="authenticationSuccessHandler"
                class="com.mycompany.security.SystemAuthenticationSuccessHandler" />

With this, I can redirect if authentication is successfully supported:

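    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

    public class SystemAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

        @Override
        public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res,
                Authentication auth) throws IOException, ServletException {
            // Redirect to a fixed, application-relative page after a successful login.
            res.sendRedirect(req.getContextPath() + "/home");
        }
    }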
+1

@braveheart1996 You need to set the attribute "ajax = false".

    <p:commandButton action="#{controller.login()}" value="Login" icon="fa fa-sign-in"
                     process="@this formLogin" update="formLogin" ajax="false"/>
0
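Added example, not code from either answer: a variant of the first answer's success handler that also covers the AJAX case raised in the second answer, replying to JSF partial requests with a `<partial-response>` redirect (which the JSF client script follows) instead of a 302. The class name and the use of the question's landing page as a fixed target are assumptions; it is wired in through the same `authentication-success-handler-ref` attribute.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

// Hypothetical class name; illustration only.
public class JsfAwareAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    // Fixed, application-relative target (assumed from the question's config).
    // It is never read from a request parameter, so the post-login redirect
    // cannot be steered to another site.
    private static final String TARGET = "/internal/private/landing.xhtml";

    @Override
    public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res,
            Authentication auth) throws IOException, ServletException {
        String url = res.encodeRedirectURL(req.getContextPath() + TARGET);

        if ("partial/ajax".equals(req.getHeader("Faces-Request"))) {
            // JSF 2 AJAX submit: the XHR would follow a 302 silently and the page
            // would stay on the login form, so send the redirect instruction in
            // the XML format the JSF client script understands.
            res.setContentType("text/xml");
            res.setCharacterEncoding("UTF-8");
            res.getWriter().write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                    + "<partial-response><redirect url=\"" + escapeXml(url)
                    + "\"/></partial-response>");
        } else {
            // Regular (ajax="false") form post: a normal HTTP redirect works.
            res.sendRedirect(url);
        }
    }

    // Minimal XML attribute escaping for the redirect URL.
    private static String escapeXml(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }
}
```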

Source: https://habr.com/ru/post/1499021/

