Spring MVC: authentication redirects

I have been trying to do custom redirects in Spring MVC 3.0.6 based on URL parameters after logging in, login failures and logouts. Turns out two of three need special tweaking.

By default, the redirects after login and logout are handled by SimpleUrlAuthenticationSuccessHandler and SimpleUrlLogoutSuccessHandler respectively. Both subclass AbstractAuthenticationTargetUrlRequestHandler. All three are part of the org.springframework.security.web.authentication package. They have a property targetUrlParameter, which names the URL parameter that contains the URL to redirect to. In AbstractAuthenticationTargetUrlRequestHandler this is set to spring-security-redirect by default. SimpleUrlAuthenticationSuccessHandler leaves it at that value, whereas SimpleUrlLogoutSuccessHandler sets the property to null.

Login

Thus, the login redirect is the easiest. When calling the login URL (j_spring_security_check by default), all one has to do is specify the URL parameter spring-security-redirect. This can happen either as a direct URL parameter or as a hidden input field of the login form.

Logout

Here we need to set the targetUrlParameter property for the SimpleUrlLogoutSuccessHandler by hand. This can be done by the following entries in the security specifications (e.g. security.xml):

<security:http>
 
	<!-- ... -->
 
	<security:logout 
		logout-url="/logout" 
		success-handler-ref="logoutSuccessHandler" />
 
	<!-- ... -->
 
</security:http>
 
<bean 
		id="logoutSuccessHandler"
		class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
	<property name="targetUrlParameter" value="spring-security-redirect" />
	<property name="defaultTargetUrl" value="/login" />
</bean>

Login Failure

Unfortunately, the SimpleUrlAuthenticationFailureHandler does not support a nifty targetUrlParameter property. This is why we need to implement our own simple AuthenticationFailureHandler:

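import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

public class EventAuthenticationFailureHandler
		extends
			SimpleUrlAuthenticationFailureHandler {
 
	// Name of the request parameter that carries the redirect target.
	public static final String DEFAULT_TARGET_PARAMETER =
			"spring-security-redirect-login-failure";
	private String targetUrlParameter = 
			DEFAULT_TARGET_PARAMETER;
 
	@Override
	public void onAuthenticationFailure(
			HttpServletRequest request,
			HttpServletResponse response,
			AuthenticationException exception)
			throws IOException, ServletException {
 
		// The parameter value is used as the redirect target exactly as received.
		String redirectUrl = request.getParameter(this.targetUrlParameter);
		if (redirectUrl != null) {
			logger.debug("Found redirect URL: " + redirectUrl);
			getRedirectStrategy().sendRedirect(
					request,
					response,
					redirectUrl);
		} else {
			// No parameter given: default behaviour (defaultFailureUrl).
			super.onAuthenticationFailure(request, response, exception);
		}
	}
 
	public String getTargetUrlParameter() {
		return targetUrlParameter;
	}
 
	public void setTargetUrlParameter(String targetUrlParameter) {
		this.targetUrlParameter = targetUrlParameter;
	}
}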

The security configuration file (e.g. security.xml) then contains this:

<security:http>
 
	<!-- ... -->
 
	<security:form-login 
		login-page="/login"
		always-use-default-target="false"
		authentication-failure-handler-ref="authenticationFailureHandler" />
 
	<!-- ... -->
 
</security:http>
 
<bean 
		id="authenticationFailureHandler"
		class="package.of.EventAuthenticationFailureHandler">
	<property name="defaultFailureUrl" value="/login" />
</bean>
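
The failure handler above redirects to whatever value arrives in the request parameter, so a link to the login page can carry a target on a different host (an open redirect). The following variant accepts only application-local paths and otherwise falls back to defaultFailureUrl. It is an added example, not code from the original post; the class name LocalOnlyAuthenticationFailureHandler and the helper isLocalPath are hypothetical.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

// Hypothetical class name; an added example, not part of the original post.
public class LocalOnlyAuthenticationFailureHandler
		extends SimpleUrlAuthenticationFailureHandler {
	private String targetUrlParameter = "spring-security-redirect-login-failure";

	/** True only for application-local paths such as "/login?error=1". */
	static boolean isLocalPath(String url) {
		if (url == null || !url.startsWith("/")
				|| url.startsWith("//") || url.contains("\\")) {
			return false; // absent, relative, protocol-relative or backslash form
		}
		for (char c : url.toCharArray()) {
			if (c < 0x20 || c == 0x7f) {
				return false; // CR/LF and other control characters
			}
		}
		try {
			URI uri = new URI(url); // syntax check; rejects malformed input
			return uri.getScheme() == null && uri.getRawAuthority() == null;
		} catch (URISyntaxException e) {
			return false; // unparsable input is never a redirect target
		}
	}

	@Override
	public void onAuthenticationFailure(HttpServletRequest request,
			HttpServletResponse response, AuthenticationException exception)
			throws IOException, ServletException {
		String redirectUrl = request.getParameter(targetUrlParameter);
		if (isLocalPath(redirectUrl)) {
			getRedirectStrategy().sendRedirect(request, response, redirectUrl);
		} else {
			// Missing or rejected target: fall back to defaultFailureUrl.
			super.onAuthenticationFailure(request, response, exception);
		}
	}

	public void setTargetUrlParameter(String targetUrlParameter) {
		this.targetUrlParameter = targetUrlParameter;
	}
}
```

It is wired in the same way as the handler above, by pointing the class attribute of the authenticationFailureHandler bean at it.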