Announcement Announcement Module
Collapse
No announcement yet.
Previous page not remembered Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Previous page not remembered

    I am using spring security for a project (spring+hibernate) with database authentication.

    If the user attempts to go to a secured page, he is redirected to the login form but he does not go to the earlier requested page even though this is the documented default behavior.

    I have provided relevant sections of web.xml, root-context.xml and spring-security.xml

    I am using spring 3.0.5.RELEASE

    web.xml
    Code:
     ....
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>
    			/WEB-INF/spring/root-context.xml
    			/WEB-INF/spring/security/spring-security.xml
    		</param-value>
    	</context-param>
    
    	<!-- Create the Spring security filter -->
    	<filter>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    ...

    root-context.xml
    Code:
    	<security:global-method-security secured-annotations="enabled"></security:global-method-security>

    spring-security.xml
    Code:
    	<security:http auto-config="true" use-expressions="true" access-denied-page="/auth/denied" >
    	
    	
    		<security:form-login
    				login-page="/auth/login" 
    				authentication-failure-url="/auth/login" 
    				default-target-url="/mydefaultpage"
    				always-use-default-target="false"/>
    			
    		<security:logout 
    				invalidate-session="true" 
    				logout-success-url="/auth/login" 
    				logout-url="/auth/logout"/>
    		<security:session-management invalid-session-url="/auth/login"/>
    	</security:http>
    I have tried with and without the always-use-default-target. I can only guess that I am overriding something so this property is not taking effect.

    Thanks in advance.

  • #2
    Anyone?

    Is this a known issue? It should work according to the documentation.

    A little more information. We have class that performs the db authentication .. perhaps we are missing something here.

    Code:
    public class LoginServiceProvider extends DaoAuthenticationProvider {
    
        ....
    
    	@Override
    	protected void additionalAuthenticationChecks(UserDetails userDetails,
    			UsernamePasswordAuthenticationToken authentication)
    			throws AuthenticationException {
    		super.additionalAuthenticationChecks(userDetails, authentication);
    
    		if (userDetails instanceof UserAuthorization) {
                                          //perform db authentication
    
    		}
    	}
    
    }

    Comment


    • #3
      Is it safe to assume that the login form is submitting to /j_spring_security_check? Can you capture your http request/responses from the browser using something like Firebug?

      Comment


      • #4
        Here are the req/res from firebug

        Thanks for the reply..

        When I login after attempting to go to a url. The attempted url is passed in the referer but is not returned in the response. Would it normally use the Location to redirect to the previous page?


        Request Headers
        -----------------------
        Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Accept-Encoding gzip, deflate
        Accept-Language en-gb,en;q=0.5
        Connection keep-alive
        Cookie JSESSIONID=12B55779DD5540DF5B44A28D2B6BD7E7
        Host localhost:8080
        Referer http://localhost:8080/attemptedURL
        User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1



        Response Headers
        -----------------------
        Content-Length 0
        Date Fri, 13 Jan 2012 00:50:17 GMT
        Location http://localhost:8080/defaultPage
        Server Apache-Coyote/1.1
        Set-Cookie JSESSIONID=6AB83648EDA82A8340E2B21C838E0A55; Path=/bailment/; HttpOnly

        Comment


        • #5
          and it is submitting to /j_spring_security_check

          Any ideas?

          Comment


          • #6
            Can you include the request to the secured page, the response of the request to the secured page, the submission of the login page, and the response?

            You might also enable the debug logs from Spring Security. If that doesn't help you please post them using the code tags.

            Also please ensure your configuration matches the request response. For example, the configuration posted states that /mydefaultpage is the default-target-url, but this seems to imply that defaultPage is configured. These inconsistencies make it difficult to troubleshoot.

            Cheers,

            Comment

            Working...
            X