
  • Redirect to original url after "remember-me" login

    Here's the scenario:
    1. User enters a URL.
    2. Spring Security checks the remember-me related cookies.
    3. When the user authentication information is valid, the user gets directed to the home page( instead of

    I want the user to be redirected to the original url( after "remember-me" styled login. It seems there's no way to do it with spring security. I've been struggling with it for a couple of weeks now and couldn't find any solution. I've tried:
    1. customizing SessionManagementFilter
    2. customizing UsernamePasswordAuthenticationFilter
    3. customizing RememberMeAuthenticationFilter

    None of them worked. I've been doing lots of research and seeing lots of people having the same problem but no solution yet. Can someone from Spring team have a look at this case and try to find a solution?

  • #2
    I'm not sure I understand your item #3 above. If a valid remember-me token exists, there is no user authentication and the user "should" land on the requested url (ie. This is the behavior for my remember-me flow. The only way I can think that you are not ending up at the desired url is if there is other security configuration that is redirecting given some condition for the /abc URI or perhaps the way the default "/" authentication path is configured.



    • #3
      What does your configuration look like? If you did not specify an authentication-success-handler-ref, then RememberMeAuthenticationFilter does not do a redirect, it simply continues the filter chain. If you specified one, then you are in charge of ensuring that the application goes where you want it to.


      • #4
        Thanks Rob,

        Yes, just realized it is caused by "authentication-success-handler-ref". I debugged into code and realized if authentication-success-handler is set, the rest of filter chain stops. My handler extends SavedRequestAwareAuthenticationSuccessHandler. What I wanted is to populate some data into HttpSession after authentication is done. Now it seems I have 2 options:
        1. Do not use "authentication-success-handler-ref". If I simply want to populate data into HttpSession after authentication is done, what would be the best approach?
        2. Still use "authentication-success-handler-ref" and try to redirect to the originally saved url in my handler. I've tried the following code but it returns null. Is there any way to get the SavedRequest in my handler?
        [CODE]DefaultSavedRequest defaultSavedRequest = (DefaultSavedRequest) request.getSession().getAttribute("SPRING_SECURITY_SAVED_REQUEST");[/CODE]


        • #5
          Why are you using the AuthenticationSuccessHandler? Another option would be to not set the AuthenticationSuccessHandler and then override the onSuccessfulAuthentication method which would also allow the FilterChain to continue.
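
Added example, not code from this thread or from the Spring Security project: one way to apply the suggestion in #5 to the remember-me path, by subclassing RememberMeAuthenticationFilter and overriding onSuccessfulAuthentication while leaving the success handler unset. The class name and session attribute names are hypothetical; it assumes the two-argument constructor (Spring Security 3.1 or later) and the javax.servlet API, and wiring the bean into the filter chain is not shown.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;

/**
 * Added example (hypothetical class). Populates session data after a
 * successful remember-me login. No AuthenticationSuccessHandler is set,
 * so the filter goes on to call chain.doFilter() and the request reaches
 * the URL the user originally asked for.
 */
public class SessionPopulatingRememberMeFilter extends RememberMeAuthenticationFilter {

    // Hypothetical attribute names, chosen for this example only.
    static final String ATTR_USERNAME = "app.username";
    static final String ATTR_LOGIN_KIND = "app.loginKind";

    public SessionPopulatingRememberMeFilter(AuthenticationManager authenticationManager,
                                             RememberMeServices rememberMeServices) {
        super(authenticationManager, rememberMeServices);
    }

    /**
     * Hook invoked by RememberMeAuthenticationFilter after the remember-me
     * token has been authenticated and stored in the SecurityContext.
     */
    @Override
    protected void onSuccessfulAuthentication(HttpServletRequest request,
                                              HttpServletResponse response,
                                              Authentication authResult) {
        HttpSession session = request.getSession(true);
        // Store only what the application needs; never credentials or the cookie value.
        session.setAttribute(ATTR_USERNAME, authResult.getName());
        // Record that this session was established from a cookie, so the
        // application can ask for a password login before sensitive actions.
        session.setAttribute(ATTR_LOGIN_KIND, "REMEMBER_ME");
        // Do not redirect or commit the response here: that would stop the
        // request from continuing to the originally requested resource.
    }
}
```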


          • #6
            Thanks Rob,

            Problem solved by extending UsernamePasswordAuthenticationFilter.successfulAuthentication() as you mentioned. Thanks a lot for your help!


            • #7
              Just realized my filter is not called from remember-me style login if I configure my filter this way:
              [CODE]<custom-filter before="FORM_LOGIN_FILTER" ref="myAuthenticationListener"/>[/CODE]
              I then tried writing another filter which extends RememberMeAuthenticationFilter and put
              [CODE]<custom-filter before="REMEMBER_ME_FILTER" ref="myAuthenticationListener2"/>[/CODE]

              Now my filter is called but everything is behaving weird now (e.g. cookies get cleaned somewhere and no one can log in now). I feel the filter is a way to "replace" things but not "inject" things. If I wanna use a filter/handler in Spring Security, I then have to take care of everything by myself, which requires me to understand how Spring Security works from the inside.

              What I need is to simply populate some data into the session after authentication. Now I feel like I have to change Spring code in order to achieve the goal. Can you give me some advice on how I should handle this? Maybe writing a HttpSession wrapper, or a HttpSessionListener, would be easier?


              • #8
                I'm afraid your description of the problems you are encountering does not really describe what is happening, so it is quite difficult to assist. When do the cookies get cleared? What do the HTTP request/responses look like?