  • always-use-default-target=false does not work

    I'm writing a web app and want a login link on all pages in the application. If a user decides to log in, I want the user to be returned to the previous page they had visited upon a successful login attempt. I read in the docs that this was the default behaviour of always-use-default-target (default is false). Yet omitting this value or explicitly setting it to false doesn't work. In both scenarios the user is redirected to default-target-url upon successful login. I've searched the forums and internet to no avail as to what the issue might be.

    Here is my web.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
      <display-name>CLiPWeb</display-name>
    
    	<filter>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    
    	<servlet>
    		<servlet-name>dispatcher</servlet-name>
    		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    		<load-on-startup>1</load-on-startup>
    	</servlet>
    	<servlet-mapping>
    		<servlet-name>dispatcher</servlet-name>
    		<url-pattern>/</url-pattern>
    	</servlet-mapping>	
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>/WEB-INF/dispatcher-servlet.xml,/WEB-INF/spring-security.xml</param-value>
    	</context-param>
    	
    	<listener>
    		<listener-class>
            	org.springframework.web.context.ContextLoaderListener
            </listener-class>
    	</listener>
    	
    </web-app>
    Here is my dispatcher-servlet.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:p="http://www.springframework.org/schema/p"
    	xmlns:context="http://www.springframework.org/schema/context"
    	xsi:schemaLocation="
    		http://www.springframework.org/schema/beans
    		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    		http://www.springframework.org/schema/context
    		http://www.springframework.org/schema/context/spring-context-3.0.xsd">
    
    	<context:component-scan base-package="com.clip"/>
    	<context:annotation-config />
    
    	<bean class="org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor"/>
    
    	<bean id="registrationServiceDelegate" class="com.clip.user.service.RegistrationServiceDelegate">
    		<property name="userRegistrationDao" ref="userRegistrationDao"/>	
    	</bean>
    	<bean id="userRegistrationDao" class="com.clip.user.dao.JdbcUserRegistrationDao"/>
    	
    	<bean id="viewResolver" class="org.springframework.web.servlet.view.UrlBasedViewResolver">
    		<property name="viewClass" value="org.springframework.web.servlet.view.JstlView"/>
    		<property name="prefix" value="/WEB-INF/views/"/>
    		<property name="suffix" value=".jsp"/>
    	</bean>
    
    </beans>
    Here is my spring-security.xml
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans" 
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
    	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    	http://www.springframework.org/schema/security
    	http://www.springframework.org/schema/security/spring-security-3.1.xsd">
     
    	<http auto-config="true">
    		<form-login default-target-url="/home/0" />
    		<remember-me key="clipRememberMeKey"/>
    		<logout logout-success-url="/home/0" />
    	</http>
     
    	<authentication-manager>
    		<authentication-provider user-service-ref='userDetailsService'/>
    	</authentication-manager>
     
    	<beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    		<beans:property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
    		<beans:property name="url" value="jdbc:hsqldb:hsql://localhost/clipdb225;default_schema=true"/>
    		<beans:property name="username" value="sa"/>
    		<beans:property name="password" value=""/>
    	</beans:bean>
    	<beans:bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    		<beans:property name="dataSource" ref="dataSource"/>
    	</beans:bean>
    </beans:beans>
    TIA.
    Last edited by g30rd13-b3rk5; Mar 1st, 2012, 04:42 PM.

  • #2
    By default Spring Security will only remember secured pages (your configuration does not have any secured pages mentioned) that are accessed when no user is logged in. So to see this behavior:
    • Request a protected page (non-public) - this will send you to the login page
    • Log in - by default this will send you to the protected page

    Options include working with RequestCache directly or using the targetUrlParameter on AbstractAuthenticationTargetUrlRequestHandler (be careful, as this can be used to exploit your site as a way of redirecting users to malicious sites if you are not careful).
    Last edited by Rob Winch; Mar 3rd, 2012, 12:52 PM. Reason: removed bad suggestion
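
An added example, not part of the original posts or of Spring Security itself: one way to use targetUrlParameter while heeding the redirect warning in post #2 is to accept only paths inside the application and fall back to the default target otherwise. The class name and the "target" parameter name are assumptions; "/home/0" is the default-target-url from the posted configuration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

// Added example (hypothetical class name); needs Spring Security 3.1 and the Servlet API on the classpath.
public class LocalTargetSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    public LocalTargetSuccessHandler() {
        setDefaultTargetUrl("/home/0");   // default-target-url from the posted spring-security.xml
        setTargetUrlParameter("target");  // assumed parameter name carried by the login link
    }

    @Override
    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
        // Let the base class resolve the parameter, then refuse anything that leaves the application.
        String candidate = super.determineTargetUrl(request, response);
        return isLocalPath(candidate) ? candidate : getDefaultTargetUrl();
    }

    static boolean isLocalPath(String target) {
        if (target == null || !target.startsWith("/")) return false;
        // "//host" is protocol-relative and "\" is treated as "/" by browsers: both can leave the site.
        if (target.startsWith("//") || target.indexOf('\\') >= 0) return false;
        try {
            URI uri = new URI(target);    // also rejects control characters and spaces
            return uri.getScheme() == null && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread's logs.
        String[] samples = { "/home/0", "/items/7?page=2", "https://other.example/",
                             "//other.example/", "/\\other.example", null };
        for (String s : samples) {
            System.out.println(s + " -> " + (isLocalPath(s) ? "redirect" : "use default target"));
        }
    }
}
```

Such a handler would be registered as a bean and referenced from `<form-login>` with the `authentication-success-handler-ref` attribute in place of `default-target-url`.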



    • #3
      Thanks for the post. I can't get this working though.

      I do see this in the logs on server startup...

      INFO: Creating access control expression attribute 'isAuthenticated()' for request.parameterMap['login'] == 'true'

      implying the configuration was picked up.

      Is there any logging I can turn on which might help assist with debugging?
      Last edited by g30rd13-b3rk5; Mar 3rd, 2012, 10:24 AM.



      • #4
        I've enabled some logging, here's the trace output

        2012-03-03 16:00:10,757 DEBUG [org.springframework.security.web.FilterChainProxy] - </home/0?login=true at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <No HttpSession currently exists>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <No SecurityContext was available from the HttpSession: null. A new one will be created.>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.FilterChainProxy] - </home/0?login=true at position 2 of 12 in additional filter chain; firing Filter: 'LogoutFilter'>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.FilterChainProxy] - </home/0?login=true at position 3 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.FilterChainProxy] - </home/0?login=true at position 4 of 12 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.FilterChainProxy] - </home/0?login=true at position 5 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.FilterChainProxy] - </home/0?login=true at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.FilterChainProxy] - </home/0?login=true at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.FilterChainProxy] - </home/0?login=true at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.FilterChainProxy] - </home/0?login=true at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.FilterChainProxy] - </home/0?login=true at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.FilterChainProxy] - </home/0?login=true at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.FilterChainProxy] - </home/0?login=true at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] - <Checking match of request : '/home/0'; against 'request.parametermap['login'] == 'true''>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - <Public object - authentication not attempted>
        2012-03-03 16:00:10,772 DEBUG [org.springframework.security.web.FilterChainProxy] - </home/0?login=true reached end of additional filter chain; proceeding with original chain>
        2012-03-03 16:00:13,241 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] - <Chain processed normally>
        2012-03-03 16:00:13,241 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.>
        2012-03-03 16:00:13,241 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <SecurityContextHolder now cleared, as request processing completed>



        • #5
          Sorry, I advised incorrectly. Come to think of it, there are some other problems with this approach too. For example, if you had multiple roles then someone could use this to bypass role-based authorization. You could probably use a custom RequestMatcher to get around these problems, but I think I would probably stick with one of the other methods.
