  • Manually Create SavedRequest

    I have an unsecured page that has a login link on it. If the user clicks login from this page, I want them to be redirected back to this page after a successful login. I've been looking for ways to create a SavedRequest (DefaultSavedRequest) to store in the session, but all the methods are protected.

    Basically, how can I manually tell Spring Security which URL to redirect to after a successful login?

    If it matters, I'm actually using the Spring-Security-Core plugin with Grails 1.3.7.

  • #2
    I'm not all that familiar with the Spring Security Grails plugin, but I have outlined a few options available in Spring Security:

    1) Use the targetUrlParameter defined on SavedRequestAwareAuthenticationSuccessHandler. You should be careful with this approach since it can lead to redirecting to other websites. See the OWASP Open redirect page for details on this.

    2) Save the request using the RequestCache interface (HttpSessionRequestCache is the default implementation).

    3) This option is only available in Spring Security 3.1. Create a custom RequestMatcher and a separate http block that matches if the user is not authenticated and a specific http parameter is present. The configuration in standard Spring would look something like:

    Code:
    <http request-matcher-ref="customMatcher"
        use-expressions="true">
      <intercept-url pattern="/**"
        access="authenticated"/>
       .. use same form-login configuration in here ..
    </http>       
    <http auto-config="true"
      use-expressions="true">
      .. standard configuration ...
    </http>
    
    <b:bean id="customMatcher" class="UnauthenticatedAndForceLoginParamRequestMatcher"/>
    UnauthenticatedAndForceLoginParamRequestMatcher would look something like:

    Code:
    import javax.servlet.http.HttpServletRequest;
    import org.springframework.security.authentication.AuthenticationTrustResolver;
    import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.web.util.RequestMatcher;
    // Matches only when the current user is anonymous AND the request carries a "forceLogin" parameter.
    public class UnauthenticatedAndForceLoginParamRequestMatcher implements RequestMatcher {
        private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
        
        @Override
        public boolean matches(HttpServletRequest request) {
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            return trustResolver.isAnonymous(authentication) && request.getParameter("forceLogin") != null;
        }
    }
    Then the login link could just be a link to the current page containing the query param named forceLogin (or whatever your RequestMatcher is matching on). This would allow Spring Security to handle the saved request for you and avoid open redirect problems.

    HTH,
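Option 2 from the answer above, worked through as an added example (not code from the thread or from Spring Security itself): a servlet filter that, when an anonymous user hits a public page with a forceLogin parameter, stores the current request through the public RequestCache API and sends the user to the login form. The filter class name, the parameter name and the login URL are assumptions; the rest is the standard Spring Security 3.0/3.1 API.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;

/** Hypothetical filter: saves the current (public) page as the SavedRequest when an
 *  anonymous user asks to log in from it, so SavedRequestAwareAuthenticationSuccessHandler
 *  redirects back there after a successful login. */
public class SaveRequestOnForceLoginFilter implements Filter {
    // Assumed names: the query parameter on the login link and the app's login page.
    private static final String FORCE_LOGIN_PARAM = "forceLogin";
    private static final String LOGIN_URL = "/login/auth";

    private final RequestCache requestCache = new HttpSessionRequestCache();
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // isAnonymous(null) is false, so nothing happens if the context is not yet populated.
        boolean anonymous = trustResolver.isAnonymous(
                SecurityContextHolder.getContext().getAuthentication());

        if (anonymous && request.getParameter(FORCE_LOGIN_PARAM) != null) {
            // The saved target is the request the server actually received, not a
            // client-supplied URL, so this cannot be turned into an open redirect.
            requestCache.saveRequest(request, response);
            response.sendRedirect(request.getContextPath() + LOGIN_URL);
            return;
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

Register the filter after the security context has been loaded (i.e. behind SecurityContextPersistenceFilter) so the anonymous check sees the real Authentication; after login the user is authenticated, so the redirect back to the page with forceLogin passes straight through.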
