  • Last visited URL on ROLE_ANONYMOUS pages

    Hello Guys,

    I've noticed something (or maybe I misconfigured Spring Security): my Last Visited URL does not work. I have set always-use-default-target="false" but it seems it only works on pages that are filtered/intercepted. I mean when I go to a page, say the FAQ page (this does not need security), and log in from there (the FAQ page has a small form at the side where you can log in), then after I successfully log in I always get redirected to the default URL. Is this the default behaviour? But when I visit a secured page, it works.

    Please advise guys.

    Thanks,
    -marckun

  • #2
    Spring Security doesn't automatically send you to the last visited URL after a login.

    If you attempt to access a protected resource, and are required to login, then the default behaviour is to redirect to the originally requested URL which prompted the login. If you just happened to be on a particular page and login, then you will be redirected to the default target. There is no cached request which can be used in this case - Spring Security doesn't actually know which page you submitted the login request from.

    You can make use of the "Referer" header if it is set. There is already support for this in the Spring Security 3 codebase:

    http://static.springsource.org/sprin...stHandler.html

    but you can easily customize the AuthenticationProcessingFilter in version 2.0 to read the header value.

    • #3
      Originally posted by Luke Taylor:
      Spring Security doesn't automatically send you to the last visited URL after a login.

      If you attempt to access a protected resource, and are required to login, then the default behaviour is to redirect to the originally requested URL which prompted the login. If you just happened to be on a particular page and login, then you will be redirected to the default target. There is no cached request which can be used in this case - Spring Security doesn't actually know which page you submitted the login request from.

      You can make use of the "Referer" header if it is set. There is already support for this in the Spring Security 3 codebase:

      http://static.springsource.org/sprin...stHandler.html

      but you can easily customize the AuthenticationProcessingFilter in version 2.0 to read the header value.

      Hello Sir Luke,

      I tried what you did in here, but it seems it does not work. Could you please tell me what I am doing wrong here? Here's what I did:

      I tried overriding AuthenticationProcessingFilter. In my config file here it is:

      Code:
          .......
          <bean id="customerAuthenticationProcessingFilter" class="crown.security.CustomAuthenticationProcessingFilter">
              <property name="invalidateSessionOnSuccessfulAuthentication" value="true" />
              <property name="authenticationManager" ref="customerAuthenticationManager" />
              <property name="authenticationFailureUrl" value="/jsp/Guest.do?error=2" />
              <property name="defaultTargetUrl" value="/jsp/customer/Home.do" />
              <property name="filterProcessesUrl" value="/jsp/j_spring_security_check" />
          </bean>
          .......

      crown.security.CustomAuthenticationProcessingFilter is my custom processing filter. And in there, I tried overriding determineTargetUrl

      Code:
          ......
          @Override
          protected String determineTargetUrl(HttpServletRequest request) {
              logger.debug("Custom determine target url");

              // Ask the resolver first; it uses the saved request, if there is one
              String targetUrl = targetUrlResolver.determineTargetUrl(getSavedRequest(request), request, SecurityContextHolder.getContext().getAuthentication());
              if (StringUtils.isBlank(targetUrl)) {
                  // Fall back to the URL of the request currently being processed
                  targetUrl = request.getRequestURL().toString();
              }
              return targetUrl;
          }

          private static SavedRequest getSavedRequest(HttpServletRequest request) {
              HttpSession session = request.getSession(false);

              if (session == null) {
                  return null;
              }

              SavedRequest savedRequest = (SavedRequest) session.getAttribute(SPRING_SECURITY_SAVED_REQUEST_KEY);

              return savedRequest;
          }
          ......

      Am I doing it wrong? What I want to accomplish is this: every unsecured page in the system has a login form. When the user logs in from any of these forms, after successfully logging in, the user will stay on that page with the login form hidden. Also, when the user fails to log in, the user will still remain on the page, with the URL appended with a parameter as follows: ?error=1

      The problem with my code above is that request.getRequestURL() returns j_spring_security_check.

      Please advise.

      Thank you,
      marckun

      ps: the login form is another JSP page imported in each unsecured page.
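
Added example (not part of the thread, and not Spring Security's own code): reply #2 suggests reading the "Referer" header; because that header is client-supplied, the code below reuses it only when it points back at the same scheme, host and port, and otherwise falls back to the default target. The class name RefererTarget, the hosts shop.example and other.example, and the sample Referer values are assumptions made for the example, and the application is assumed to be deployed at the root context.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Added example: choose a post-login redirect target from the Referer header. */
public class RefererTarget {

    /** Returns the Referer's path and query if it is same-origin, else defaultTarget. */
    static String resolve(String referer, String scheme, String host, int port,
                          String loginPath, String defaultTarget) {
        if (referer == null || referer.isEmpty()) {
            return defaultTarget;                 // header absent or stripped
        }
        URI uri;
        try {
            uri = new URI(referer);
        } catch (URISyntaxException e) {
            return defaultTarget;                 // malformed header
        }
        if (uri.getHost() == null
                || !scheme.equalsIgnoreCase(uri.getScheme())
                || !host.equalsIgnoreCase(uri.getHost())
                || effectivePort(uri) != port) {
            return defaultTarget;                 // different origin: do not redirect there
        }
        String path = uri.getRawPath();
        // "//host/..." would be read by browsers as a protocol-relative URL
        if (path == null || !path.startsWith("/") || path.startsWith("//")
                || path.equals(loginPath)) {      // never bounce back to the login URL
            return defaultTarget;
        }
        return uri.getRawQuery() == null ? path : path + "?" + uri.getRawQuery();
    }

    private static int effectivePort(URI uri) {
        if (uri.getPort() != -1) return uri.getPort();
        return "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        // Constructed sample values (assumptions), reusing the paths from the config above
        String login = "/jsp/j_spring_security_check", home = "/jsp/customer/Home.do";
        String[] referers = { "http://shop.example/jsp/Faq.do?topic=3",
                "http://other.example/jsp/Faq.do", "http://shop.example//other.example/",
                "http://shop.example" + login, null };
        for (String r : referers) {
            System.out.println(r + " -> " + resolve(r, "http", "shop.example", 80, login, home));
        }
    }
}
```

Inside an overridden determineTargetUrl, the arguments would come from request.getHeader("Referer"), request.getScheme(), request.getServerName() and request.getServerPort(). Only the first sample value yields its own path (/jsp/Faq.do?topic=3); the other four fall back to /jsp/customer/Home.do.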
