
  • HTTP Redirect (302) to login loses Referer

    Hi all,

    I'm having some trouble getting the target URL resulting from a successful login (using SimpleUrlAuthenticationSuccessHandler) to be the originally requested resource.

    So, desired outcome is:

    1. User requests "secure" path without authenticating
    2. User is redirected to login page
    3. User successfully authenticates and is taken to path requested in step 1.

    Actual outcome:

    1. User requests "secure" path without authenticating
    2. User is redirected to login page
    3. User successfully authenticates and is taken to defaultTargetUrl

    I have tried setting alwaysUseDefaultTargetUrl=false:

    Code:
    // Snippet
    ...
    <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    	<property name="defaultTargetUrl" value="/struts/secure.home.action"/>
    	<property name="alwaysUseDefaultTargetUrl" value="false"/>
    	
    </bean>
    ...
    No joy. I also tried manually setting a target location in the login form, using:

    Code:
    <property name="targetUrlParameter" value="location"/>
    Where "location" is a hidden field in login into which I write the "Referer" http header.

    Here's where things go pear shaped. The HTTP GET request issued by the browser (Firefox) does NOT contain a Referer header.

    So the HTTP sequence seems correct:

    1. Client sends GET for secure path
    2. Server sends 302 (redirect) to login page
    3. Client sends GET for login page <-- Fail here

    The GET for the login page does not contain a Referer header.. so obviously setting it in the form is not going to work, and I'm guessing that's why the out-of-the-box config fails too.

    I have verified that I don't have any crufty configs in the browser (about:config), and I get the same behavior in Chrome (although I can't see the actual headers, I'm assuming the same problem).

    Anyone seen this before? From what I've read, the HTTP GET sent after a 302 "should" have the Referer (?)

    I'm on Windoze 7.. maybe it's a funky "security feature"?

    Thanks.

  • #2
    ok.. so aside from being a moron... I do actually now have a legitimate issue..

    My original post is incorrect as there will not be a Referer unless the original request was as a result of a hyperlink. That is, just typing the URL into the browser does not qualify as a "reference".

    That said.. it's still not working, and I'm a bit confused by how it's supposed to:

    Let's say I have a link on page "A", that links to a secure resource "B" within my web app.

    SS will redirect the requester to the login page, at which point the Referer will be page "A". At no point does page B become the Referer, so it's a bit unclear to me how SS is supposed to be able to redirect to page "B" after successful login.

    Clearly this works, as I've seen it done.. I must be missing something in my config somewhere...



    • #3
      Use a SavedRequestAwareAuthenticationSuccessHandler (which is the default with a namespace setup).

      http://static.springsource.org/sprin...-flow-handling



      • #4
        mmm.. rtfm (me)

        Thanks.

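The mechanism behind the answer in #3, as an added example that is not part of the thread and not Spring Security's own code: a simplified plain-Java model in which the server records the requested URL in the session before sending the 302, so the post-login target never depends on the Referer header. The class, the method names, the session keys and every path except the defaultTargetUrl value are assumptions made for the illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the flow; these are not Spring Security's classes.
public class SavedRequestFlowDemo {
    static final String SAVED_REQUEST = "SAVED_REQUEST"; // hypothetical session key
    static final String USER = "USER";                   // hypothetical session key
    static final String LOGIN_PAGE = "/login";           // constructed path
    static final String DEFAULT_TARGET = "/struts/secure.home.action"; // from the post

    // Steps 1-2: an unauthenticated request for a secured path. The server
    // records the requested URL in the session, then redirects to the login page.
    static String requestSecured(Map<String, String> session, String requestedUrl) {
        if (session.containsKey(USER)) {
            return requestedUrl; // already authenticated, serve it
        }
        session.put(SAVED_REQUEST, requestedUrl);
        return LOGIN_PAGE;
    }

    // What the browser sends as Referer on the GET for the login page: the page
    // that held the link ("A"), or nothing when the URL was typed. Never "B".
    static String refererOnLoginGet(String linkedFrom) {
        return linkedFrom;
    }

    // Step 3: the target is read from server-side session state and consumed,
    // so no client-supplied header or form field decides where the user lands.
    static String onLoginSuccess(Map<String, String> session, String user) {
        session.put(USER, user);
        String saved = session.remove(SAVED_REQUEST);
        return saved != null ? saved : DEFAULT_TARGET;
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<String, String>();
        // Link on page A points at secured page B (constructed paths).
        System.out.println("redirected to:  " + requestSecured(session, "/secure/pageB"));
        System.out.println("Referer seen:   " + refererOnLoginGet("/pageA"));
        System.out.println("after login:    " + onLoginSuccess(session, "alice"));
        // Login page opened directly: nothing saved, so the default is used.
        Map<String, String> fresh = new HashMap<String, String>();
        System.out.println("direct login:   " + onLoginSuccess(fresh, "bob"));
    }
}
```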