Announcement Announcement Module
No announcement yet.
Redirecting to original page upon authentication failure Page Title Module
Move Remove Collapse
This topic is closed
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Redirecting to original page upon authentication failure

    My web app has a login dialog box on every webpage. When a user logs successfully, I simply redirect back to the original webpage by passing a hidden variable to spring's security_check servlet:
    <input type="hidden" name="spring-security-redirect" value="/original_webpage_logged_in_from"/>
    Works great. Problem is when the login is unsuccessful, maybe a bad password. Then the user is redirected to the default authentication failure page defined in the <form-login> configuration (/login?error=credentials):
    <form-login login-page="/login" authentication-failure-url="/login?error=credentials" default-target-url="/account" login-processing-url="/security_check"/>
    I want the user redirected back to the original webpage where I'll pop up the same login dialog box again with an error message.

    What's the proper way to do this?

  • #2
    Is the right way to do this to implement the RedirectStrategy interface and create a SimpleUrlAuthenticationFailureHandler bean referencing it?

    <beans:bean id="simpleUrlAuthenticationFailureHandler" class="">
        <beans:property name="redirectStrategy" ref="backToReferrer"/>
    <beans:bean id="backToReferrer" class="com.example.RedirectStrategyBackToReferrer"/>
    And then the class:
    public class RedirectStrategyBackToReferrer implements RedirectStrategy {
        public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) {
    Make sense? Was this the purpose of SimpleUrlAuthenticationFailureHandler and RedirectStrategy?


    • #3
      The AuthenticationFailureHandler is intended to control the navigation flow for a failed authentication (see the manual). You can just implement this directly.

      You don't need to use a custom RedirectStrategy (or indeed any RedirectStrategy) unless you have specific requirements to cope with proxies etc.

      The strategies are there to provide maximum flexibility in achieving what you want. Their purpose isn't really set in stone.