  • Session-management breaks always-use-default-target=false?

    I'm using Spring Security 3.0.5 with the namespace configuration elements. My "form-login" element looks like this:

        authentication-failure-url="/login?auth_failure" />
    This works as expected; if a user tries to access a protected URL (like /admin), they're asked to log in first, and after login they are automatically taken to the page they originally requested.

    However, if I add the "session-management" element to my configuration file, like this:

    <session-management invalid-session-url="/login?timeout" />
    the behavior described above breaks. After a user session times out, the user correctly sees the login page (with a timeout message because of the included ?timeout parameter). But when they log in from this page, they are no longer taken to the URL they originally requested (like /admin). Instead, they are always sent to the URL specified in default-target-url (in this case, /search). It's as if the always-use-default-target attribute in the form-login element is being ignored, or set to "true."

    Is this by design? Or is there something about the session-management element that is causing the "target URL to forward to" to be lost?

    Is there any way I can use both the session-management element (to handle timeouts a particular way), and also still make use of the feature that sends users to the page they originally requested after a login?

    Thanks for your help...