
  • Callback to client redirect url when user cancel login

    Hi,

    As per the subject, I want to ask whether I can implement a callback to the client redirect URL when the user presses Cancel on the login page?

    Thanks in advance
    Dimas

  • #2
    That's an interesting use case, and while it feels very Spring Security, it has OAuth overtones because we know that a redirect_uri is going to be available in an OAuth flow. Spring Security has the AuthenticationEntryPoint responsible for redirects after authentication failure. You would need one of those, and an off the shelf one might work if you use it to forward to an endpoint that can extract the redirect_uri from the original cached request to /oauth/authorize.



    • #3
      Thanks Dave,

      I have extended GenericFilterBean and changed the custom-filter in the configuration:

      <custom-filter position="ANONYMOUS_FILTER" ref="customFilter" />

      <!-- custom filter (class name must not contain a space) -->
      <bean id="customFilter" class="spring.security.oauth.authenticate.MyCustomFilter" />

      and in the code:

      import java.io.IOException;
      import javax.servlet.*;
      import javax.servlet.http.*;
      import org.springframework.web.filter.GenericFilterBean;

      public class MyCustomFilter extends GenericFilterBean {

          @Override
          public void doFilter(ServletRequest req, ServletResponse resp,
                  FilterChain chain) throws IOException, ServletException {

              // get client redirect_url (null-safe: nothing may have set the attribute) //
              Object attr = req.getAttribute("redirect_url");
              String client_redirect_url = attr == null ? null : attr.toString();

              HttpServletResponse response = (HttpServletResponse) resp;
              HttpServletRequest request = (HttpServletRequest) req;

              // continue with the rest of the filter chain
              chain.doFilter(request, response);
          }
      }

      It's working; I can get the redirect_url parameter that is passed to the login page if the user is not yet authenticated. But I don't know whether it is wise to store the value in the session or pass it through the filter chain, or maybe there is another way to pass it to my login page.



      • #4
        I'm not really sure how that would work as you've sketched it (who is going to populate that request attribute for you?), but if it works for you I don't see anything wrong. I suppose you could validate the url to ensure that it is a registered redirect for the client in question, but probably that isn't strictly necessary for security purposes, since the user is not authenticated yet.

        The Cancel button you were describing is entirely under your control, so in principle you can send any data you want to your own endpoint. If you know how to find the redirect_uri from the request to /oauth/authorize (I'd expect it to be a query parameter), then you can pull it out in an AuthenticationEntryPoint and send it to your login page, which then can render it as a query parameter for the action on the Cancel button.

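One way to build the entry point Dave describes, written as an added example (not code from this thread or from Spring Security OAuth): it reads client_id and redirect_uri from the unauthenticated request to /oauth/authorize, keeps the redirect_uri only if it exactly matches one registered for that client, and redirects to the login page with it as a query parameter for the Cancel button. The in-memory registry map and the cancel_uri parameter name are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/**
 * Entry point for unauthenticated requests to /oauth/authorize: validates the
 * client's redirect_uri and hands it to the login page as "cancel_uri"
 * (hypothetical parameter name) for the Cancel button.
 */
public class CancelAwareEntryPoint implements AuthenticationEntryPoint {

    private final String loginPage;                   // e.g. "/home_login"
    private final Map<String, Set<String>> registry;  // client_id -> registered redirect URIs (assumed in-memory)

    public CancelAwareEntryPoint(String loginPage, Map<String, Set<String>> registry) {
        this.loginPage = loginPage;
        this.registry = registry;
    }

    /** Exact match against the client's registered URIs; prefix matching would allow open redirects. */
    String validatedRedirectUri(String clientId, String redirectUri) {
        if (clientId == null || redirectUri == null) {
            return null;
        }
        Set<String> allowed = registry.getOrDefault(clientId, Collections.<String>emptySet());
        return allowed.contains(redirectUri) ? redirectUri : null;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        String cancelUri = validatedRedirectUri(request.getParameter("client_id"),
                                                request.getParameter("redirect_uri"));
        String location = request.getContextPath() + loginPage;
        if (cancelUri != null) {
            // URL-encode so the client URI survives as a single query value
            location += "?cancel_uri=" + URLEncoder.encode(cancelUri, "UTF-8");
        }
        response.sendRedirect(location);
    }
}
```

Wire it in with entry-point-ref on the <http> element; the login page then renders the cancel_uri parameter as the target of the Cancel link, and unregistered values never reach the page.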


        • #5
          Thanks Dave,

          The flow is like this:
          1. Client accesses /oauth/authorize using query params:
          http://localhost:8080/myOauth/oauth/...ope=scope_read

          2. Spring Security validates whether the client has been authenticated or not.
          3. If the client is not authenticated, the client will be granted anonymous access.
          4. In my spring-servlet.xml, I have a configuration like this:

          <http access-denied-page="/exception_page/access_denied" xmlns="http://www.springframework.org/schema/security">
          <intercept-url pattern="/oauth/authorize" access="IS_AUTHENTICATED_ANONYMOUSLY" />
          <intercept-url pattern="/oauth/**" access="ROLE_USER" />
          <form-login authentication-failure-url="/home_login" default-target-url="/home_login" login-page="/home_login"
          login-processing-url="/user_login" />
          <logout logout-success-url="/user_logout" logout-url="/user_logout" delete-cookies="JSESSIONID"/>
          <custom-filter position="ANONYMOUS_FILTER" ref="customFilter" />
          <anonymous enabled="false"/>
          </http>

          <!-- custom filter (class name must not contain a space) -->
          <bean id="customFilter" class="spring.security.oauth.authenticate.MyCustomFilter" />

          So anonymous access will be handled by my customFilter, and in my customFilter I intercept the query param that is sent by the client (redirect_url).

          <custom-filter position="ANONYMOUS_FILTER" ref="customFilter" />


          This is my existing configuration, but I don't know whether it is a good solution or whether there is another way.

          Thank You
          Dimas
