Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it possible to allow access to a page only through redirection?

Tags:

java

spring

spring-security

thymeleaf

I'm working on an application using Spring Boot and Thymeleaf.

I have the following snippet in my custom login page:

<p th:if="${param.logout}">Logged out successfully</p>

This paragraph is associated with the following security config:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            .antMatchers("/", "*.css").permitAll()
            .antMatchers("/myendpoint").authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
            .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
                .permitAll();
}

So after a logout the user is redirected to /login?logout and the logout message is shown.

My problem is this message is also shown when the user explicitly navigates to /login?logout by simply writing http://myserver:8080/login?logout into the browser.

Is it possible to prevent the user from directly accessing /login?logout (and thus show the message only when an actual logout happens)?

like image 684
justanoob Avatar asked Nov 08 '22 07:11

justanoob

1 Answers

After some research i came up with using RedirectAttributes and addFlashAttribute() to pass data to my login page on a logout.

So instead of setting logout as a query param, i removed Spring's default logout handling from my security config:

http
    .authorizeRequests()
    .antMatchers("/", "*.css").permitAll()
    .antMatchers("/myendpoint").authenticated()
    .and()
    .formLogin().loginPage("/login").permitAll();

And created the following custom logout endpoint in my controller:

@PostMapping("/logout-user")
public String logout(HttpServletRequest request, RedirectAttributes attrs) {
    new SecurityContextLogoutHandler().logout(request, null, null);

    // this attribute will be received in /login
    attrs.addFlashAttribute("logout", true);

    return "redirect:/login";
}

So i send my logout request to this endpoint and check for the logout attribute in /login, to show the logout message when appropriate:

<p th:if="${logout}">Logged out successfully</p>

It seems to be working flawlessly.

like image 175
justanoob Avatar answered Nov 14 '22 23:11

justanoob
Sign in to Comment

Related questions

Step builder pattern using delegation and enums?
Mock Apache HTTPClient with ResponseHandler in Mockito
Why don't the two equal strings match?
Do array(or ArrayList) and LinkedList perform the same when iterating? [duplicate]
How to implement TvView on Android TV?
Overriding Kotlin method with generic parameter in java - method clash
FileNotFoundException: class path resource ***/GlobalAuthenticationConfigurerAdapter.class] cannot be opened because it does not exist
How to create Spock Spy with private property
how to encrypt and decrypt data between php and android
Dynamic priorities for a heterogeneous task set
HBase PrivilegedExceptionAction runAs thread?
run java code on docker
JSON-B REST payload validation
Cannot receive messages through firebase after server reset
Java8 Supplier interface to provide the proper typed instance
Using retrofit2 and RxAndroid to get response from Spring WebFlux
Compile single class with jaotc of Java 10
How to cater the list of scheduled time in an Alarm Manager to push notifications
IntelliJ: Build > Rebuild Project menu item versus Maven clean install
Apache Commons CLI: replacement for deprecated OptionBuilder?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!