 

Moving Spring Security To Java Config, where does authentication-success-handler-ref go?

Our app has a custom success handler for successful logins. It basically redirects them to the page they were on when their session expired.

We're moving to a Java config rather than a Spring XML config. The rest of the config went very smoothly, but we can't find where to put the authentication-success-handler-ref attribute of the security:form-login tag.

<security:http auto-config='true'>
  ...
  <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
  <security:form-login login-page="/login" default-target-url="/sites"
                     authentication-failure-url="/login"
                     authentication-success-handler-ref="authenticationSuccessHandler"/>
 ...

Here's our config, so far.

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
       .authorizeRequests()
          .anyRequest().authenticated()
          .and()
        .formLogin()
          .loginPage("/login")
          .failureUrl("/login")
          .and()
        .logout()
          .permitAll();
  }

Also, we can't find where to put default-target-url, but that is definitely less important.

Caveat, we're actually using Groovy, but the code is basically the same as a Java config.

geekonablog asked Jan 13 '14 17:01




2 Answers

All settings can be done inside the global configure method. Add the following:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
          .anyRequest().authenticated()
          .and()
        .formLogin()
          .loginPage("/login")
          .defaultSuccessUrl("/sites")
          .failureUrl("/login")
          .successHandler(yourSuccessHandlerBean) // autowired or defined below
          .and()
        .logout()
          .permitAll();
}
Vaelyr answered Sep 19 '22 10:09


You have to create a bean extending SimpleUrlAuthenticationSuccessHandler or SavedRequestAwareAuthenticationSuccessHandler. For example:

@Bean
public SavedRequestAwareAuthenticationSuccessHandler successHandler() {
    SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
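    // setDefaultTargetUrl sets the redirect target; setTargetUrlParameter would
    // instead name a request parameter that supplies the target.
    successHandler.setDefaultTargetUrl("/secure/");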
    return successHandler;
}

Then you have to set it on a bean extending AbstractAuthenticationProcessingFilter:

UsernamePasswordAuthenticationFilter authenticationFilter = new UsernamePasswordAuthenticationFilter();
authenticationFilter.setAuthenticationSuccessHandler(successHandler());
Jakub Kubrynski answered Sep 20 '22 10:09
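
The two answers combined into one configuration class, as an added example that is not code from the original posts. It assumes the WebSecurityConfigurerAdapter style used in the question; the class name SecurityConfig and the permitAll() on the login page are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    // Java-config counterpart of authentication-success-handler-ref.
    @Bean
    public AuthenticationSuccessHandler authenticationSuccessHandler() {
        SavedRequestAwareAuthenticationSuccessHandler handler =
                new SavedRequestAwareAuthenticationSuccessHandler();
        // Counterpart of default-target-url: used when no request was saved
        // before the user was sent to the login page.
        handler.setDefaultTargetUrl("/sites");
        // targetUrlParameter is deliberately left unset: once set, a request
        // parameter of that name chooses the post-login redirect target.
        return handler;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                // Assumption: the login page itself must be reachable
                // without authentication.
                .loginPage("/login").permitAll()
                .failureUrl("/login")
                // defaultSuccessUrl(...) and successHandler(...) write the same
                // setting and the later call wins, so only one is used here.
                .successHandler(authenticationSuccessHandler())
                .and()
            .logout()
                .permitAll();
    }
}
```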