Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

remember-me and authentication-success-handler

Tags:

spring

spring-security

i have strange issue of for login sucess and redirect to page.

below is my spring security configuration. 

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login.hst**" access="anonymous or authenticated" />
    <intercept-url pattern="/**/*.hst" access="authenticated" />
    <form-login login-page="/login.hst"
        authentication-failure-url="/login.hst?error=true"
        authentication-success-handler-ref="loginSucessHandler" />
    <logout invalidate-session="true" logout-success-url="/home.hst"
        logout-url="/logout.hst" />
    <remember-me key="jbcpHaverERP" authentication-success-handler-ref="loginSucessHandler"/>
    <session-management>
    <concurrency-control max-sessions="1" />
</session-management>
</http>

LoginSuessHandler class:

@Service
public class LoginSucessHandler extends
        SavedRequestAwareAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws ServletException, IOException {
            ...
        super.setUseReferer(true);
        super.onAuthenticationSuccess(request, response, authentication);
    }

}

now problem of redirect to requested page on success. if i directly refer to any secure url spring redirects me to login page and on successful login to original requested link. but this is not working in case if user had earlier selected remember-me and then closing browser and now requesting direct URL, he is being properly authenticated but instead of redirecting him to requested page spring redirects to /. i have checked log and some spring source code and found it is not able to determine target url.

i have tried to set refer but referer value is null. but one strange thing i have noticed that in spring security configuration if i remove authentication-success-handler from remember-me configuration then it works. 

    <remember-me key="jbcpHaverERP" authentication-success-handler-ref="loginSucessHandler"/>

not able to figure out issue. is authentication-success-handler implementation requied to be different for form login and remember-me?

like image 895
Jigar Parekh Avatar asked Jul 20 '12 08:07

Jigar Parekh

Video Answer

2 Answers

Remember-me differs from form-login in that authentication occurs during the actual request the user makes. For form-login, the user must first be redirected to the login page, submit the login form and after that they are redirected to the original target (which is usually cached in the session). So form-login requires a redirect, whereas remember-me doesn't. With a remember-me request, the user can be authenticated, and the request allowed to proceed without any intervention.

The primary purpose of an AuthenticationSuccessHandler is to control the navigation flow after authentication, so you wouldn't normally use one with remember-me at all. Using SavedRequestAwareAuthenticationSuccessHandler isn't a good idea, as there won't be a saved request available. If there is no saved request, then by default it will perform a redirect to "/" as you have observed.

If all you want is to add some functionality during a remember-me login, then you can implement the AuthenticationSuccessHandler interface directly without performing a redirect or a forward. As I explained above, you can't use the same implementation for form-login, since the current request is the submission of the login form (usually to the URL j_spring_security_check), and not a request to a URL within your application. So you need a redirect for form-login.

like image 171
Shaun the Sheep Avatar answered Sep 23 '22 05:09

Shaun the Sheep

You would rather use ApplicationListener and look for the event InteractiveAuthenticationSuccessEvent.

InteractiveAuthenticationSuccessEvent has a property generatedBy which will be the filter, ie UsernamePasswordAuthenticationFilter (form logins) and RememberMeAuthenticationFilter (remeber me logins)

@Component
class AuthenticationApplicationListener implements ApplicationListener<InteractiveAuthenticationSuccessEvent> {

  @Override
  void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
    //do something
  }

}

using a custom implementation of AuthenticationSuccessHandler on rememberMe will cause problems. Take a look at the flow in RememberMeAuthenticationFilter. if the successHandler is used, the filter chain is bypassed

like image 23
kabal Avatar answered Sep 24 '22 05:09

kabal
Sign in to Comment

Related questions

Basic Spring MVC config: PageNotFound using InternalResourceViewResolver
How to handle RESTful delete in Spring MVC
why spring handles only unchecked exceptions
Spring Boot Actuator Not Working
Intercept @RequestHeader exception for missing header
How to write a custom CrudRepository method(@Query) to filter the result in my case
Thymeleaf get current locale
Please use 'MongoMappingContext#setAutoIndexCreation(boolean)' or override 'MongoConfigurationSupport#autoIndexCreation()' to be explicit
SpringCloud 2020.0.2 upgrade generates testing error
Spring Security Authentication using RestTemplate
Queue Size in Spring AMQP Java client
Spring 3.2: Filtering Jackson JSON output based on Spring Security role
Bind UUID in Spring MVC
Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/tx]
Enable HAL serialization in Spring Boot for custom controller method
Could not load JDBC driver class [com.mysql.jdbc.Driver]
How to call a service method with Thymeleaf
Can I exclude fields from lomboks @Data annotation?
How to get command Line arguments in spring boot?
Sharing an application context between two WARs?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!