Spring Security 3.1.3 request querystring stripped

I am securing my application using Spring Security 3.1.3 and I have a requirement to allow users to login via a link in a third-party application.

However, the link in the third-party application will redirect to a specific resource and not to the login page, where the resource that the user wishes to access will be defined as a querystring parameter. So, for example, the link would be of the form:
//server.com/app/build/panel.jsp?resourceid='blah'

When a user clicks this link they should be taken to the login page defined in my Spring Security configuration and, if authenticated, should then be redirected to the original link including the querystring parameter. The querystring parameter has no influence on how the user should be authenticated; it's merely the id of a resource.

Now, this all works fine apart from the querystring, which gets stripped by Spring Security before it enters the request processing flow.

This is shown in the debug output from Spring Security:

org.springframework.security.web.savedrequest.HttpSessionRequestCache: DefaultSavedRequest added to Session: DefaultSavedRequest[http://server.com:8080/app/build/panel.jsp]

i.e., the querystring is not saved and resourceid='blah' has been removed.

Note, I'm currently using Ant matching. I have no need to actually match against the querystring.

In earlier versions of Spring Security, it seemed like you could influence this behaviour by using a BeanPostProcessor as per this post, Spring Security - Url with request parameters rules ignored. But the method DefaultFilterInvocationSecurityMetadataSource.setStripQueryStringFromUrls() has been removed from Spring Security 3.1.3.

How do I configure Spring Security not to strip the querystring from the original request, so that when the user is redirected to the original URL after login the querystring parameter is retained?

Many thanks, Howard

user3262600 asked Feb 02 '14 11:02


1 Answer

You can get it from SuccessHandler.

SecurityConfiguration class

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // The custom success handler below is injected and wired into form login
    @Autowired
    SuccessHandler getSuccessHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/dashboard/**", "/feedback/**")
                .access("hasRole('ROLE_SYSTEM_ADMIN') or hasRole('ROLE_COMPANY_ADMIN')")
            .and().formLogin().loginPage("/login").successHandler(getSuccessHandler)
                .loginProcessingUrl("/login").usernameParameter("ssoId").passwordParameter("password")
            .and().csrf()
            .and().exceptionHandling().accessDeniedPage("/Access_Denied")
            .and().sessionManagement().invalidSessionUrl("/login")
                .maximumSessions(1).expiredUrl("/login")
                .and().sessionAuthenticationErrorUrl("/login").sessionFixation().migrateSession()
                .sessionCreationPolicy(SessionCreationPolicy.ALWAYS); // ALWAYS, IF_REQUIRED, NEVER, STATELESS

        http.logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login")
            .invalidateHttpSession(true)
            .permitAll();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Static resources bypass the security filter chain entirely
        web.ignoring()
            .antMatchers("/static/**")
            .antMatchers("/images/**");
    }
}

SuccessHandler class

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class SuccessHandler implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // The session is obtained here but not used further in this handler
        HttpSession session = request.getSession();
        response.sendRedirect(request.getContextPath() + "/dashboard/index");
    }
}
varman answered Oct 13 '22 18:10
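An added example, not code from the answer above or from Spring itself: a success handler that redirects to the request Spring Security saved before the login, query string included, using the Spring Security 3.1 RequestCache/SavedRequest API. Spring ships SavedRequestAwareAuthenticationSuccessHandler for this; the variant here additionally replays only the path and query of the saved URL, never its scheme or host, so the post-login redirect cannot leave the application. The class name, the helper localTarget and the "/dashboard/index" fallback (taken from the answer) are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

// Hypothetical class (added example): replays the request that triggered the login, query string included.
public class QueryStringPreservingSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
    private final RequestCache requestCache = new HttpSessionRequestCache();

    public QueryStringPreservingSuccessHandler() {
        setDefaultTargetUrl("/dashboard/index"); // fallback when no request was saved (assumed path)
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        SavedRequest saved = requestCache.getRequest(request, response);
        if (saved == null) {
            super.onAuthenticationSuccess(request, response, authentication); // default target
            return;
        }
        // getRedirectUrl() is the full saved URL, e.g. http://server.com:8080/app/build/panel.jsp?resourceid='blah'
        String target = localTarget(saved.getRedirectUrl(), request.getContextPath());
        if (target == null) {
            target = getDefaultTargetUrl(); // saved URL is not inside this app: do not follow it
        }
        requestCache.removeRequest(request, response);
        clearAuthenticationAttributes(request);
        getRedirectStrategy().sendRedirect(request, response, target); // prepends the context path
    }

    /** Returns the context-relative path plus query of savedUrl, or null if it lies outside contextPath. */
    static String localTarget(String savedUrl, String contextPath) {
        try {
            URI uri = URI.create(savedUrl);
            String path = uri.getRawPath();
            if (path == null || !path.startsWith(contextPath + "/")) {
                return null;
            }
            String relative = path.substring(contextPath.length()); // "/build/panel.jsp" for the question's link
            return uri.getRawQuery() == null ? relative : relative + "?" + uri.getRawQuery();
        } catch (IllegalArgumentException malformed) {
            return null; // unparsable saved URL: treat as untrusted
        }
    }
}
```

For the link in the question, with context path "/app", localTarget yields "/build/panel.jsp?resourceid='blah'" and the redirect strategy sends the browser to "/app/build/panel.jsp?resourceid='blah'".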