I've noticed that there are a couple of questions asking about this topic. I looked through them and I was unable to apply them to my specific Spring setup. I would like to configure my login redirect to be conditional, based on the user's role. This is what I have so far:
<http auto-config="true" use-expressions="true">
    <custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR"/>
    <access-denied-handler ref="accessDeniedHandler"/>
    <form-login
        login-page="/login"
        default-target-url="/admin/index"
        authentication-failure-url="/index?error=true"
    />
    <logout logout-success-url="/index" invalidate-session="true"/>
</http>
I thought this question might be in the same line as what I'm trying to do. Anyone know how I can apply it though?
EDIT 1
<bean id="authenticationProcessingFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
</bean>
<bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/login.jsp"/>
</bean>
EDIT 2
Currently I do not have a class like public class Test implements AuthenticationSuccessHandler {}
as shown in this example.
The default URL where the Spring Login will POST to trigger the authentication process is /login, which used to be /j_spring_security_check before Spring Security 4.
The UsernamePasswordAuthenticationToken is an implementation of the interface Authentication, which extends the interface Principal. Principal is defined in the JSE package java.security. UsernamePasswordAuthenticationToken is a concept in Spring Security which implements the Principal interface.
When using Java configuration, the way to define multiple security realms is to have multiple @Configuration classes that extend the WebSecurityConfigurerAdapter base class – each with its own security configuration. These classes can be static and placed inside the main config.
I have tested the code and it works; there's no rocket science in it:
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class MySuccessHandler implements AuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {
        // Collect the granted authorities of the just-authenticated user as plain strings
        Set<String> roles = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
        if (roles.contains("ROLE_ADMIN")) {
            // Paths passed to sendRedirect are server-root relative, not context-path relative
            response.sendRedirect("/Admin.html");
            return;
        }
        response.sendRedirect("/User.html");
    }
}
Changes in your security context:
<bean id="mySuccessHandler" class="my.domain.MySuccessHandler">
</bean>

<security:form-login ... authentication-success-handler-ref="mySuccessHandler"/>
Update: if you want to use the default-target-url approach, it will work equally well, but it will be triggered when your user first accesses the login page:
<security:form-login default-target-url="/welcome.htm" />
import java.util.Set;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.View;
import org.springframework.web.servlet.view.RedirectView;

@Controller
public class WelcomeController {
    @RequestMapping(value = "/welcome.htm")
    protected View welcome() {
        // Read the current user's authorities from the thread-bound security context
        Set<String> roles = AuthorityUtils
                .authorityListToSet(SecurityContextHolder.getContext()
                        .getAuthentication().getAuthorities());
        if (roles.contains("ROLE_ADMIN")) {
            return new RedirectView("Admin.htm");
        }
        return new RedirectView("User.htm");
    }
}
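An added example, not code from the answer above: a success handler built on the same idea that resolves the target from an ordered role-to-URL map (so a user holding several roles always lands on one deterministic page), redirects through DefaultRedirectStrategy so the servlet context path is respected, and never derives the target from request parameters. The role names and target URLs are assumed for illustration.

```java
// Added example, not the answer's code. Role names and target URLs are assumed.
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class RoleBasedSuccessHandler implements AuthenticationSuccessHandler {

    // Insertion-ordered: the first matching role wins, so a user holding both
    // ROLE_ADMIN and ROLE_USER is always sent to the admin page.
    private static final Map<String, String> TARGETS = new LinkedHashMap<>();
    static {
        TARGETS.put("ROLE_ADMIN", "/admin/index");
        TARGETS.put("ROLE_USER", "/user/index");
    }
    private static final String FALLBACK = "/index";

    // DefaultRedirectStrategy prepends the servlet context path, so the
    // redirect also works when the app is not deployed at "/".
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {
        redirectStrategy.sendRedirect(request, response, targetFor(authentication));
    }

    // The target depends only on granted authorities, never on request input,
    // so there is no user-controlled URL to validate.
    String targetFor(Authentication authentication) {
        Set<String> roles = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
        for (Map.Entry<String, String> entry : TARGETS.entrySet()) {
            if (roles.contains(entry.getKey())) {
                return entry.getValue();
            }
        }
        return FALLBACK;
    }
}
```

Wire it in exactly like mySuccessHandler above, via authentication-success-handler-ref on form-login.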