java - define authentication-failure-url to be `{currentpage}?login_error=1`? -
java - define authentication-failure-url to be `{currentpage}?login_error=1`? -
i using spring mvc, spring security , apache tiles. have login div appears in every page (in case user not authenticated yet). configuration:
<http use-expressions="true"> <intercept-url pattern="/index.jsp" access="permitall" /> <intercept-url pattern="/registration.html" access="permitall" /> <intercept-url pattern="/about.html" access="permitall" /> <intercept-url pattern="/search.html" access="permitall" /> <intercept-url pattern="/login.html" access="permitall" /> <intercept-url pattern="/logout.html" access="permitall" /> <intercept-url pattern="/post.html" access="hasanyrole('user')" /> <intercept-url pattern="/**" access="denyall" /> <form-login default-target-url='/search.html' authentication-failure-url="/login.html?login_error=1" /> <logout logout-success-url="/logout.html" /> </http> the problem is: assume user enters search.html , enters invalid login details. user redirect /login.html?login_error=1 instead of redirecting search.html?login_error=1. how can define authentication-failure-url {currentpage}?login_error=1 ?
you need customize simpleurlauthenticationfailurehandler bit, illustration new redirectstrategy.
before starting: should have @ source of classes understand do:
usernamepasswordauthenticationfilter , super class abstractauthenticationprocessingfilter -- filter triggers authentication simpleurlauthenticationfailurehandler -- responsible if authentication required (it invoked `simpleurlauthenticationfailurehandler). defaultredirectstrategy -- used simpleurlauthenticationfailurehandler redirct. formloginbeandefinitionparser -- parses xml security:form-login element -- should read understand how beans created , referenced!! you should write own redirectstrategy, lets phone call myappendparameterredirectstrategy (may have first @ defaultredirectstrategy). needs 1 method: void sendredirect(httpservletrequest request, httpservletresponse response, string url). @ to the lowest degree should same defaultredirectstrategy instead of returning (login) url in calculateredirecturl should calculate url stripparams(getrequesturl()) + "?login_error=1"
import java.io.ioexception; import javax.servlet.http.httpservletrequest; import javax.servlet.http.httpservletresponse; import org.apache.commons.lang.stringutils; import org.springframework.security.web.redirectstrategy; public class myappendparameterredirectstrategy implements redirectstrategy { @override public void sendredirect(final httpservletrequest request, final httpservletresponse response, final string url) throws ioexception { string redirecturl = calculateredirecturl(request.getrequesturl().tostring()); redirecturl = response.encoderedirecturl(redirecturl); response.sendredirect(redirecturl); } private string calculateredirecturl(final string requesturl) { //attention parameter striping proof of concept! homecoming stringutils.substringbeforelast(requesturl, "?") + "?login_error=1"; } } the sec part need alter spring configuration (therefore should read classes mentioned about) think configuration should (but not have tested it):
<security:form-login login-processing-url="/login/j_spring_security_check" login-page="/login" authentication-failure-handler-ref="simpleurlauthenticationfailurehandler"/> <bean id="simpleurlauthenticationfailurehandler" class="org.springframework.security.web.authentication.simpleurlauthenticationfailurehandler"> <property="defaultfailureurl" value="notnullbutwedonotuseit" /> <property="redirectstrategy"> <bean class="myappendparameterredirectstrategy"/> </property> </bean> java spring spring-mvc spring-security
Comments
Post a Comment