Spring Security authenticationSuccessHandler and j_security_check

Question

I am having an issue that is very strange to me so maybe someone can help. Inside my security.xml I have this:

<http auto-config="true">
    <intercept-url pattern="/app/admin/**" access="ROLE_ADMIN"/>
    <intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
    <form-login login-page="/login" authentication-failure-url="/login?error=true" login-processing-url="/j_security_check" authentication-success-handler-ref="authSuccessHandler"/>
    <remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66" authentication-success-handler-ref="authSuccessHandler"/>
</http>

Everything was working fine until I added: authentication-success-handler-ref="authSuccessHandler", which is simple and looks like this:

        @Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
    logger.info("authenticated");
    User user = userManager.getUserByUsername(request.getRemoteUser());
    Hibernate.initialize(user.getMessagesList());
    request.getSession(true).setAttribute("userMessages", user.getMessagesList());
}

Now that all works completely fine, the issue now is that on every login or rememberMe login the first page accessed is ALWAYS blank no matter the url. And on a normal login the page that comes up blank is /j_security_check so it seems like something is not getting processed because of my success handler, as expected when removing the handler everything works fine. Am I missing something here? please help me out.

score 4 · Accepted Answer · answered Dec 17 '13 at 06:55

4

Normally when you don't explicitly configure an AuthenticationSuccessHandler spring configures a SavedRequestAwareAuthenticationSuccessHandler for you for handling the success case. What it does is after successful authentication sends the user to the initially requested URL (or when specified and forced to the default page specified in the configuration).

Your custom implementation does no such thing it only sets something on the session and is done, it doesn't send anything back to the client. What you probably want is to extend the SavedRequestAwareAuthenticationSuccessHandler do your thing and then call super.onAuthenticationSuccess

answered Dec 17 '13 at 06:55

M. Deinum

115,695
22
220
224

Thanks a ton that was exactly the problem. I did have to switch to: SecurityContextHolder.getContext().getAuthentication().getName() instead of request.getRemoteUser() since that did not work with the j_security_check login but everything is working as it should now! – Dustin Dec 17 '13 at 09:36
1

The spring security integation works only after the `SecurityContextHolderAwareRequestFilter` has done its job. This filter is executed after the filter that handles the form-login. So indeed `request.getRemoteUser()` doesn't work yet. – M. Deinum Dec 17 '13 at 10:55

Spring Security authenticationSuccessHandler and j_security_check

1 Answers1