18

Our app has a custom success handler for successful logins. It basically redirects them to the page they were on when their session expired.

We're moving to a Java config rather than a Spring XML config. The rest of the config went very smoothly, but we can't find where to put the authentication-success-handler-ref attribute of the security:form-login tag.

<security:http auto-config='true'>
  ...
  <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
  <security:form-login login-page="/login" default-target-url="/sites"
                     authentication-failure-url="/login"
                     authentication-success-handler-ref="authenticationSuccessHandler"/>
 ...

Here's our config, so far.

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
          .anyRequest().authenticated()
          .and()
        .formLogin()
          .loginPage("/login")
          .failureUrl("/login")
          .and()
        .logout()
          .permitAll();
  }

Also, we can't find where to put default-target-url, but that is definitely less important.

Caveat, we're actually using Groovy, but the code is basically the same as a Java config.

geekonablog

2 Answers

26

All settings can be done inside the global configure method. Add the following:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
          .anyRequest().authenticated()
          .and()
        .formLogin()
          .loginPage("/login")
          .defaultSuccessUrl("/sites")
          .failureUrl("/login")
          .successHandler(yourSuccessHandlerBean) // autowired or defined below
          .and()
        .logout()
          .permitAll();
}
Vaelyr
  • Just wanted to add that you can specify an alternative constructor which takes a boolean specifying if you always want to redirect to the specified URL after a successful login - for example, defaultSuccessUrl("/sites", true). Note if this boolean is not specified, Spring will instead redirect you to the URL you were trying to access before being redirected to the authentication page. – mancini0 May 10 '15 at 23:13
  • What about remember-me authentication? How to handle it? – s1moner3d Jun 22 '16 at 13:46
3

You have to create a bean extending SimpleUrlAuthenticationSuccessHandler or SavedRequestAwareAuthenticationSuccessHandler. For example:

@Bean
public SavedRequestAwareAuthenticationSuccessHandler successHandler() {
    SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    successHandler.setTargetUrlParameter("/secure/");
    return successHandler;
}

Then you have to set it up on a bean extending AbstractAuthenticationProcessingFilter:

UsernamePasswordAuthenticationFilter authenticationFilter = new UsernamePasswordAuthenticationFilter();
authenticationFilter.setAuthenticationSuccessHandler(successHandler());
Jakub Kubrynski
  • Trouble is, the AbstractAuthenticationProcessingFilter requires implementing the attemptAuthentication method which we might not want to do if we already have a custom authentication provider. – Stephane Nov 26 '14 at 23:48
  • FYI, the `successHandler.setTargetUrlParameter` is used to have Spring Security respond to a query parameter if the authentication is successful. So, you might have something like: `successHandler.setTargetUrlParameter("next");` and then, if the URL was: `http://localhost:8080/login?next=/foo`, on successful authentication, the success handler would redirect to `/foo`. NOTE: Things might have changed since 2014, but since I found this in a Google search, I thought I would provide this info. – afitnerd Jun 12 '16 at 18:50
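
Added example, not part of the original question or answers: a success handler that honours a `next` target-URL parameter, as described in the last comment, but only when the value is a path on the same site, so the login redirect cannot be pointed at an external host. The class name `LocalRedirectSuccessHandler` and the helper `isLocalPath` are hypothetical, and the `javax.servlet` imports assume the Spring Security versions in use when these answers were written.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

// Hypothetical class for illustration. The saved-request redirect (the page the
// user was on when the session expired) is built server-side and is left alone;
// only the request-supplied target URL parameter is validated here.
public class LocalRedirectSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    public LocalRedirectSuccessHandler() {
        setTargetUrlParameter("next");  // name of a request parameter, not a URL
        setDefaultTargetUrl("/sites");  // same value as default-target-url in the XML config
    }

    @Override
    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
        // The parent returns the "next" parameter value if present, else the default URL.
        String target = super.determineTargetUrl(request, response);
        return isLocalPath(target) ? target : getDefaultTargetUrl();
    }

    // Accept only site-relative paths: reject absolute URLs, scheme-relative
    // "//host" forms, backslash variants and anything that fails URI parsing.
    static boolean isLocalPath(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")
                || target.contains("\\")) {
            return false;
        }
        try {
            URI uri = new URI(target);
            return uri.getScheme() == null && uri.getHost() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

Register it with `.formLogin().successHandler(new LocalRedirectSuccessHandler())`. A handler passed to `successHandler(...)` replaces the one that `defaultSuccessUrl(...)` installs, which is why the default target is set on the handler itself.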