2

I've got a Grails app that uses Spring Security Core for authentication and authorization. The app's primary purpose is to provide a REST API that is secured with a token passed in via the Authorization header in each request. This token is generated outside of the Grails app and there is no official "login" phase - each request is authenticated and authorized individually.

I've implemented my own authentication filter and provider which seem to work as far as token authentication goes. The problem is that for successful authentications the spring security core always redirects to a login success page (configured via successHandler.defaultTargetUrl) when I just want to silently continue with the original request like this:

  1. User requests /rest/foo
  2. Custom spring security filter matches the request and handles it. If the authorization header is good then /rest/foo is invoked (currently redirected to defaultTargetUrl), otherwise the user is forwarded to /error. (this last part works)

Looking at the source of AjaxAwareAuthenticationSuccessHandler, which seems to be the culprit, I see that I can set the targetUrl by adding targetUrlParameter (defaults to 'spring-security-redirect') as a request param, but this seems both ugly and needless. Is there any way to make this work as desired? I've considered implementing my own SuccessHandler... is that the correct solution? Do I have any other options?

EDIT: I gave the custom success handler a try by extending AjaxAwareAuthenticationSuccessHandler and overriding determineTargetUrl(request, response) and returning request.getServletPath(). This gets me past the initial problem but creates an infinite redirect loop, presumably due to a combination of me needing stateless authentication and DefaultRedirectStrategy redirecting to the destination instead of forwarding.

EDIT #2: Success! Using the code in this SOF thread I was able to get the custom AuthenticationSuccessHandler solution to work. For Grails users you'll also need to update resources.groovy like this:

authenticationSuccessHandler(com.foo.bar.YourSuccessHandler){}
Nick

1 Answer

2

Have you checked Spring Security for Rest, which is based on Spring Security Core?

Edit

Changing the value for targetUrlParameter in the config.groovy is the way to go if you want to change the default action.

Hubert
  • I have not but will take a look – Nick Jan 21 '14 at 16:20
  • I took a look and it's promising, but given that the first release appears to have been ~18 days ago and this is a security plugin, I'd still like to use the more mature Spring Security Core if possible. – Nick Jan 21 '14 at 17:39
  • re targetUrlParameter: I think that just lets you specify the name of the parameter that can be used to pass in a targetUrl. Even with that though, requiring a targetUrl param set to /rest/foo when the request is directed at /rest/foo feels ugly, or at least I've never seen another REST API that makes one do this. – Nick Jan 21 '14 at 19:46
  • Actually just got it working - updated my post above with the details. – Nick Jan 21 '14 at 20:36
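A sketch of the approach the question's EDIT #2 settles on, added here as an example; it is not the poster's code and not the code from the linked thread. It assumes the custom filter extends Spring Security's AbstractAuthenticationProcessingFilter and that the custom provider accepts a PreAuthenticatedAuthenticationToken; TokenAuthenticationFilter and the /rest/ prefix check are hypothetical names and values.

```groovy
package com.foo.bar // package name taken from the resources.groovy line in the post

import javax.servlet.FilterChain
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException
import org.springframework.security.core.Authentication
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
import org.springframework.security.web.authentication.AuthenticationSuccessHandler
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken

// Success handler that neither redirects nor forwards, so no defaultTargetUrl is involved.
class YourSuccessHandler implements AuthenticationSuccessHandler {
    @Override
    void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                 Authentication authentication) {
        // Intentionally empty: the filter below lets the original request continue.
    }
}

// Hypothetical per-request token filter (assumption: the real filter has this base class).
class TokenAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    TokenAuthenticationFilter() {
        super('/rest/') // required by the base class; matching is done in requiresAuthentication
    }

    @Override
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        // Authenticate every API request, not only a single "login" URL.
        request.servletPath.startsWith('/rest/')
    }

    @Override
    Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String token = request.getHeader('Authorization')
        if (!token) {
            throw new AuthenticationCredentialsNotFoundException('Missing Authorization header')
        }
        // The custom AuthenticationProvider validates the token (assumed to support this token type).
        getAuthenticationManager().authenticate(new PreAuthenticatedAuthenticationToken(token, ''))
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain chain, Authentication authResult) {
        // Stores the Authentication in the SecurityContext and calls the (no-op) success handler.
        super.successfulAuthentication(request, response, chain, authResult)
        // Continue with the originally requested resource, e.g. /rest/foo, in the same request.
        chain.doFilter(request, response)
    }
}
```

The handler is registered with the resources.groovy line shown in the question; a request that fails authentication never reaches chain.doFilter and is handled by the failure path the question describes.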