1

I am trying to redirect to a specific page by using my select option after login but i can not seem to get in right. i have a select option and a login box on one form. The select box is supposed to redirect to a specified page but it doesn't get redirected after login , even though i requested it to.

Login Page

<form class="myform" th:action="@{/login}" th:object="${user}" method="post">
        <div th:replace="common/layout :: flash"></div>
        <div class="form-group">
            <select th:field="*{cert}" class="form-control input-lg" id="selectEl" >
                <option value="" >[Select Program Type]</option>
                <option th:each="program : ${programs}" th:value="${program.values}" th:text="${program.name}" >Certificate programs</option>
            </select>
        </div>
        <div>
            <div class="input-group input-group-lg">
                <span class="input-group-addon" id="sizing-addon1">@</span>
                <input type="text" class="form-control" placeholder="LoginID" th:field="*{username}" aria-describedby="sizing-addon1" />
            </div>
        </div>
           <div class="form-group">
            <div class="input-group input-group-lg">
                <span class="input-group-addon form-wrapper" id="sizing-addon2">@</span>
                <input type="password" class="form-control showpassword" placeholder="Pin" th:field="*{password}"  aria-describedby="sizing-addon1"  />
                <span class="input-group-btn">
                <button class="btn btn-default toggle" type="button">Show Pin</button>
                </span>
            </div>
        </div>
        <div>
            <label>
                <input type="checkbox" value="1" id="checkbox" /> <p class="login-caution">I have carefully read all instructions as well as programme requirements in the Admission Brochure and i here my accept any responsibility for any omission(s) or error(s) on my submitted form.</p>
            </label>
        </div>
        <button type="submit" id="btnCheck" class="btn btn-primary btn-lg btn-block">Login</button>
    </form>

Login Controller

@RequestMapping(path = "/login", method = RequestMethod.GET)
    public String loginForm(Model model, HttpServletRequest request) {
        model.addAttribute("user", new User());
        if (request != null) {
            DefaultSavedRequest savedRequest=(DefaultSavedRequest) request.getSession().getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY");
            if (savedRequest != null) {
                model.addAttribute("redirectUrl", savedRequest.getRedirectUrl());
                return savedRequest.getRedirectUrl();
            }
        }
        model.addAttribute("programs", Program.values());
        try {
            Object flash = request.getSession().getAttribute("flash");
            model.addAttribute("flash", flash);

            request.getSession().removeAttribute("flash");
        } catch (Exception ex) {
            // "flash" session attribute must not exist...do nothing and proceed normally
        }
       return "login";
    }

Security Config

 @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                    .anyRequest().hasRole("USER")
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .successHandler(loginSuccessHandler())
                    .failureHandler(loginFailureHandler())
                    .and()
                .logout()
                .permitAll()
                .logoutSuccessUrl("/login").deleteCookies("JSESSIONID").logoutSuccessUrl("/");
    }

    public AuthenticationSuccessHandler loginSuccessHandler() {
        //return (request, response, authentication) -> response.sendRedirect("/");
        return (request, response, authentication)-> {
            response.sendRedirect("/");
        };
    }

    public AuthenticationFailureHandler loginFailureHandler() {
        return (request, response, exception) -> {
            request.getSession().setAttribute("flash", new FlashMessage("Incorrect username and/or password. Please try again.", FlashMessage.Status.FAILURE));
            //request.removeAttribute("username");
            response.sendRedirect("/login");
        };
    }

    @Bean
    public EvaluationContextExtension securityExtension(){
        return new EvaluationContextExtensionSupport() {
            @Override
            public String getExtensionId() {
                return "security";
            }

            @Override
            public Object getRootObject() {
                Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
                return new SecurityExpressionRoot(authentication) {};
            }
        };
    }
Arthur Decker
  • 1,191
  • 3
  • 15
  • 45

2 Answers2

2

It seems that you always redirect the user to the root page, as you define it in the AuthenticationSuccessHandler.

If you want to redirect your users to a specific page, I would suggest you append a "redirectUrl=http://xxxx.com" as a query string parameter in the url. In your AuthenticationSuccessHandler, you can have something like, 

public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {

    String queryString = request.getQueryString();
    if(queryString == null) {
        response.setStatus(200);
    } else if(!queryString.contains("redirectUrl=")) {
        response.sendRedirect("/");
    } else {
        queryString = URLDecoder.decode(queryString.replace("url=", ""), "utf-8");            
        response.sendRedirect(queryString);            
    }
}
Simon
  • 629
  • 3
  • 8
  • hi @simon is it better to use request.getQueryString or request.getParameter()? Also is it better to use request.getRequestDispathcer instead of request.sendRequest http://stackoverflow.com/questions/20371220/what-is-the-difference-between-response-sendredirect-and-request-getrequestdis – Arthur Decker Mar 01 '17 at 09:51
  • Hi @simon the script if(!queryString.contains("redirectUrl=")) { response.sendRedirect("/");} keeps downloading a login file. – Arthur Decker Mar 01 '17 at 12:34
  • @ARTHURDECKER the code here is copied from my CAS server application, it redirects users to different domains, so I have used redirect here. In your case, I think request.getRequestDispathcer would be better. Also for the query string, originally the query string is processed and appended to some url, that's why I have used request.getQueryString(). If you only want to get the redirect url, you are right, getParameter should be better. – Simon Mar 02 '17 at 03:25
  • Is there a circular redirection happening here? so it requests the log in page, if not, maybe try to open the url directly and see if that works. Since the cookie is shared with tabs, the login should also work in a different tab. – Simon Mar 02 '17 at 03:29
1

I manage to solve it, this is the final config

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    // roles admin allow to access /admin/**
    // roles user allow to access /user/**
    // custom 403 access denied handler
    // @formatter:off
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // @formatter:off
//      http.formLogin().defaultSuccessUrl("/usersList", true);

        // @formatter:off
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/login*").permitAll()
            .antMatchers("/","/userList")
            .permitAll().anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .defaultSuccessUrl("/usersList", true)
                    .successHandler(new AuthenticationSuccessHandler() {
                    @Override
                    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                            Authentication authentication) throws IOException, ServletException {
                        System.out.println("enter here: ");
                        System.out.println("session: " +  request.getSession());
                        response.sendRedirect("/userList");

                        request.getSession().setMaxInactiveInterval(60);
                        
                        System.out.print("session expired");
                        
                    }
                })
                .and()
                .logout().permitAll();

        http.headers().frameOptions().disable();

    }

This is the line that direct me correctly

response.sendRedirect("/userList")

but can someone explain why this work and not

.defaultSuccessUrl("/usersList", true);
yongchang
  • 503
  • 6
  • 18