16

I'm using version 1.2 of the Spring Security plugin in a Grails application. I want login attempts to be handled in the following way:

Success

  • if the login was triggered by an attempt to access a protected page, send them to that page
  • if the user logged in "directly" redirect them back to the home page

Failure

  • Send them to a "try again" login page and populate the form thereon with the invalid login details they entered (except for the password fields). This "try again" login page is not the same page that they use to log in the first time.

I've had a look at the Events section of the plugin's manual, which seems to cover this ground. However there doesn't seem to be any way to redirect a user within these event handlers.

Dónal

2 Answers

21

You're basically describing how it currently works except for re-displaying login details, which is straightforward.

When you click a secured link and aren't logged in, a SavedRequest is stored in the session to keep track of where you were trying to go. After a successful login, this object is inspected and the redirect is built from it. If you go directly to the login page there's no saved info, so it redirects to a default location. By default it's the root of the app ('/') but it's configurable, e.g.

grails.plugins.springsecurity.successHandler.defaultTargetUrl = '/home'

To get the previously entered login name to re-display, use the SPRING_SECURITY_LAST_USERNAME session key in auth.gsp:

<input type='text' class='text_' name='j_username' id='username'
       value="${session['SPRING_SECURITY_LAST_USERNAME']}" />
Burt Beckwith
  • Should I use `grails.plugins.springsecurity.failureHandler.defaultFailureUrl = '/loginAgain'` to send them to my "try again" page when login fails? – Dónal Aug 08 '11 at 13:25
  • No, if auth fails they'll be redirected to /login/auth and your updated auth.gsp will display the username – Burt Beckwith Aug 08 '11 at 13:41
  • Are you saying that it's not possible to override the url that they are redirected to after a login failure? – Dónal Aug 08 '11 at 16:37
  • No, I'm saying if you don't do anything at all, it'll work the way you want. The user will be presented with the login screen again and can retry, and with the GSP tweak I showed it'll show the username. The `SavedRequest` will stay the same the whole time, so after multiple failed login attempts a successful login will redirect to the originally requested url. – Burt Beckwith Aug 08 '11 at 17:04
  • Got it, thanks again. BTW, is the list of session attributes that spring security uses documented anywhere? I'm referring to `session['SPRING_SECURITY_LAST_USERNAME']` and company. – Dónal Aug 08 '11 at 20:52
  • I'm not sure, but if they are it'd be in the Spring Security docs: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity.html – Burt Beckwith Aug 08 '11 at 20:59
  • Thanks, I didn't even know that SpringSecurity supports retrieving the username in the session – Hoàng Long Jun 06 '12 at 09:18
  • And what can I do if the target depends on the role of the user? – mpccolorado Oct 01 '12 at 13:38
  • I think I'm going to treat that kind of logic in the response of the default target url. – mpccolorado Oct 01 '12 at 13:46
  • 1
    FYI to anyone using this with 3.1. `session['SPRING_SECURITY_LAST_USERNAME']` has been deprecated. – Omnipresent Nov 26 '14 at 01:22
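
The role-dependent target raised in the comments can be handled in the action behind the default target URL, which the plugin only uses when the session holds no SavedRequest. The following is an added example, not code from the answer or the plugin: the controller name, role names and landing targets are assumptions, and the imports are the plugin 1.x packages (2.x moved them to `grails.plugin.springsecurity.SpringSecurityUtils` and `grails.plugin.springsecurity.annotation.Secured`).

```groovy
// grails-app/controllers/HomeController.groovy (hypothetical controller, added example)
// Assumes Config.groovy contains, as in the answer above:
//   grails.plugins.springsecurity.successHandler.defaultTargetUrl = '/home'
// and that '/home' resolves to this controller's index action (default URL mapping).
import grails.plugins.springsecurity.Secured
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils

class HomeController {

    // Constructed role-to-landing-page table; role names and targets are placeholders.
    // Insertion order is preserved, so the first role the user holds wins.
    static final Map LANDING_PAGES = [
        ROLE_ADMIN  : [controller: 'admin',   action: 'dashboard'],
        ROLE_MANAGER: [controller: 'reports', action: 'index']
    ]

    // Reached only after a "direct" login (no SavedRequest in the session).
    // A login triggered by a protected URL is sent back to that URL by the
    // plugin's success handler and never passes through here.
    @Secured(['IS_AUTHENTICATED_REMEMBERED'])
    def index = {
        def match = LANDING_PAGES.find { role, target ->
            SpringSecurityUtils.ifAllGranted(role)
        }
        if (match) {
            // The redirect is a convenience, not access control: the target
            // controllers must carry their own @Secured rules.
            redirect(match.value)
            return
        }
        // No special role: render the ordinary home page (views/home/index.gsp).
        [:]
    }
}
```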
4

What worked for me is putting the following line in Config.groovy

grails.plugin.springsecurity.successHandler.defaultTargetUrl = 'controllerName/actionName'

The thing that is changed is grails.plugin not grails.plugins (notice no 's' after 'plugin')

biniam