I have no special talent. I'm only passionately curious - Albert Einstein
Redirecting on Login with Spring Security

Well, here I am rewriting my blog software (again), this time in Grails.  In the four years since I began writing my blog software, I've gone through three different versions of the Acegi Security Framework, which is now the Spring Security Framework.  I'm now using the Spring Security Framework plugin for Grails, and I wanted to redirect users back to the page they were currently viewing after they successfully authenticate.  A little searching on the web, and I found my solution.

The implementation is fairly simple.  Spring Security looks for a request parameter called spring-security-redirect and, when it is present on a successful authentication, redirects the user to the URL it contains.  With a simple form-based login like mine, the parameter has to be carried in two places.  First, build the link to the login page with the <g:link /> Grails tag, using the params attribute to set spring-security-redirect.  The interesting part is using the current page as the redirect target.  After perusing the Grails documentation, I discovered that Grails wraps the HttpServletRequest and adds a forwardURI property that returns the URI of the page currently being rendered.  Here's what the link tag ends up looking like:

<g:link controller="login" action="auth" params="['spring-security-redirect': request.forwardURI]">Login</g:link>

The next step is to update the login form.  All you need to do is add a hidden input to the login form that carries the parameter sent to the login page on to the authentication request, HTML-encoded because it is user-supplied and lands inside an attribute:

<input type='hidden' name='spring-security-redirect' value='${params['spring-security-redirect']?.encodeAsHTML()}'/>

One important thing to note is that you need to read the value with an explicit map lookup, params['spring-security-redirect'], not with dot notation (params.spring-security-redirect).  Because of the hyphens, Groovy parses the dot form as params.spring minus security minus redirect and throws a MissingPropertyException from inside the GSP.  Also, since the value comes straight from the request and is written into the page, encode it (for example with encodeAsHTML()) rather than emitting it raw.

And that's it.  One caveat worth keeping in mind: the redirect target is taken from the request as-is, so unless you validate it (or configure Spring Security to ignore the parameter) a link with a crafted spring-security-redirect value will send a user through your real login page and then on to any site the attacker chooses.  Accepting only context-relative paths on your own application closes that hole.  With that in place, the Spring Security framework continues to impress me by providing everything I'd want out of an authentication and authorization framework.
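As an added example (not code from the original post), here is how the redirect target can be vetted at the point Spring Security resolves it, instead of trusting whatever arrived in spring-security-redirect.  The class name, package, and default target "/" are assumptions of this example.  It subclasses Spring Security's own SimpleUrlAuthenticationSuccessHandler, lets the base class pick the target URL exactly as it normally would, and then rejects anything that is not a plain path on this application.  It also strips the servlet context path that request.forwardURI carries, which is the doubled-context-path problem raised in the comments.

```java
// Added example (not code from the original post). Hypothetical class name and package.
package example.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.util.UrlUtils;

/**
 * Success handler that still honours the spring-security-redirect parameter used in
 * the post, but only when its value is a plain path on this application.  Anything
 * else (absolute URLs, protocol-relative //host, header-splitting characters) falls
 * back to the default target, which closes the open redirect.
 */
public class LocalOnlyRedirectSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    public LocalOnlyRedirectSuccessHandler() {
        setDefaultTargetUrl("/");   // assumed fallback for this example
        // Spring Security 3 defaults to this parameter name; later versions have no
        // default target parameter at all, so set it explicitly to keep the post's
        // links working.
        setTargetUrlParameter("spring-security-redirect");
    }

    @Override
    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
        // Let Spring Security choose the parameter value (or the default), then vet it.
        String requested = super.determineTargetUrl(request, response);
        return sanitize(requested, request.getContextPath(), getDefaultTargetUrl());
    }

    /**
     * Returns a safe, context-relative path or the fallback.  Kept free of servlet
     * types so it can be unit-tested without a container.
     */
    static String sanitize(String target, String contextPath, String fallback) {
        if (target == null || target.isEmpty()) {
            return fallback;
        }
        // Reject http://evil.example, javascript:..., //evil.example, /\evil.example,
        // anything not starting with "/", and CR/LF that would split the Location header.
        if (UrlUtils.isAbsoluteUrl(target)
                || target.startsWith("//") || target.startsWith("/\\")
                || target.indexOf('\r') >= 0 || target.indexOf('\n') >= 0
                || !target.startsWith("/")) {
            return fallback;
        }
        // DefaultRedirectStrategy prepends the context path to a relative target, so a
        // value built from request.forwardURI (which already contains it) would become
        // /app/app/page.  Strip it here once instead of in every <g:link>.
        if (contextPath != null && !contextPath.isEmpty()
                && (target.equals(contextPath) || target.startsWith(contextPath + "/"))) {
            target = target.substring(contextPath.length());
            if (target.isEmpty()) {
                target = "/";
            }
        }
        return target;
    }
}
```

To make the handler take effect it has to replace the success handler the login filter uses; with the Grails Spring Security plugin this is normally done by overriding the plugin's authenticationSuccessHandler bean in grails-app/conf/spring/resources.groovy (bean name as I recall it for the plugin of that era; check it against the plugin version you run).  With a handler like this in place the hidden form field and the <g:link /> from the post can stay exactly as they are, because anything other than a same-application path is silently replaced by the default target.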


5 comments

Dave - March 30, 2011

@Some Guy - yea I know.  That's the problem with building your own software... you have to implement everything yourself.  I'm working on a spam filter for comments, just don't have the time right now.

Some guy - March 25, 2011

Yo

Crewman - April 18, 2011

A word of caution.  Using params like this leaves you open for a potential cross-site scripting attack.  An attacker can look at the source code to see your URL that sends the user to the auth page.  They can take that URL, change the spring-security-redirect param to some destination they want, and now the user will go through the login normally, but end up on a bogus page.  A hacker can send the constructed link in an email so that they immediately go to the legitimate login page on your site and then to the hacked dest page, or they can create another page that looks like your site, uses your auth, then sends the user to a bogus destination.

Dave - April 27, 2011

@JusJammin - thanks for mentioning that.  I actually use the same method in my own apps.  @Crewman you're right, but anyone using Spring Security could experience this issue since I don't even need to use a form to make this happen, unless you configure Spring Security to use a more pessimistic approach when redirecting.  To learn more about what's actually going on under the covers, I suggest reading the javadoc and looking at the source code for org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler and org.springframework.security.web.DefaultRedirectStrategy.

JusJammin - April 09, 2011

Great post.  Just want to add that for this to work in both development and production you have to remove the context path from the request URI, like so:

<g:link controller="login" action="auth" params="['spring-security-redirect': request.forwardURI - request.contextPath]">Login</g:link>


About

David Malone is a Java developer residing in the Twin Cities area.  He has been developing enterprise applications since 2004.  This is his personal blog, as well as his design and development workspace.