Coffee to go


var thisBlog = getGlobalContext().buildFromTemplate(PERSONAL | PROGRAMMING | RANDOM_THOUGHTS);

Dynamic authentication success and failure url using Spring 3 MVC & Security

If you have used Spring’s form-login security before, then the following (partial) configuration will look familiar to you:

<security:form-login login-page="/login"
 authentication-failure-url="/login/failure"
 default-target-url="/"/>

What it says is: where the login page resides (login-page); where to redirect the user after logging in, here “/” (default-target-url), provided the user did not land on the login page while trying to access a page that required authentication; and what page to serve in case of a failed login attempt (authentication-failure-url).

OK, it’s pretty straightforward, but what if, instead of using the values specified in the config, one has to specify these values dynamically? By dynamically I mean that on authentication failure, instead of redirecting to “/login/failure” (the value of authentication-failure-url), we redirect to /signup or some other URL depending on some checks/conditions.

Luckily, Spring has the following for this:

| Interface / Class | Description |
| --- | --- |
| AuthenticationSuccessHandler | Strategy used to handle a successful user authentication. |
| SimpleUrlAuthenticationSuccessHandler | Simple implementation of the AuthenticationSuccessHandler interface which by default uses the default-target-url value to redirect the user on successful authentication. |
| AuthenticationFailureHandler | Strategy used to handle a failed user authentication. |
| SimpleUrlAuthenticationFailureHandler | Similarly, this class is a simple implementation of the AuthenticationFailureHandler interface, and by default it redirects the user to the value of authentication-failure-url. |
| RedirectStrategy | Encapsulates the redirection strategy. |

If you haven’t noticed yet, RedirectStrategy is the interface we are most interested in, since it is the one that encapsulates how the redirect is performed. So we simply need to write a custom class that implements RedirectStrategy and overrides its sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) method.

Let me show you what I mean:

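import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.RedirectStrategy;

// Custom redirection strategy used after a successful authentication
public class CustomSuccessRedirection implements RedirectStrategy {

	@Override
	public void sendRedirect(HttpServletRequest request, HttpServletResponse response,
			String url) throws IOException {

		// Redirect based on some condition. The url argument (the target the handler
		// computed) is ignored here; the paths are relative to the server root.
		if (someCondition(request)) {
			response.sendRedirect("/home/a");
		} else {
			response.sendRedirect("/home/b");
		}
	}

	// Placeholder: replace with the application's own check
	private boolean someCondition(HttpServletRequest request) {
		return false;
	}
}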

Similarly a strategy for failed authentication can also be written in the same way.

Now, to override the default URL redirection strategy, we need to add the following to the config:

<!-- Custom Redirection Strategy beans -->
<bean id="customSuccessRedirStrategy" class="net.waqassiddiqi.spring.CustomSuccessRedirection" />
<bean id="customFailedRedirStrategy" class="net.waqassiddiqi.spring.CustomFailedRedirection" />

<bean id="customRedirSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
	<property name="redirectStrategy" ref="customSuccessRedirStrategy" />
</bean>

<bean id="customRedirFailedHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
	<property name="defaultFailureUrl" value="/login/failure" />
	<property name="redirectStrategy" ref="customFailedRedirStrategy" />
</bean>

<!-- Point form-login at the custom handlers instead of the fixed URLs -->
<security:form-login login-page="/login"
 authentication-success-handler-ref="customRedirSuccessHandler"
 authentication-failure-handler-ref="customRedirFailedHandler" />
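
The post does not show the failure-side strategy that the customFailedRedirStrategy bean refers to. The following is an added example, not the author's code: a RedirectStrategy that picks the failure page from the saved exception, only ever redirects to a local path, and respects the context path. The /login/expired path, the isLocalPath helper and the session attribute name are assumptions; the code relies on SimpleUrlAuthenticationFailureHandler saving the exception in the session before it calls the strategy.

```java
import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.web.RedirectStrategy;

// Added example: failure-side redirect strategy with a fixed set of local targets
public class CustomFailedRedirection implements RedirectStrategy {

	// Assumption: attribute name the failure handler uses when saving the exception
	private static final String LAST_EXCEPTION = "SPRING_SECURITY_LAST_EXCEPTION";

	// Hypothetical page for users whose password has expired
	private static final String EXPIRED_URL = "/login/expired";
	// Used when the url passed in is not a plain local path
	private static final String FALLBACK_URL = "/login/failure";

	@Override
	public void sendRedirect(HttpServletRequest request, HttpServletResponse response,
			String url) throws IOException {

		// Never forward an absolute or scheme-relative URL to the browser
		String target = isLocalPath(url) ? url : FALLBACK_URL;

		// Choose the destination from the failure type, not from request input
		HttpSession session = request.getSession(false);
		Object failure = (session == null) ? null : session.getAttribute(LAST_EXCEPTION);
		if (failure instanceof CredentialsExpiredException) {
			target = EXPIRED_URL;
		}

		// Prefix the context path so the redirect works under a non-root deployment,
		// and let the container add the session id when URL rewriting is in use
		response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + target));
	}

	// Accepts only paths such as "/login/failure"; rejects "//host", "http://host",
	// backslashes and CR/LF, which could redirect off-site or split the header
	static boolean isLocalPath(String url) {
		return url != null && url.startsWith("/") && !url.startsWith("//")
				&& url.indexOf('\\') < 0 && url.indexOf("://") < 0
				&& url.indexOf('\r') < 0 && url.indexOf('\n') < 0;
	}
}
```

The same isLocalPath check matters more on the success side, where the url handed to the strategy can originate from a saved request or a request parameter rather than from the config.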





One Response

  1. Trever says:

    A better magazine theme would make the blog nicer.:)
