HTTP Redirect (302) to login loses Referer
Hi all,
I'm having some trouble getting the target URL resulting from a successful login (using SimpleUrlAuthenticationSuccessHandler) to be the originally requested resource.
So, desired outcome is:
1. User requests "secure" path without authenticating
2. User is redirected to login page
3. User successfully authenticates and is taken to path requested in step 1.
Actual outcome:
1. User requests "secure" path without authenticating
2. User is redirected to login page
3. User successfully authenticates and is taken to defaultTargetUrl
I have tried setting alwaysUseDefaultTargetUrl=false:
Code:
<!-- Snippet -->
...
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/struts/secure.home.action"/>
    <property name="alwaysUseDefaultTargetUrl" value="false"/>
</bean>
...
No joy. I also tried manually setting a target location in the login form, using:
Code:
<property name="targetUrlParameter" value="location"/>
Where "location" is a hidden field in login into which I write the "Referer" HTTP header.
Here's where things go pear shaped. The HTTP GET request issued by the browser (Firefox) does NOT contain a Referer header.
So the HTTP sequence seems correct:
1. Client sends GET for secure path
2. Server sends 302 (redirect) to login page
3. Client sends GET for login page <-- Fail here
The GET for the login page does not contain a Referer header, so obviously setting it in the form is not going to work, and I'm guessing that's why the out-of-the-box config fails too.
I have verified that I don't have any crufty configs in the browser (about:config), and I get the same behavior in Chrome (although I can't see the actual headers, I'm assuming the same problem).
Anyone seen this before? From what I've read, the HTTP GET sent after a 302 "should" have the referer (?)
I'm on Windoze 7.. maybe it's a funky "security feature"?
Thanks.
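Added example, not part of the original post and not Spring Security code: the hidden "location" field and the Referer header described above are both supplied by the client, and a Referer is an absolute URL, so a check like the following reduces the value to a path on the application before any post-login redirect and falls back to the defaultTargetUrl otherwise. The class name, method name and host `app.example.test` are assumptions made for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Hypothetical helper (added example): validates a client-supplied login target.
public class LoginTargetValidator {

    // Same value as defaultTargetUrl in the bean definition from the post.
    static final String DEFAULT_TARGET = "/struts/secure.home.action";

    /** Returns a local path (plus query) taken from the candidate, or DEFAULT_TARGET. */
    static String resolveTarget(String candidate, String appHost) {
        if (candidate == null || candidate.isEmpty() || candidate.contains("\\")) {
            return DEFAULT_TARGET;   // empty field, e.g. the browser sent no Referer
        }
        URI uri;
        try {
            uri = new URI(candidate);   // malformed values are refused here
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }
        String scheme = uri.getScheme();
        if (scheme != null || uri.getRawAuthority() != null) {
            // Absolute URL (what a Referer looks like): only http(s) on our own host.
            boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
            String host = uri.getHost();
            if (!web || host == null || !host.equalsIgnoreCase(appHost)) {
                return DEFAULT_TARGET;
            }
        }
        String path = uri.getRawPath();
        if (path == null || !path.startsWith("/") || path.startsWith("//")) {
            return DEFAULT_TARGET;
        }
        // Rebuild from parsed parts so scheme, host and fragment never reach the redirect.
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    public static void main(String[] args) {
        String[] samples = {   // constructed sample values
            "http://app.example.test/struts/secure.report.action?id=7",
            "/struts/secure.report.action", "", "//other.example.test/x",
            "https://other.example.test/struts/secure.report.action"
        };
        for (String s : samples) {
            System.out.println("[" + s + "] -> " + resolveTarget(s, "app.example.test"));
        }
    }
}
```

Only the first two sample values yield their own path; the empty value and the two pointing at another host resolve to the default target.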