Spring Security 3.1.0.M2 and SavedRequestAwareAuthenticationSuccessHandler

**ssozonoff** · Jan 26th, 2011, 11:51 AM

Hello Guys,

In the process of setting up to filter chains to handle both form based and API based authentication I have come across an issue related he proper redirecting after successful authentication.

couple of things.

1. When using SavedRequestAwareAuthenticationSuccessHandler it seems to me that the request is actually saved in the ExceptionTranslationFilter however this is called after the my AuthenticationFilter filter which uses a SavedRequestAwareAuthenticationSuccessHandler one successful authenticaion. According to the reading I have done the order I have defined the filters is correct

<sec:filter-chain pattern="/dyn/api/**" filters="securityContextFilterWithASCFalse,
apikeyAuthFilter,
servletApiFilter,
exceptionTranslationFilterForRestServices,
filterSecurityInterceptor"/>

Secondly the redirect URL seems to be incorrect in any case since the FirewalledRequestWrapper is stripping most of the path related information?

I will keep diving deeper but if anyone has any initial thoughts that would be helpful?

Thanks,
Serge

**Luke Taylor** · Jan 26th, 2011, 12:51 PM

That's correct. ExceptionTranslationFilter stores the request, you authenticate and the AuthenticationSuccessHandler retrieves the saved request and redirects to that URL.

The RequestCacheFilter restores the request on the subsequent invocation.

You'll need to expand on what you mean about the path information being stripped? What is the original URL you want to redirect to and what information is being lost? Are you using path parameters in the URL?

**ssozonoff** · Jan 26th, 2011, 03:29 PM

Hello Luck,

Thanks for the quick response.

Originally Posted by Luke Taylor

That's correct. ExceptionTranslationFilter stores the request, you authenticate and the AuthenticationSuccessHandle

Sorry if I am being daft here but if the AuthenticationSuccessHandler is executed before passing through the ExceptionTranslationFilter, how does this work?

Originally Posted by Luke Taylor

You'll need to expand on what you mean about the path information being stripped? What is the original URL you want to redirect to and what information is being lost? Are you using path parameters in the URL?

Never mind, I am being stupid...

Thanks,
Serge

**Luke Taylor** · Jan 27th, 2011, 05:26 AM

Originally Posted by ssozonoff

Sorry if I am being daft here but if the AuthenticationSuccessHandler is executed before passing through the ExceptionTranslationFilter, how does this work?

The AuthenticationSuccessHandler is only invoked after the user is redirected to the login page and submits a (successful) login. So the sequence is

User attempts to access secured resource and an exception is raised
ExceptionTranslationFilter does its stuff (including storing the request)
AuthenticationEntryPoint redirects user to login page
User submits login
UsernamePasswordAuthenticationFilter (UPAF) notes that it is a login request
UPAF authenticates the user via the AuthenticationManager
UPAF invokes the AuthenticationSuccessHandler
The AuthenticationSuccessHandler decides where the user should be redirected to
UPAF returns

Hope that helps.

**ssozonoff** · Jan 27th, 2011, 07:27 AM

Hello Luke,

Originally Posted by Luke Taylor

Hope that helps.

Yes it does and makes sense, my head was in a different mode since I am working on a solution for API calls using a "fail" or "pass-through" approach. There will be no redirects or anything, its simply a 401 error if the APIKEY is wrong.

Hence I was observing a different behavior.

Thanks,
Serge

Thread: Spring Security 3.1.0.M2 and SavedRequestAwareAuthenticationSuccessHandler

Thread Tools

Display

Spring Security 3.1.0.M2 and SavedRequestAwareAuthenticationSuccessHandler

Posting Permissions