Feb 2nd, 2011, 04:03 AM
dynamic default Target Url in Acegi
I have two requirements in my project as immediate requirements.
1. I'm using Acegi for my web app as well as from a mobile application. So whenever I log in from a mobile app using the same login page of Acegi, I wish to fetch a parameter from the URL as app="mobile", or if it is from another app I need to fetch the app name of the application from which I am sending the login credentials, along with the j_username, j_password. I wish to know how to access the app parameter that I'm sending in the URL and wish to save the app parameter in the session of the Spring application, and based on that attribute I wish to achieve the requirement below.
2. Based on the parameter app="" that comes along with the login URL j_security_check, username and password, I wish to change the defaultUrl in Acegi dynamically to where it has to be redirected.
So I wish someone would help me immediately regarding this requirement, as it is very urgent for me to deliver the output.
Guys, this is my first post, so please don't disappoint me, and help me in a timely manner.
Feb 3rd, 2011, 08:59 AM
Is there a reason you are using Acegi? Since it is no longer supported it will be difficult to get answers to questions. Not to mention the fact that it has security vulnerabilities in it that will not be addressed. I would recommend upgrading to Spring Security 3.x if possible, but at minimum I would use Spring Security 2.x.
Originally Posted by ashil
Spring Security 3 has a parameter (i.e. spring-security-redirect) that can be specified on the login form that tells what page the user should go to. You would need to ensure you validate that the URL is an acceptable value (i.e. it is not http://evil.example.com) and if so have your AuthenticationEntryPoint include it in the URL to the login page. The login page would then need to render it so it is submitted to the URL that processes authentication. The AbstractAuthenticationTargetUrlRequestHandler then uses that parameter to determine where to redirect you to. It may be better to place the validation of spring-security-redirect here, since it is where the redirect is actually being done.
I don't recall the exact flow for using Acegi as I haven't really used it in a while. If you are struggling and must use Acegi, I will dig through the code to give you a suggestion. I highly recommend you upgrade to Spring Security though.
Feb 3rd, 2011, 02:58 PM
Best option would be to have your own version of SavedRequestAwareAuthenticationSuccessHandler filter.
Pass whatever request parameters from login form and make decision to where to redirect in the above filter.
In my use case this is what I did.
For secured pages, redirects are automatically handled by ExceptionTranslationFilter (I think it stores the original URL in DefaultSavedRequest) and SavedRequestAwareAuthenticationSuccessHandler.
For pages that are public (where access is Anonymous), I append the current page URL to the Login link as return_to_url="/whatever_public_page", which I then pass as the hidden field "spring-security-redirect" in my login form post.
The SavedRequestAwareAuthenticationSuccessHandler will then redirect appropriately.
All my current use cases are implementable with namespace declarations without any custom filters.
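
The redirect validation the second reply asks for, combined with choosing a default target from the app parameter, as an added example that is not part of any post in this thread. It is plain Java with no Spring dependency; resolve() could be called from an overridden determineTargetUrl in a custom success handler. The app names and landing paths are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;

public class LoginTargetResolver {
    // Hypothetical app names and landing pages; the thread does not specify them.
    private static final Map<String, String> APP_TARGETS =
            Map.of("mobile", "/mobile/home", "web", "/home");
    private static final String DEFAULT_TARGET = "/home";

    /** The raw "app" value is only a lookup key; it is never used as a URL itself. */
    static String targetForApp(String app) {
        return app == null ? DEFAULT_TARGET : APP_TARGETS.getOrDefault(app, DEFAULT_TARGET);
    }

    /** Accepts only paths inside this application, e.g. "/reports?id=3". */
    static boolean isSafeLocalRedirect(String url) {
        if (url == null || url.isEmpty() || url.charAt(0) != '/') return false;
        // "//host" and "/\host" are treated by browsers as off-site URLs.
        if (url.startsWith("//") || url.indexOf('\\') >= 0) return false;
        for (char c : url.toCharArray()) {
            if (c < 0x20 || c == 0x7f) return false; // CR/LF and other control chars
        }
        try {
            URI parsed = new URI(url);
            return !parsed.isAbsolute() && parsed.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** A valid requested redirect wins; otherwise fall back to the per-app default. */
    static String resolve(String app, String requestedRedirect) {
        return isSafeLocalRedirect(requestedRedirect) ? requestedRedirect : targetForApp(app);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: {app, spring-security-redirect value}
        String[][] cases = {
            {"mobile", null},
            {"mobile", "/whatever_public_page"},
            {"web", "http://evil.example.com"},
            {"web", "//evil.example.com/x"},
            {"unknown-app", "/\\evil.example.com"},
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " + " + c[1] + " -> " + resolve(c[0], c[1]));
        }
    }
}
```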