Login success URL for each browser tab

**amitkhanna** · Mar 21st, 2011, 03:22 AM

Hi

I am using Spring Security for access control and I have two pages in my application page1.html and page2.html. All the html pages are accessible to the users with role ROLE_USER.

<http auto-config="false" use-expressions="true" disable-url-rewriting="true">
<intercept-url pattern="/**/*.html" access="hasRole('ROLE_USER')"/>
<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?authfailed=true"/>
<logout invalidate-session="true" logout-url="/j_spring_security_logout"/>
</http>

I'm facing problems when I try following steps:
1. Open two tabs in firefox.
2. Open page1.html in tab1-> redirected to login.jsp
3. Open page2.html in tab2-> redirected to login.jsp
4. Goto tab 1 and enter username and password -> redirected to page2.html [it should be page1.html]
5. Goto tab 2 and enter username and password -> redirected to / [it should be page2.html]

I think this is because only one request is cached per session. Is there some way to maintain login success url for each browser tab/window, i.e. step 4 redirects to page1.html and step 5 redirects to page2.html?

Also I do not want POST requests to be resubmitted because that can lead to inconsistency, is there some way to configure this?

Thanks
Amit Khanna

**Luke Taylor** · Mar 21st, 2011, 06:17 AM

Spring Security has no knowledge of browser tabs and so on - all it sees are the requests from the client.

If you really want to do this, then you'll probably need to render the destination in the login form as an additional login parameter, and customize the server-side logic to make use of it (by writing a custom AuthenticationSuccessHandler).

**amitkhanna** · Mar 21st, 2011, 08:09 AM

Hi

On debugging the code I found that the success handler which is used by spring security is "SavedRequestAwareAuthenticationSuccessHandler " and if request has parameter that matches the value returned from getTargetUrlParameter() [defailt value= "spring-security-redirect"] it redirects the request to the URL that is mentioned in the value of this parameter.

I think if I can add this parameter to the request that is redirected to the login page like /login.jsp?spring-security-redirect="urlOfTheCurrentRequest", then this redirect url can be added to the submit button's action on login page /j_spring_security_check?spring-security-redirect="urlOfTheCurrentRequest" using javascript. This will serve the purpose as each tab will have a separate login success URL.

I also found that ExceptionTranslationFilter passes the request to AuthenticationEntryPoint.commence method on AuthenticationException. The default entry point used is LoginUrlAuthenticationEntryPoint which builds a URL for login page and sends it to DefaultRedirectStrategy which in turn redirects the request to the login page.

How can I use custom AuthenticationEntryPoint or RedirectStrategy using the namespace tags? Is there any AuthenticationEntryPoint or RedirectStrategy provided with Spring Security that can add this parameter (i.e. "spring-security-redirect") to redirect URL?

Thanks
Amit Khanna

**Luke Taylor** · Mar 21st, 2011, 08:17 AM

You need to be very careful when using parameters to determine a redirect location.

If you add it to the URL, you add the possibility that a malicious attacker can get someone to click on a link such as:

Code:

/login.jsp?spring-security-redirect=http://hackmyapp.com/

Just render it as an additional field in the form.

**amitkhanna** · Mar 21st, 2011, 08:50 AM

Hi Luke

In that case I can add check that only redirect to the value of 'spring-security-redirect' only if it is a relative URL?

But I don't know how to configure these things in spring config file. Can you suggest a tutorial for this?

I'm not sure about this, but is it really a security issue if user asks my server to redirect the request to http://hackmyapp.com/ on authentication success. I mean, this redirect will be using HTTP Status Code 302, in which browser sends another request for http://hackmyapp.com/ and nothing in this request is related to session the user has created with my server or the login request that is sent to my server?

If this is a major security issue, then, when we use the default success handler "SavedRequestAwareAuthenticationSuccessHandler " and a malicious user edits the login page using firebug and changes the action of submit button on login form to /j_spring_security_check?spring-security-redirect=http://hackmyapp.com/ the "SavedRequestAwareAuthenticationSuccessHandler " anyway is going to redirect the request to http://hackmyapp.com/. So isn't it a major concern for all applications using Spring Security?

I do not have much experience in Security related sutff, and whatever i've written above are the random questions that came to my mind on first thought. I may be wrong at many things that i mentioned, please correct me.

Thanks
Amit Khanna

**fertroya** · Dec 6th, 2012, 11:35 AM

Hi Amit, did you get around this problem?
I'm in the exact same scenario.

We have multiple portlets pointing to the same application (different paths) and savedRequests are being overriden upon user authentication.

Thanks!

Thread: Login success URL for each browser tab

Thread Tools

Display

Login success URL for each browser tab

Tags for this Thread

Posting Permissions