I am implementing change-password functionality for my app including forced pass changes on expiration. While catering for users who have a protected (behind login) page bookmarked (or type them in free-hand) I have implemented an AuthenticationSuccessHandler (ASH).

My ASH works fine and I can take any request for a secured resource and force it to the Change Password page post-login, if the password has expired. The problem exists when I test a user whose password has not expired. I would like to be able to query the <form-login>'s default-target-url and send the user to whatever that is. There is even a method:
Code:
AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl(req, res)
Which would appear to return the URL I want but instead only returns "/" for me no matter what I try.

I have even gone through the source looking for where the default-target-url is parsed from the security.xml file and can't find it. As a work-around I have added a property to my ASH which I then hard-code with the default-target-url instead of putting it into the <form-login>. This works for me but does not seem to be the right way to do things.

Should the presence of an ASH override the attributes of a <form-login> completely? Or am I missing something?

Any help gratefully received.
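
Added example, not part of the original post and not Spring Security's own code: a success handler that sends expired-password users to the change-password page and otherwise defers to the stock saved-request/default-target logic. That logic reads the handler's own defaultTargetUrl property (inherited setDefaultTargetUrl, "/" when unset), not the <form-login> attribute. Assumptions: the javax.servlet API, a hypothetical PasswordExpiryChecker hook standing in for the application's expiry test, and a placeholder "/changePassword" path.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

public class PasswordExpiryAwareSuccessHandler
        extends SavedRequestAwareAuthenticationSuccessHandler {

    /** Hypothetical application hook; not a Spring Security type. */
    public interface PasswordExpiryChecker {
        boolean isExpired(Authentication authentication);
    }

    private final PasswordExpiryChecker expiryChecker;

    // Placeholder path (assumption); fixed server-side, never taken from the request.
    private String changePasswordUrl = "/changePassword";

    public PasswordExpiryAwareSuccessHandler(PasswordExpiryChecker expiryChecker) {
        this.expiryChecker = expiryChecker;
    }

    public void setChangePasswordUrl(String changePasswordUrl) {
        this.changePasswordUrl = changePasswordUrl;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {
        if (expiryChecker.isExpired(authentication)) {
            // Expired: ignore any saved request or bookmark and go to the change page.
            getRedirectStrategy().sendRedirect(request, response, changePasswordUrl);
            return;
        }
        // Not expired: the parent redirects to the saved request if one exists,
        // otherwise to this handler's defaultTargetUrl (set via setDefaultTargetUrl).
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```

The post-login redirect only steers the browser; unless something also blocks other secured URLs until the password is changed, a user with an expired password can still request them directly.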