Previous page not remembered

[lilolme]

I am using spring security for a project (spring+hibernate) with database authentication.

If the user attempts to go to a secured page, he is redirected to the login form but he does not go to the earlier requested page even though this is the documented default behavior.

I have provided relevant sections of web.xml, root-context.xml and spring-security.xml

I am using spring 3.0.5.RELEASE

web.xml

Code:

 ....
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
			/WEB-INF/spring/root-context.xml
			/WEB-INF/spring/security/spring-security.xml
		</param-value>
	</context-param>

	<!-- Create the Spring security filter -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
...

root-context.xml

Code:

	<security:global-method-security secured-annotations="enabled"></security:global-method-security>

spring-security.xml

Code:

	<security:http auto-config="true" use-expressions="true" access-denied-page="/auth/denied" >
	
	
		<security:form-login
				login-page="/auth/login" 
				authentication-failure-url="/auth/login" 
				default-target-url="/mydefaultpage"
				always-use-default-target="false"/>
			
		<security:logout 
				invalidate-session="true" 
				logout-success-url="/auth/login" 
				logout-url="/auth/logout"/>
		<security:session-management invalid-session-url="/auth/login"/>
	</security:http>

I have tried with and without the always-use-default-target. I can only guess that I am overriding something so this property is not taking effect.

Thanks in advance.

[lilolme]

Is this a known issue? It should work according to the documentation.

A little more information. We have class that performs the db authentication .. perhaps we are missing something here.

Code:

public class LoginServiceProvider extends DaoAuthenticationProvider {

    ....

	@Override
	protected void additionalAuthenticationChecks(UserDetails userDetails,
			UsernamePasswordAuthenticationToken authentication)
			throws AuthenticationException {
		super.additionalAuthenticationChecks(userDetails, authentication);

		if (userDetails instanceof UserAuthorization) {
                                      //perform db authentication

		}
	}

}

[Rob Winch]

Is it safe to assume that the login form is submitting to /j_spring_security_check? Can you capture your http request/responses from the browser using something like Firebug?

[lilolme]

Thanks for the reply..

When I login after attempting to go to a url. The attempted url is passed in the referer but is not returned in the response. Would it normally use the Location to redirect to the previous page?


Request Headers
-----------------------
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding gzip, deflate
Accept-Language en-gb,en;q=0.5
Connection keep-alive
Cookie JSESSIONID=12B55779DD5540DF5B44A28D2B6BD7E7
Host localhost:8080
Referer http://localhost:8080/attemptedURL
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1



Response Headers
-----------------------
Content-Length 0
Date Fri, 13 Jan 2012 00:50:17 GMT
Location http://localhost:8080/defaultPage
Server Apache-Coyote/1.1
Set-Cookie JSESSIONID=6AB83648EDA82A8340E2B21C838E0A55; Path=/bailment/; HttpOnly

[lilolme]

and it is submitting to /j_spring_security_check

Any ideas?

[Rob Winch]

Can you include the request to the secured page, the response of the request to the secured page, the submission of the login page, and the response?

You might also enable the debug logs from Spring Security. If that doesn't help you please post them using the code tags.

Also please ensure your configuration matches the request response. For example, the configuration posted states that /mydefaultpage is the default-target-url, but this seems to imply that defaultPage is configured. These inconsistencies make it difficult to troubleshoot.

Cheers,