We have a stateless app, so that means no sessions. We still want the functionality of redirecting a user to the URL they were trying to access before they were forced to login. Since Spring Security's default mechanism for doing this uses a session, we implemented our own RequestCache. It basically sets a cookie with the URL they were trying to get to and then reads that cookie when they login.
It's all working great except for one thing. Spring Security never calls the removeRequest() method after successful login. As a result, the cookie never gets deleted. So, if they just logout, and then log back in (there wasn't a protected URL they were trying to get to), it sees the cookie and then directs to there.
I was looking through the source code of SavedRequestAwareAuthenticationSuccessHandler and found where it redirects to the SavedRequest retrieved from the getRequest() method on the RequestCache.
It seems like after getting the targetUrl, it should call removeRequest(), since it got what it needed from the SavedRequest. With the default HttpSessionRequestCache, the SavedRequest will go away as soon as the session is invalidated, but there are cases like this when the SavedRequest should be removed as soon as it's able to redirect. I wouldn't think there would be a problem with calling HttpSessionRequestCache's removeRequest() at this point. Am I missing something here?
// Use the DefaultSavedRequest URL
String targetUrl = savedRequest.getRedirectUrl();
logger.debug("Redirecting to DefaultSavedRequest Url: " + targetUrl);
getRedirectStrategy().sendRedirect(request, response, targetUrl);
Is there a good workaround for this?
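One workaround, added here as an example and not code from the original post or from Spring Security itself: a success handler that consumes the cached entry itself, calling removeRequest() right after reading the target URL and before redirecting. It assumes a Spring Security 6 / jakarta.servlet setup (use javax.servlet on older versions), that the cookie-backed RequestCache from the post is injected as `requestCache`, and it adds a same-host check on the cookie's URL because that value is client-controlled; `pointsAtThisHost` is a helper written for this example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

/** Reads the target URL, calls removeRequest() immediately, then redirects. */
public class ConsumingSavedRequestSuccessHandler
        extends SavedRequestAwareAuthenticationSuccessHandler {
    private final RequestCache requestCache; // the cookie-backed cache from the post (assumed)

    public ConsumingSavedRequestSuccessHandler(RequestCache requestCache) {
        this.requestCache = requestCache;
        setRequestCache(requestCache); // keep the parent's fallback path consistent
    }
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws ServletException, IOException {
        SavedRequest savedRequest = requestCache.getRequest(request, response);
        if (savedRequest == null) {
            super.onAuthenticationSuccess(request, response, authentication);
            return;
        }
        String targetUrl = savedRequest.getRedirectUrl();
        // Consume the entry before redirecting so a stale cookie cannot
        // steer a later, unrelated login (the behaviour described above).
        requestCache.removeRequest(request, response);
        clearAuthenticationAttributes(request);
        // The cookie is client-controlled: only follow same-host targets.
        String safeUrl = pointsAtThisHost(targetUrl, request) ? targetUrl : getDefaultTargetUrl();
        getRedirectStrategy().sendRedirect(request, response, safeUrl);
    }

    /** Local absolute path ("/orders/42") or absolute URL whose host matches ours. */
    static boolean pointsAtThisHost(String url, HttpServletRequest request) {
        try {
            String host = new URI(url).getHost();
            if (host == null) return url.startsWith("/") && !url.startsWith("//");
            return host.equalsIgnoreCase(request.getServerName());
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

Register it as the form-login success handler in place of the default one; the cookie is then cleared on the same response that performs the redirect, so a later logout/login cycle no longer sees it.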