I'm not all that familiar with the Spring Security Grails plugin, but I have outlined a few options available in Spring Security:
1) Use the targetUrlParameter defined on SavedRequestAwareAuthenticationSuccessHandler. You should be careful with this approach since it can lead to redirecting to other websites. See the OWASP Open redirect page for details on this.
2) Save the request using the RequestCache interface (HttpSessionRequestCache is the default implementation).
3) This option is only available in Spring Security 3.1. Create a custom RequestMatcher and a separate http block that matches if the user is not authenticated and a specific http parameter is present. The configuration in standard Spring would look something like:
Code:
    <http request-matcher-ref="customMatcher" use-expressions="true">
        <intercept-url pattern="/**" access="authenticated"/>
        .. use same form-login configuration in here ..
    </http>

    <http auto-config="true" use-expressions="true">
        .. standard configuration ...
    </http>

    <b:bean id="customMatcher" class="UnauthenticatedAndForceLoginParamRequestMatcher"/>
UnauthenticatedAndForceLoginParamRequestMatcher would look something like:
Code:
    import javax.servlet.http.HttpServletRequest;
    import org.springframework.security.authentication.AuthenticationTrustResolver;
    import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.web.util.RequestMatcher; // 3.1 package (moved to web.util.matcher in 3.2)

    public class UnauthenticatedAndForceLoginParamRequestMatcher implements RequestMatcher {
        private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

        @Override
        public boolean matches(HttpServletRequest request) {
            // Match only anonymous (not yet logged-in) requests that carry the forceLogin parameter
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            return trustResolver.isAnonymous(authentication) && request.getParameter("forceLogin") != null;
        }
    }
Then the login link could just be a link to the current page that contains the query parameter named forceLogin (or whatever your RequestMatcher is matching on). This would allow Spring Security to handle the saved request for you and avoid open redirect problems.
HTH,
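Added example for option 1 above (not part of the original answer): the open-redirect risk of targetUrlParameter comes from trusting a client-supplied URL, so the value can be checked before it is used. The class below extends the real SavedRequestAwareAuthenticationSuccessHandler and overrides its determineTargetUrl hook; if the target parameter names a location that could leave the application (an absolute URL, a protocol-relative "//host" or "/\host" form, or a value containing control characters), it falls back to the default target URL instead. The class name LocalOnlyTargetUrlSuccessHandler and the helper isLocalRedirect are illustrative names chosen here; getTargetUrlParameter, getDefaultTargetUrl and determineTargetUrl are the inherited Spring Security methods.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

/**
 * Success handler that honours the targetUrlParameter only when its value is a
 * path on this application. Anything that could send the browser elsewhere
 * falls back to the configured default target URL.
 * (Class and helper names are illustrative, not Spring Security API.)
 */
public class LocalOnlyTargetUrlSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    @Override
    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
        String paramName = getTargetUrlParameter();
        if (paramName != null) {
            String candidate = request.getParameter(paramName);
            if (candidate != null && !isLocalRedirect(candidate)) {
                // Client-supplied value is not a local path: ignore it rather than redirect off-site.
                return getDefaultTargetUrl();
            }
        }
        // Either no parameter was sent or it passed validation; let the parent resolve the URL.
        return super.determineTargetUrl(request, response);
    }

    /**
     * Accepts only same-origin paths: the value must start with a single "/",
     * must not be protocol-relative ("//..." or "/\...", which browsers treat
     * alike), and must not contain control characters that could split a header.
     */
    static boolean isLocalRedirect(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        if (target.charAt(0) != '/') {
            return false;                         // e.g. "http://other.example/", "other.example"
        }
        if (target.length() > 1 && (target.charAt(1) == '/' || target.charAt(1) == '\\')) {
            return false;                         // e.g. "//other.example/x", "/\other.example"
        }
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return false;                     // CR, LF, tab and other control characters
            }
        }
        return true;
    }
}
```

To use it, declare the class as a bean with its targetUrlParameter property set (for example to "targetUrl") and reference it from form-login via authentication-success-handler-ref; the saved-request behaviour of the parent class is unchanged, only the parameter value is validated.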