how to redirect user to the page before login screen

[vikas_chess]

I am using Spring Security 3.2 to implement login screen.

When user clicks on login link, he is redirected to login page url. Now, after successful login, I want him redirect back to the page before login screen.

Is there any simple way to do that using Spring Security?

security-config.xml

Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

	<http pattern="/resources" security="none" />

	<!-- HTTP security configurations -->
	<http auto-config="true" use-expressions="true">

		<!-- Configure these elements to secure URIs in your application -->
		<intercept-url pattern="/admin.htm" access="hasRole('ROLE_ADMIN')" />

		<form-login login-processing-url="/j_spring_security_check"
			login-page="/login.htm" authentication-failure-url="/login.htm?login_error=t" />

		<remember-me key="myAppKey" token-validity-seconds="864000" />

		<access-denied-handler error-page="/denied" />

	</http>

	<authentication-manager>
		<authentication-provider user-service-ref="customUserDetailsService">
			<password-encoder hash="sha" />
		</authentication-provider>
	</authentication-manager>

</beans:beans>

[OhadR]

Actually, Spring does so by default. Have a look at SavedRequestAwareAuthenticationSuccessHandler (which is used by Spring as a default handler).

What I suggest is: do not try to access directly the login page. Instead, try to get to a 'protected resource' which is protected by Spring. Then, Spring will redirect you to the login page, and after successful login it will redirect you back to the resource.

[vikas_chess]

Instead, try to get to a 'protected resource' which is protected by Spring.

Sorry, I did not get you. What do you mean by 'protected resource'? Kindly elaborate. Or, could you please show me some example or modifying the code I have added in my first post. Thanks.

Also, please find below web.xml, in case, if it is related to this:

Code:

  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <servlet>
    <servlet-name>demo</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>WEB-INF/spring/applicationContext.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>demo</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

and, in application-context.xml

Code:

	<!-- Handles HTTP GET requests for /resources/** by efficiently serving 
		up static resources -->
	<mvc:resources location="/" mapping="/**" />

[OhadR]

'Protected resource' is something you protect, using Spring Security. In your case, you have a web app that you protect, meaning only logged-in users can see.
Let's say you have a page in your app, 'accounts.html'. since it is in your protected app, a user that tries to reach this page will be redirected to the login page, and after successful login he will be redirected back to 'accounts.html'.

HTH.

[vikas_chess]

To make all the resources protected, I have used <intercept-url pattern="/**" /> as shown below:

Code:

	<http auto-config="true" use-expressions="true">

		<!-- Configure these elements to secure URIs in your application -->
		<intercept-url pattern="/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_USER', 'ROLE_ADMIN')" />

		<form-login login-processing-url="/j_spring_security_check"
			login-page="/login.htm" authentication-failure-url="/login.htm?login_error=t" />


		<logout logout-success-url="/" />

		<remember-me key="myAppKey" token-validity-seconds="864000" />

		<access-denied-handler error-page="/denied" />

	</http>

But, still it's not redirecting to previous page.

I have also tried intercept-url pattern="/*" and pattern="/" .. but, none works.

Kindly help me, where am going wrong.

[OhadR]

what is your flow? do you try to directly get to the login page? if so, Spring does not know what is your "previous" page.
do you try to get to another page, and then you get to the login screen?

[vikas_chess]

I go to another page and then go to login page. After login successful, I want to return back to previous page.

[OhadR]

what do u mean by

and then go to login page.

do you get redirected?

[vikas_chess]

Let's say, I am on page http://localhost:8080/vikas/personal.htm . After click on login hyper-link on the page, I am on http://localhost:8080/vikas/login.htm . On submit in the login screen, I am returning to http://localhost:8080/vikas/ page instead of http://localhost:8080/vikas/personal.htm .

[OhadR]

My suggestion is to make personal.htm 'prtected', meaning defining it in your security.xml so only ROLE_USER can access it. This way, when a non-registered user will try to get to this page, he will be redirected to the login page, and after successful login he will redirect you back to 'personal.htm'.

Code:

	<http auto-config="true" use-expressions="true">

		<!-- Configure these elements to secure URIs in your application -->
		<intercept-url pattern="/admin.htm" access="hasRole('ROLE_ADMIN')" />
		<intercept-url pattern="/personal.htm" access="ROLE_USER" />

...
	</http>