
Thread: Different target urls for different user roles

  1. #1
    Join Date
    Mar 2008
    Posts
    3

    Default Different target urls for different user roles

    Hi !

    I have two types of roles, ROLE_USER and ROLE_ADMIN. I want user to be redirected after sign in to appropriate urls, something like

    ROLE_USER => /profile/privateProfile
    ROLE_ADMIN => /admin/ControlPanel

    Any suggestions on how to implement it? I can't figure out where I should start digging. I'm using a namespace-based security configuration file. Thanks!

  2. #2
    Luke Taylor is offline Senior Member Acegi Security System TeamSpring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    You'll need to use a customized AuthenticationProcessingFilter. You can control the target URL either by overriding methods or using a custom TargetUrlResolver.

  3. #3
    Join Date
    Oct 2007
    Posts
    3

    Default

    Hi Luke,

    Any sample code for that ?

    Thanks.

  4. #4
    Join Date
    Mar 2008
    Posts
    3

    Default

    Hi !

    Luke, thanks a lot for answer.

    @TomAng

    Here is my code + config
    Code:
    package com.mycoolcompany.App.CustomSecurity;
    
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;
    
    import org.springframework.security.Authentication;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.GrantedAuthority;
    import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
    import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;
    
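    /**
     * Form-login filter that, after a successful authentication, picks the post-login
     * landing page from the authorities granted to the user.
     *
     * <p>The landing page is only a redirect target. Which URLs a user may actually open
     * is decided by the access rules of the security configuration, not by this class.
     */
    public class CustomAuthenticationProcessingFilter extends AuthenticationProcessingFilter
    {
        /** Authority whose holders are sent to the administrator landing page. */
        private static final String ADMIN_AUTHORITY = "ROLE_SUPERVISOR";

        /** Landing page for users holding {@link #ADMIN_AUTHORITY}. */
        private static final String ADMIN_TARGET_URL = "/adminArea";

        /** Landing page for every other authenticated user. */
        private static final String USER_TARGET_URL = "/someOtherUserArea";

        /**
         * Authenticates the submitted username and password and selects the landing page.
         *
         * @param request the login form submission
         * @return the authenticated token returned by the authentication manager
         * @throws AuthenticationException if the authentication manager rejects the credentials
         */
        @Override
        public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException {
            String username = obtainUsername(request);
            String password = obtainPassword(request);

            // Missing form fields are treated as empty strings so the token is never built from null.
            if (username == null) {
                username = "";
            }

            if (password == null) {
                password = "";
            }

            // Only the username is trimmed; the password is passed on exactly as submitted.
            username = username.trim();

            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

            // Place the last username attempted into HttpSession for views.
            // The value is attacker-controlled form input, so it is stored entity-escaped.
            HttpSession session = request.getSession(false);

            if (session != null || getAllowSessionCreation()) {
                request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, escapeEntities(username));
            }

            // Allow subclasses to set the "details" property
            setDetails(request, authRequest);

            // Throws AuthenticationException on bad credentials, so the code below
            // only runs for a successful login.
            final Authentication auth = this.getAuthenticationManager().authenticate(authRequest);

            // NOTE(review): setDefaultTargetUrl writes a field of this filter instance. The
            // configuration posted with this class declares the filter as one bean, so all
            // logins presumably share that field: two logins that overlap can overwrite each
            // other's value and a user can be redirected to the page chosen for someone else.
            // A per-request decision, such as the custom TargetUrlResolver suggested earlier
            // in the thread, avoids the shared write. Behaviour is left unchanged here.
            this.setDefaultTargetUrl(resolveTargetUrl(auth));

            return auth;
        }

        /** Returns the landing page matching the authorities of the authenticated user. */
        private static String resolveTargetUrl(Authentication auth) {
            for (GrantedAuthority grantedAuthority : auth.getAuthorities()) {
                if (ADMIN_AUTHORITY.equals(grantedAuthority.toString())) {
                    return ADMIN_TARGET_URL;
                }
            }
            return USER_TARGET_URL;
        }

        /**
         * Escapes the characters that are significant in HTML text and attribute values.
         *
         * <p>The two quote branches of the posted listing had lost their entity text (the
         * forum rendered the entities as the characters themselves, leaving literals that
         * do not compile); they are restored here. The ampersand is escaped as well, so
         * input such as {@code &lt;} is shown literally instead of being read as an entity.
         *
         * @param s the text to escape; must not be {@code null}
         * @return the escaped text
         */
        public static String escapeEntities(String s) {
            StringBuilder sb = new StringBuilder(s.length());

            for (int i = 0; i < s.length(); i++) {
                char c = s.charAt(i);

                switch (c) {
                    case '&':
                        sb.append("&amp;");
                        break;
                    case '<':
                        sb.append("&lt;");
                        break;
                    case '>':
                        sb.append("&gt;");
                        break;
                    case '"':
                        sb.append("&quot;");
                        break;
                    case '\'':
                        // Numeric reference: &apos; is not defined in HTML 4.
                        sb.append("&#39;");
                        break;
                    default:
                        sb.append(c);
                        break;
                }
            }

            return sb.toString();
        }
    }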
    config:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
        <!--
        Security namespace configuration for the custom login filter. The opening
        beans:beans element with its schema declarations was left out by the poster.
        -->
        <!-- auto-config is off; login is handled by the custom filter bean declared at the bottom. -->
        <http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">
            <!--
            These rules, not the post-login redirect, decide who may open a URL.
            Patterns are matched top to bottom and the first match applies, so the
            specific patterns have to stay above the catch-all /** rule.
            -->
            <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
            <intercept-url pattern="/someDefaultUrl/**" access="ROLE_SUPERVISOR"/>
            <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
            <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <anonymous  />
        </http>
    
        <!--
        Usernames/Passwords are
            rod/koala
            dianne/emu
            scott/wombat
            peter/opal
        These are sample accounts with their passwords written out in this comment;
        replace the whole user-service before using the file outside a demo.
        -->
        <authentication-provider>
            <!--
            Passwords are stored as MD5 digests and no salt source is configured.
            Unsalted MD5 is fast to brute-force and identical passwords produce
            identical digests, so this encoder is only suitable for the sample data.
            -->
            <password-encoder hash="md5"/>
            <user-service>
                <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
    	        <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
                <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
                <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
    	    </user-service>
    	</authentication-provider>
    
    	<!-- Exposes the namespace-created authentication manager under a bean name the filter can reference. -->
    	<authentication-manager alias='authenticationManagerAlias'/>
    	<!-- Entry point used for unauthenticated requests; it sends the browser to the login form. -->
    	<beans:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    	    <beans:property name="loginFormUrl" value="/login.jsp"/>
    	    <!-- With false the entry point does not force the login form onto HTTPS, so credentials travel in clear text unless TLS is enforced elsewhere. -->
    	    <beans:property name="forceHttps" value="false" />
    	</beans:bean>
    	<!-- The custom filter from the Java listing, registered at the position of the standard authentication processing filter. -->
      	<beans:bean id="myAuthenticationProcessingFilter" class="com.mycoolcompany.App.CustomSecurity.CustomAuthenticationProcessingFilter">
    		 <beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
    	     <!-- Startup value only: attemptAuthentication in the custom filter calls setDefaultTargetUrl on each successful login and replaces it. -->
    	     <beans:property name="defaultTargetUrl" value="/someDefaultUrl/index.jsp"/>
    	     <beans:property name="authenticationManager" ref="authenticationManagerAlias"/>
    	     <custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
    	</beans:bean>
    </beans:beans>
    P.S. Because of the forum's limit on posting URLs I can't post the schema definition here, but you can grab it from the SVN source code repository at
    \trunk\samples\tutorial\src\main\webapp\WEB-INF\applicationContext-security.xml

  5. #5
    Join Date
    Oct 2007
    Posts
    3

    Default

    Thanks daoway, that gives us valuable info.
