Thread: Spring login without being redirected?

  1. #1
    Join Date
    May 2010
    Posts
    3

    Default Spring login without being redirected?

    We have the classical setup of spring security with a redirect to a login.jsp page. Unfortunately this setup doesn't work well in our application and we would like to handle Spring login ourselves without being redirected.

    Our client-side code consists of a JavaScript viewport (using ExtJs) and everything (forms, maps, etc.) is enclosed by that viewport. Communication is done through Ajax calls. That all works nicely, except when our session expires and the user is redirected to the login screen. As a consequence of this redirection, all unsubmitted data that resided in JavaScript gets lost. Even when we create a login form in JavaScript and perform an Ajax POST to j_spring_security_check, the header of the response contains the redirect location, and the browser automatically redirects the whole window to a GET on whatever (Ajax) request was going on before the login page came up.

    We basically want to perform a POST operation on j_spring_security_check with the username and password as parameters and obtain as a result a simple 'true' or 'false' that indicates whether the authentication succeeded. When a client tries to access a protected resource without being authenticated/authorized, we would like to get a simple HTML error code rather than being redirected without warning.

    Can this be easily done?

    Best regards,
    Peter Rigole

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    You can use an Http403ForbiddenEntryPoint to prevent the redirection. Injecting an AuthenticationSuccessHandler and an AuthenticationFailureHandler should allow you to control exactly what happens after authentication.
    Spring - by Pivotal
    twitter @tekul

  3. #3
    Join Date
    May 2010
    Posts
    3

    Default Spring login without being redirected?

    Thanks! I finally got it working the way I want it to work. Although the solution looks incredibly simple, I copied it below for anyone hitting this thread looking for a similar solution.

    Best regards,
    Peter Rigole - www.qmino.com

    Spring security configuration:
    HTML Code:
        <security:http entry-point-ref="authenticationEntryPoint">
            <security:custom-filter position="BASIC_AUTH_FILTER" ref="loginFilter"/>
            <security:intercept-url pattern="/success.html" access="ROLE_USER"/>
            <security:intercept-url pattern="/login.jsp" filters="none"/>
        </security:http>
    
        <bean id="authenticationEntryPoint"
              class="MyAuthenticationEntryPoint">
        </bean>
    
        <bean id="loginFilter"
              class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="filterProcessesUrl" value="/j_spring_security_check"/>
            <property name="authenticationSuccessHandler">
                <bean class="MyAuthenticationSuccessHandler"/>
            </property>
            <property name="authenticationFailureHandler">
                <bean class="MyAuthenticationFailureHandler"/>
            </property>
        </bean>
    
        <security:authentication-manager alias="authenticationManager">
            <security:authentication-provider>
                <security:user-service>
                    <security:user name="test" password="test" authorities="ROLE_USER, ROLE_ADMIN"/>
                </security:user-service>
            </security:authentication-provider>
        </security:authentication-manager>
    My authentication entry point:
    Code:
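    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.AuthenticationEntryPoint;

    public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {

        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }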
    The success handler:
    Code:
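    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

    public class MyAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws IOException, ServletException {
            // This is actually not an error, but an OK message. It is sent to avoid redirects.
            response.sendError(HttpServletResponse.SC_OK);
        }
    }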
    And the failure handler:
    Code:
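    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

    public class MyAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                            AuthenticationException exception) throws IOException, ServletException {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication Failed: " + exception.getMessage());
        }
    }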
    And the login.jsp page I used for testing purposes. It uses Ext JS, but this is, obviously, independent from the server-side code above.
    HTML Code:
    <html>
    <head>
        <title>Test Page</title>
    
        <!-- Input EXT -->
        <link rel="stylesheet" type="text/css" href="js/ext/resources/css/ext-all.css"/>
        <link rel="stylesheet" type="text/css" href="js/ext/resources/css/xtheme-blue.css"/>
        <script type="text/javascript" src="js/ext/adapter/ext/ext-base.js"></script>
        <script type="text/javascript" src="js/ext/ext-all-debug.js"></script>
        <script type="text/javascript">
            <!--
            Ext.onReady(function() {
                Ext.get('loginButton').on('click', function() {
                    Ext.Ajax.request({
                        url: "j_spring_security_check",
                        params: {
                            j_username: "test",
                            j_password: "test"
                        },
                        method: "POST",
                        success: function(result, options) {
                            // We get a success from the server
                        },
                        failure: function(result, options) {
                            // We get a failure from the server...
                        }
                    });
                });
    
            });
            // -->
        </script>
    
    </head>
    <body>
    
    <div>
        <input type="button" id="loginButton" value="Log in"/>
    </div>
    
    </body>
    </html>
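
The client half of the setup in this thread, as an added example that is not part of the original posts: an Ajax wrapper that treats the entry point's 403 as "session expired", logs in once via j_spring_security_check, and replays the pending request so unsubmitted data is not lost. The `send` transport, the `promptCredentials` dialog, the `notes/save` URL used to exercise it and the in-memory server are assumptions made so the code runs offline.

```javascript
// Added example, not code from the thread. `send` is an assumed transport:
// send({url, method, params}) -> Promise<{status, body}>, e.g. a wrapper around
// Ext.Ajax.request. `promptCredentials` is a hypothetical login dialog.
function createSessionAwareClient(send, promptCredentials) {
  let loginInFlight = null; // one login shared by all requests that hit 403

  function login() {
    if (!loginInFlight) {
      loginInFlight = promptCredentials()
        .then((c) => send({
          url: "j_spring_security_check",
          method: "POST",
          params: { j_username: c.username, j_password: c.password },
        }))
        .then((res) => {
          // 200 = MyAuthenticationSuccessHandler, 401 = MyAuthenticationFailureHandler
          if (res.status !== 200) throw new Error("login rejected: " + res.status);
        })
        .finally(() => { loginInFlight = null; });
    }
    return loginInFlight;
  }

  return async function request(req) {
    const first = await send(req);
    if (first.status !== 403) return first;
    await login(); // 403 = MyAuthenticationEntryPoint: no valid session
    // Replay exactly once with the payload still held in memory. A second 403
    // is returned to the caller (access denied) instead of prompting again.
    return send(req);
  };
}

// Constructed stand-in for the server configured in the thread (runs offline).
function createFakeServer() {
  let authenticated = false;
  const log = [];
  async function send(req) {
    log.push(req.method + " " + req.url);
    if (req.url === "j_spring_security_check") {
      authenticated = req.params.j_username === "test" && req.params.j_password === "test";
      return { status: authenticated ? 200 : 401, body: "" };
    }
    return authenticated
      ? { status: 200, body: "saved:" + req.params.note }
      : { status: 403, body: "" };
  }
  return { send, log };
}
```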

  4. #4
    Join Date
    May 2010
    Location
    Bitetto (BA), Apulia, Italy
    Posts
    21

    Default

    Thank you for sharing, Peter! Now this thread is under my bookmarks.

  5. #5

    Default

    Quote: Originally Posted by prigole
    Thanks! I finally got it working the way I want it to work. Although the solution looks incredibly simple, I copied it below for anyone hitting this thread looking for a similar solution.

    Best regards,
    Peter Rigole - www.qmino.com
    ...
    Hi Peter,

    Where did you learn how the SimpleUrlAuthenticationSuccessHandler shall be extended? I want to prompt back to the page where a user actively clicks the login. I haven't found what I shall put inside of the onAuthenticationSuccess method.
    Last edited by vw729; May 22nd, 2010 at 05:40 PM.
    [URL="http://vicina.info"] News, community news, classified ads
