Spring Security / SEC-1276

The login form controller/servlet inside of spring security does not spring-security-redirect on failed login attempt

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Invalid
    • Affects Version/s: 3.0.0 RC1
    • Fix Version/s: 3.0.0.RC2
    • Component/s: Web
    • Labels:
      None

      Description

      I'm having trouble getting spring-security-redirect to work if they fail to login.

      I use a hidden input to pass "spring-security-redirect" post parameter to the /j_spring_security_check action, like this:

      Code:

              <input type="hidden" name="spring-security-redirect"
                     value="${RequestParameters["previousUrl"]!}" />
      

      Now, this works fine if they login correctly the first time. Upon successive attempts, this obviously won't work.

      Where does Spring security expose this value when it bounces back to the form? I've tried "SPRING_SECURITY_REDIRECT" model data... like the same type as the other SPRING_SECURITY_* variables... but it's not there. I've tried a whole bunch of other combinations as well, like "spring_security_redirect", "j_redirect", or "_spring_security_redirect".

      Part of the problem that makes this difficult is that it is:

      1) Poorly documented compared to everything else in the framework - merely relying on a single jsp example (and some people don't even use jsp...)

      2) There is a lack of naming conventions. My login view is cluttered with all sorts of j_ this, SPRING_SECURITY_* that. Some fields start with "_". It's a little mind-boggling and it's hard to intuitively guess what I should do.

      What do I need to do to have my form "remember" the passed in url? I can't find it anywhere in the documentation and I've searched google for examples. What I have already - just knowing about spring-security-redirect - is the best I've been able to do.

      Thanks!

        Activity

        Luke Taylor added a comment -

        The redirect parameter was introduced for SEC-213. That is all. The functionality is now part of the class AbstractAuthenticationTargetUrlRequestHandler.

        I don't understand the rest of your post - you seem to be assuming some kind of behaviour which doesn't exist and then attempting to guess the names of attributes which might contain the value of this parameter???

        Luke Taylor added a comment -

        Not a bug.

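        One way to carry the requested target back to the login form after a failed attempt, given that the framework does not do this itself. This is an added example, not part of the issue and not Spring Security's own code; the class name, the `/login` path and the `javax.servlet` API generation are assumptions, and `previousUrl` is the request parameter the reporter's template reads.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/** Hypothetical handler: returns a failed login to the form with the target preserved. */
public class RedirectPreservingFailureHandler implements AuthenticationFailureHandler {

    private static final String TARGET_PARAM = "spring-security-redirect"; // posted by the form
    private static final String FORM_PARAM = "previousUrl"; // read by the reporter's template
    private static final String LOGIN_PAGE = "/login";      // assumed login page path

    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        String url = LOGIN_PAGE;
        String target = request.getParameter(TARGET_PARAM);
        // Only echo the value back if it is a path inside this application;
        // anything else is dropped so the form cannot be seeded with an external URL.
        if (isLocalPath(target)) {
            url += "?" + FORM_PARAM + "=" + URLEncoder.encode(target, "UTF-8");
        }
        redirectStrategy.sendRedirect(request, response, url);
    }

    /** Accepts "/some/path" only: no scheme, no "//host", no backslashes or control characters. */
    static boolean isLocalPath(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            return false;
        }
        for (char c : target.toCharArray()) {
            if (c == '\\' || c < 0x20) {
                return false;
            }
        }
        return true;
    }
}
```

        The handler would be registered through the `authentication-failure-handler-ref` attribute of `<form-login>`. The template should HTML-escape the value when it writes it into the hidden input.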

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Ken Egervari
          • Votes:
            0
            Watchers:
            1
