Spring Security / SEC-1517

Proper returnToUrlParameters cannot be set easily for OpenIDAuthenticationFilter

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.3
    • Fix Version/s: 3.1.0.M1
    • Component/s: OpenID
    • Labels:
      None

      Description

      The default implementation of the "returnToUrlParameters" doesn't take into consideration the "targetUrlParameter" property of the AbstractAuthenticationTargetUrlRequestHandler class. This basically breaks the ability to specify a dynamic landing page after a successful login.

      In OpenIDAuthenticationFilter.java the "returnToUrlParameters" should be something like:

      if (returnToUrlParameters.isEmpty() &&
              getRememberMeServices() instanceof AbstractRememberMeServices &&
              getSuccessHandler() instanceof AbstractAuthenticationTargetUrlRequestHandler) {
          returnToUrlParameters = new HashSet<String>();
          returnToUrlParameters.add(((AbstractRememberMeServices) getRememberMeServices()).getParameter());
          returnToUrlParameters.add(((AbstractAuthenticationTargetUrlRequestHandler) getSuccessHandler()).getTargetUrlParameter());
      }

      This way the default "spring-security-redirect" parameter will become available in the authorization request and it will be later available for consumption.

      Additionally, it would be great if a few more properties were exposed in the Security configuration namespace so that more values can be injected.

        Activity

        Luke Taylor added a comment -

        I'd prefer not to do this as it is accounting for a very specific case and the way navigation works with OpenID is always going to be different from a simple login followed by a redirect. You can set the returnToUrlParameters directly on the filter, to include the and you have full control over the URL itself by overriding the buildReturnToUrl() method.

        Rostislav Hristov added a comment -

        It looks like I can inject the returnToUrlParameters only if I don't use the Security namespace, which means that I'll have to replace half of the configuration with plain bean declarations. I will probably end up doing that in order to achieve a higher level of customization, but overall it will be better if this is possible with the simpler namespace config.

        Luke Taylor added a comment -

        You should normally only need to add two explicit beans - the filter and the entry point.

        The namespace is only meant to support basic configuration options. There's a balance to be struck between adding too much functionality and obfuscating what is actually going on.

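The approach suggested in the comments above (set returnToUrlParameters on the filter and override buildReturnToUrl()), as an added example that is not code from this issue or from Spring Security. The class name, the remember-me parameter literal and the local-path check on the user-supplied target are assumptions, written against the 3.0.x OpenIDAuthenticationFilter API.

```java
import java.util.Arrays;
import java.util.HashSet;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.springframework.security.openid.OpenIDAuthenticationFilter;

// Hypothetical subclass, declared as an explicit bean instead of the namespace-created filter.
public class TargetAwareOpenIDAuthenticationFilter extends OpenIDAuthenticationFilter {

    // Default target parameter named in the issue description.
    private static final String TARGET_PARAM = "spring-security-redirect";
    // Assumed default remember-me parameter of AbstractRememberMeServices.
    private static final String REMEMBER_ME_PARAM = "_spring_security_remember_me";

    public TargetAwareOpenIDAuthenticationFilter() {
        // Setting the set explicitly means the filter's own default for an empty set is not used.
        setReturnToUrlParameters(
                new HashSet<String>(Arrays.asList(REMEMBER_ME_PARAM, TARGET_PARAM)));
    }

    @Override
    protected String buildReturnToUrl(HttpServletRequest request) {
        String target = request.getParameter(TARGET_PARAM);
        if (target == null || isLocalPath(target)) {
            return super.buildReturnToUrl(request);
        }
        // The target is request-supplied: hide a non-local value so it is
        // never copied into return_to and never reaches the success handler.
        return super.buildReturnToUrl(new HttpServletRequestWrapper(request) {
            @Override
            public String getParameter(String name) {
                return TARGET_PARAM.equals(name) ? null : super.getParameter(name);
            }
        });
    }

    // Assumed policy: accept only same-application paths such as "/account".
    static boolean isLocalPath(String target) {
        return target.startsWith("/")
                && !target.startsWith("//")
                && target.indexOf('\\') < 0;
    }
}
```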

          People

          • Assignee: Luke Taylor
          • Reporter: Rostislav Hristov