Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: 3.1.0.M2
    • Component/s: Web
    • Labels: None

      Description

      In some cases it would be useful to be able to post to a non-relative URL. Specifically, if you want your login-processing-url to be https (coming from an http login form).

      Currently, you use the form-login tag something like this:

      <form-login login-processing-url="/login" />

      I would like to be able to use either 1)

      <form-login login-processing-url="https://mydomain.com/login" />

      or 2)

      <form-login login-processing-url="/login" login-processing-channel="https" />

      Currently, URLs are restricted to being relative and/or don't allow you to specify the channel, which makes this not possible.

      To make 1) possible, all that is required is an update to org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.

      ~ Line 128

      if (formLoginEnabled) {
          sb.append("<h3>Login with Username and Password</h3>");
          sb.append("<form name='f' action='").append(request.getContextPath()).append(authenticationUrl).append("' method='POST'>\n");
          sb.append(" <table>\n");
          sb.append(" <tr><td>User:</td><td><input type='text' name='");
          sb.append(usernameParameter).append("' value='").append(lastUser).append("'></td></tr>\n");
          sb.append(" <tr><td>Password:</td><td><input type='password' name='").append(passwordParameter).append("'/></td></tr>\n");
          ...

      Change:

      sb.append("<form name='f' action='").append(request.getContextPath()).append(authenticationUrl).append("' method='POST'>\n");

      to check to see if the URL contains the channel, and if it does, request.getContextPath() is not appended.

      To do 2):

      org.springframework.security.config.http.FormLoginBeanDefinitionParser would need to be updated to take the new parameter as well as updating DefaultLoginPageGeneratingFilter and the schema for the form-login tag.

      I understand that this is not ideally secure and would require the following tag in the security config:
      <session-management session-fixation-protection="none" />

      However, it does provide the security for passwords by not sending them as plain text over http.

      http -> https -> http is also common practice on most popular consumer sites that don't need to secure confidential material other than the initial login.

      e.g:

      Facebook,
      Login Form: http://www.facebook.com/
      Login Processing URL: https://login.facebook.com/login.php?login_attempt=1

      Twitter,
      Login Form: http://twitter.com/
      Login Processing URL: https://twitter.com/sessions

      Using https for everything is just not realistic when you have a lot of media content you want to deliver over http as well as ad content.
      Delivering mixed https/http content results in a browser warning that negatively impacts the user's experience.
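      As an added illustration (not code from this issue or from Spring Security), here is how the action-building step in DefaultLoginPageGeneratingFilter could decide between relative and absolute URLs, using a hypothetical helper class LoginFormActionBuilder. It goes one step beyond option 1) above: an absolute URL is accepted only when its scheme is https, so a misconfigured absolute value cannot post the password over plain http.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Hypothetical helper (added example, not part of Spring Security).
 * Relative login-processing URLs keep the existing behaviour: the servlet
 * context path is prepended. Absolute URLs are used unchanged, but only
 * when the scheme is https, so the form can never be configured to send
 * credentials in the clear by mistake.
 */
public final class LoginFormActionBuilder {

    private LoginFormActionBuilder() {
    }

    public static String buildAction(String contextPath, String loginProcessingUrl) {
        URI uri;
        try {
            uri = new URI(loginProcessingUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException(
                    "login-processing-url is not a valid URI: " + loginProcessingUrl, e);
        }
        if (!uri.isAbsolute()) {
            // No scheme present: relative target, same as the current filter code.
            return contextPath + loginProcessingUrl;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            // Absolute target on any channel other than https is refused outright.
            throw new IllegalArgumentException(
                    "absolute login-processing-url must use https: " + loginProcessingUrl);
        }
        // Absolute https target: do not prepend the context path.
        return loginProcessingUrl;
    }

    public static void main(String[] args) {
        // Sample values are constructed for this example.
        System.out.println(buildAction("/app", "/login"));
        System.out.println(buildAction("/app", "https://mydomain.com/login"));
        try {
            buildAction("/app", "http://mydomain.com/login");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```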

        Activity

        Luke Taylor added a comment -

        I'd recommend you implement your own login page if you want to do this and make sure the page is also loaded over https. That way you have full control over the URL. DefaultLoginPageGeneratingFilter is mainly intended for getting simple prototypes or examples up and running. The login-processing-url attribute is used to configure the UsernamePasswordAuthenticationFilter (it sets a property on AbstractAuthenticationProcessingFilter), so its primary purpose isn't actually related to rendering the login page.


          People

          • Assignee: Luke Taylor
          • Reporter: Scott Murphy
          • Votes: 0
          • Watchers: 1