Spring Security
  SEC-1724

Save the original request URL before redirecting to an invalidSessionUrl

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 3.1.0.RC1
    • Fix Version/s: 3.1.0.RC3
    • Component/s: Web
    • Labels:
      None

      Description

      Upon redirecting to a configured invalidSessionUrl, SessionManagementFilter currently does not save the original request URL to the RequestCache. If the invalidSessionUrl ultimately routes the user through a successful authentication, the SavedRequestAwareAuthenticationSuccessHandler can only redirect the user to the defaultTargetUrl.

      See the linked forum reference for more details and a more specific use case.

      Git merge request forthcoming...

          Activity

          Ian Brandt added a comment -

          Merge request posted: http://git.springsource.org/spring-security/spring-security/merge_requests/2

          Luke Taylor added a comment -

          Thanks for the patch. To be honest, I don't really like having the invalid-session stuff directly in the SessionManagementFilter. I'd prefer to introduce an additional strategy which would handle this sort of thing and could encapsulate additional behaviour such as the use of the RequestCache. I will look into doing that prior to 3.1.

          Ian Brandt added a comment -

          Perfect. My patch definitely has a single responsibility principle violation smell to it. As a newcomer I wasn't about to propose new API just to solve my specific issue, but if you think the additional strategy makes sense I couldn't agree more.

          Luke Taylor added a comment -

          I've completed work on SEC-1754, which should allow you to plug in your own custom behaviour when an invalid session Id is detected.
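
Added example, not part of the issue thread or the project's own code: one way to get the behaviour requested here through a pluggable strategy, assuming the hook is the `InvalidSessionStrategy` interface that Spring Security 3.1 ships in `org.springframework.security.web.session`. The class name and the GET-only and local-path checks are choices made for this sketch.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.session.InvalidSessionStrategy;

/** Hypothetical strategy: cache the original request, then redirect to the invalid-session URL. */
public class RequestCachingInvalidSessionStrategy implements InvalidSessionStrategy {

    private final String invalidSessionUrl;
    private final RequestCache requestCache;
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public RequestCachingInvalidSessionStrategy(String invalidSessionUrl, RequestCache requestCache) {
        // Accept only a context-relative path so the redirect cannot leave the application.
        if (invalidSessionUrl == null || !invalidSessionUrl.startsWith("/")
                || invalidSessionUrl.startsWith("//")) {
            throw new IllegalArgumentException("invalidSessionUrl must be a local path starting with '/'");
        }
        if (requestCache == null) {
            throw new IllegalArgumentException("requestCache is required");
        }
        this.invalidSessionUrl = invalidSessionUrl;
        this.requestCache = requestCache;
    }

    public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // The requested session id is invalid, so start a fresh session; without one the
        // redirected request would carry the same stale id and be flagged again.
        request.getSession();

        // Only cache GET requests: the post-login redirect is issued as a GET, so other
        // methods would not be reproduced faithfully.
        if ("GET".equals(request.getMethod())) {
            // Must be the RequestCache that SavedRequestAwareAuthenticationSuccessHandler reads from.
            requestCache.saveRequest(request, response);
        }

        redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
    }
}
```

With the default `HttpSessionRequestCache`, the saved request lives in the new session, so `SavedRequestAwareAuthenticationSuccessHandler` finds it after login instead of falling back to the defaultTargetUrl.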


            People

            • Assignee:
              Luke Taylor
              Reporter:
              Ian Brandt
            • Votes:
              0
              Watchers:
              2
