Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Spring Security Default Target URL

DZone's Guide to

Spring Security Default Target URL

· Java Zone
Free Resource

Learn how to troubleshoot and diagnose some of the most common performance issues in Java today. Brought to you in partnership with AppDynamics.

Just a quick note to self on Spring Security Default Target URLs. In one of my recent projects, I noticed that suddenly my Spring Security based login does not use the specified default target url in the configuration. Instead, it was hitting the root of the application always. This application was working perfectly fine until recently, and default target URL has not been changed since.

The Spring Security definition was:

<security:http auto-config="true">
   <security:intercept-url 
      pattern="/!/signin" 
      access="IS_AUTHENTICATED_ANONYMOUSLY" />
   <security:intercept-url 
      pattern="/!/**" 
      access="ROLE_LOGIN" />
   <security:form-login 
      login-page="/!/signin"
      default-target-url="/!/"
      login-processing-url="/!/authenticate" 
      authentication-failure-url="/!/signin#failed"
      authentication-success-handler-ref="authenticationSuccessHandler" />
   <security:logout logout-url="/!/signout" logout-success-url="/!/signin" />
</security:http>

After debugging through Spring Security code, I noticed that the defaultTargetURL of AbstractAuthenticationTargetUrlRequestHandler is not set to my value, but it uses the default ‘/’. Then after some digging up, it turned out that I’ve added a new Authentication Success Handler to my definition for a different purpose, and when an authentication-success-handler-ref is present in the configuration, the ‘default-target-url’ element in XML configuration is not used.

To fix this, the solution was  to specify the default target URL on my authentication success handler bean as follows.

<bean id="authenticationSuccessHandler" 
   class="com.xyz.PlatformAuthenticationSuccessHandler">
   <property name="defaultTargetUrl" value="/!/" />
</bean>

The reason behind this is, the value we provide on the XML configuration goes to the default authentication success handler only. When we define our own, that value goes no where, so we need to specify it manually on the bean itself. This ate up about 15 mins of my time, before luckily noticing that the success handler change was the reason.

Understand the needs and benefits around implementing the right monitoring solution for a growing containerized market. Brought to you in partnership with AppDynamics.

Topics:

Published at DZone with permission of Yohan Liyanage, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}