How to redirect to the homepage if the user accesses the login page after being logged in?

by

I’ve checked the topic more deeply than last time and found that you have to determine if user is authenticated by yourself in controller. Row Winch (Spring Security dev) says here:

Spring Security is not aware of the internals of your application
(i.e. if you want to make your login page flex based upon if the user
is logged in or not). To show your home page when the login page is
requested and the user is logged in use the SecurityContextHolder in
the login page (or its controller) and redirect or forward the user to
the home page.

So solution would be determining if user requesting /auth/login is anonymous or not, something like below.

applicationContext-security.xml:

<http auto-config="true" use-expressions="true"
        access-decision-manager-ref="accessDecisionManager">
    <intercept-url pattern="/auth/login" access="permitAll" />
    <intercept-url pattern="/auth/logout" access="permitAll" />
    <intercept-url pattern="/admin/**" access="ADMINISTRATIVE_ACCESS" />
    <intercept-url pattern="/**" access="XYZ_ACCESS" />

    <form-login login-page="/auth/login"
        authentication-failure-url="/auth/loginFailed"
        authentication-success-handler-ref="authenticationSuccessHandler" />
    <logout logout-url="/auth/logout" logout-success-url="/auth/login" />
</http>

<beans:bean id="defaultTargetUrl" class="java.lang.String">
    <beans:constructor-arg value="/content" />
</beans:bean>

<beans:bean id="authenticationTrustResolver"
        class="org.springframework.security.authentication.AuthenticationTrustResolverImpl" />

<beans:bean id="authenticationSuccessHandler"
        class="com.example.spring.security.MyAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" ref="defaultTargetUrl" />
</beans:bean>

Add to applicationContext.xml bean definition:

<bean id="securityContextAccessor"
    class="com.example.spring.security.SecurityContextAccessorImpl" />

which is class

public final class SecurityContextAccessorImpl
      implements SecurityContextAccessor {

  @Autowired
  private AuthenticationTrustResolver authenticationTrustResolver;

  @Override
  public boolean isCurrentAuthenticationAnonymous() {
    final Authentication authentication =
        SecurityContextHolder.getContext().getAuthentication();
    return authenticationTrustResolver.isAnonymous(authentication);
  }
}

implementing simple interface

public interface SecurityContextAccessor {
  boolean isCurrentAuthenticationAnonymous();
}

(SecurityContextHolder accessing code is decoupled from controller, I followed suggestion from this answer, hence SecurityContextAccessor interface.)

And last but not least redirect logic in controller:

@Controller
@RequestMapping("/auth")
public class AuthController {
  @Autowired
  SecurityContextAccessor securityContextAccessor;

  @Autowired
  @Qualifier("defaultTargetUrl")
  private String defaultTargetUrl;

  @RequestMapping(value = "/login", method = RequestMethod.GET)
  public String login() {
    if (securityContextAccessor.isCurrentAuthenticationAnonymous()) {
      return "login";
    } else {
      return "redirect:" + defaultTargetUrl;
    }
  }
}

Defining defaultTargetUrl String bean seems like a hack, but I don’t have better way not to hardcode url… (Actually in our project we use <util:constant> with class containing static final String fields.) But it works after all.

More Related Contents:

  1. Spring Security : Multiple HTTP Config not working
  2. How to fix role in Spring Security?
  3. Spring security CORS Filter
  4. How to create custom methods for use in spring security expression language annotations
  5. Spring Security Configuration – HttpSecurity vs WebSecurity
  6. Configuring Spring Security 3.x to have multiple entry points
  7. Spring Boot 2.0.x disable security for certain profile
  8. How to manage exceptions thrown in filters in Spring?
  9. Difference between Role and GrantedAuthority in Spring Security
  10. Disable Spring Security for OPTIONS Http Method
  11. Logging user activity in web app
  12. RESTful Authentication via Spring
  13. Multiple WebSecurityConfigurerAdapters: JWT authentication and form login in spring security
  14. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  15. How to check “hasRole” in Java Code with Spring Security?
  16. Spring webSecurity.ignoring() doesn’t ignore custom filter
  17. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  18. Spring Security, secured and none secured access
  19. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  20. Spring Security multiple url ruleset not working together
  21. JAAS for human beings
  22. How to use new PasswordEncoder from Spring Security
  23. Spring security added prefix “ROLE_” to all roles name?
  24. Why this Spring application with java-based configuration don’t work properly
  25. How do I disable resolving login parameters passed as url parameters / from the url
  26. Single role multiple IP addresses in Spring Security configuration
  27. Disabling a filter for only a few paths
  28. How to secure REST API with Spring Boot and Spring Security?
  29. Why BCryptPasswordEncoder from Spring generate different outputs for same input?
  30. Cross-Origin Resource Sharing with Spring Security

Leave a Comment