How to use the request Referer as the targetUrl when using Acegi Security for Spring
September 7th, 2007 by 
spostelnicu
Suppose that my login form is integrated in another page and I want to return to that page that integrated my login page (so the original page).
How do you do that in ACEGI ?
My solution was to extend the AuthenticationProcessingFilter and add a property named useRefererAsTargetUrl.
If this property is set to true, then the AuthenticationProcessingFilter will redirect to the value of the request Referer header upon successful authentication, unless the targetUrl can be taken from a SavedRequest, (which usually means that the authentication request was caused by an AccessDeniedException or AuthenticationException thrown within the filter chain). If alwaysUseDefaultTargetUrl is also set to true, then the defaultTargetUrl will be used, and this flag will be ignored.
This flag defaults to false, which is the default behaviour of AuthenticationProcessingFilter.
To set it to true, simply use the following Spring configuration:
1 2 3 4 5 6 7 8 | <bean id="authenticationProcessingFilter" class="ro.tremend.web.filters.ExtendedAuthenticationProcessingFilter"> <property name="authenticationManager" ref="authenticationManager"/> <property name="authenticationFailureUrl" value="/#invalid_login"/> <property name="defaultTargetUrl" value="/"/> <property name="useRefererAsTargetUrl" value="true"/> <property name="filterProcessesUrl" value="/web_login_check"/> <property name="rememberMeServices" ref="rememberMeServices"/> </bean> |
The source code for the class is as follows:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 | public class ExtendedAuthenticationProcessingFilter extends AuthenticationProcessingFilter { /** * If <code>true</code>, will redirect to the value of the request Referer header upon successful authentication, * unless the targetUrl can be taken from a {@link org.acegisecurity.ui.savedrequest.SavedRequest} * (which usually means that the authentication request was caused by an * <code>AccessDeniedException</code> or <code>AuthenticationException</code> thrown within the filter chain). * If alwaysUseDefaultTargetUrl is also set to true, then the defaultTargetUrl will be used, * and this flag will be ignored. * This flag defaults to <code>false</code>, which is the default behaviour of AuthenticationProcessingFilter. */ private boolean useRefererAsTargetUrl = false; protected String determineTargetUrl(HttpServletRequest request) { // Don't attempt to obtain the url from the saved request if // alwaysUsedefaultTargetUrl is set if (isAlwaysUseDefaultTargetUrl()) { return getDefaultTargetUrl(); } String targetUrl = obtainFullRequestUrl(request); if (targetUrl == null && useRefererAsTargetUrl) { targetUrl = obtainRequestRefererUrl(request); } if (targetUrl == null) { targetUrl = getDefaultTargetUrl(); } return targetUrl; } public static String obtainRequestRefererUrl(HttpServletRequest request) { return request.getHeader(HttpUtils.HTTP_HEADER_REFERER); } public boolean isUseRefererAsTargetUrl() { return useRefererAsTargetUrl; } public void setUseRefererAsTargetUrl(boolean useRefererAsTargetUrl) { this.useRefererAsTargetUrl = useRefererAsTargetUrl; } } |
Maybe (in a future release of Acegi Security) this feature will simply be integrated in AbstractProcessingFilter, where it belongs…
Posted in Java, General | 
No Comments »