
How to use the request Referer as the targetUrl when using Acegi Security for Spring

September 7th, 2007 by spostelnicu in Java, General

Suppose my login form is embedded in another page, and after a successful login I want to return to the page that embedded it (the original page).
How do you do that in Acegi?

My solution was to extend the AuthenticationProcessingFilter and add a property named useRefererAsTargetUrl.
If this property is set to true, the AuthenticationProcessingFilter will redirect to the value of the request Referer header upon successful authentication, unless the targetUrl can be taken from a SavedRequest (which usually means that the authentication request was caused by an AccessDeniedException or AuthenticationException thrown within the filter chain). If alwaysUseDefaultTargetUrl is also set to true, then the defaultTargetUrl will be used, and this flag will be ignored.
This flag defaults to false, which is the default behaviour of AuthenticationProcessingFilter.

To set it to true, simply use the following Spring configuration:

<bean id="authenticationProcessingFilter" class="ro.tremend.web.filters.ExtendedAuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureUrl" value="/#invalid_login"/>
    <property name="defaultTargetUrl" value="/"/>
    <property name="useRefererAsTargetUrl" value="true"/>
    <property name="filterProcessesUrl" value="/web_login_check"/>
    <property name="rememberMeServices" ref="rememberMeServices"/>
</bean>

The source code for the class is as follows:

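package ro.tremend.web.filters;

import javax.servlet.http.HttpServletRequest;

import org.acegisecurity.ui.webapp.AuthenticationProcessingFilter;

public class ExtendedAuthenticationProcessingFilter extends AuthenticationProcessingFilter {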
 
    /**
     * If <code>true</code>, will redirect to the value of the request Referer header upon successful authentication,
     * unless the targetUrl can be taken from a {@link org.acegisecurity.ui.savedrequest.SavedRequest}
     * (which usually means that the authentication request was caused by an
     * <code>AccessDeniedException</code> or <code>AuthenticationException</code> thrown within the filter chain).
     * If alwaysUseDefaultTargetUrl is also set to true, then the defaultTargetUrl will be used,
     * and this flag will be ignored.
     * This flag defaults to <code>false</code>, which is the default behaviour of AuthenticationProcessingFilter.
     */
    private boolean useRefererAsTargetUrl = false;
 
    protected String determineTargetUrl(HttpServletRequest request) {
        // Don't attempt to obtain the url from the saved request if
        // alwaysUseDefaultTargetUrl is set
        if (isAlwaysUseDefaultTargetUrl()) {
            return getDefaultTargetUrl();
        }
 
        String targetUrl = obtainFullRequestUrl(request);
 
        if (targetUrl == null && useRefererAsTargetUrl) {
            targetUrl = obtainRequestRefererUrl(request);
        }
 
        if (targetUrl == null) {
            targetUrl = getDefaultTargetUrl();
        }
 
        return targetUrl;
    }
 
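    /**
     * Returns the raw value of the request's Referer header, or null if the header is absent.
     * HttpUtils is a helper class that is not shown in this post; its HTTP_HEADER_REFERER
     * constant is assumed to hold the header name "Referer".
     */
    public static String obtainRequestRefererUrl(HttpServletRequest request) {
        return request.getHeader(HttpUtils.HTTP_HEADER_REFERER);
    }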
 
    public boolean isUseRefererAsTargetUrl() {
        return useRefererAsTargetUrl;
    }
 
    public void setUseRefererAsTargetUrl(boolean useRefererAsTargetUrl) {
        this.useRefererAsTargetUrl = useRefererAsTargetUrl;
    }
}

Maybe (in a future release of Acegi Security) this feature will simply be integrated in AbstractProcessingFilter, where it belongs…
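
The Referer header is supplied by the client, so a filter that redirects to it sends the user wherever that header points; restricting it to the application's own origin keeps the post-login redirect on-site. The class below is an added example, not part of the original post or of Acegi: RefererTargetValidator and its method names are hypothetical, the sample values are constructed, and the caller is assumed to pass in the application's own scheme, host and port, so that a null result falls through to defaultTargetUrl in determineTargetUrl.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not from the original post. Names are hypothetical.
public class RefererTargetValidator {

    /**
     * Returns the Referer unchanged if it is an absolute URL on the given
     * origin (scheme, host, port); otherwise null, so the caller can fall
     * back to defaultTargetUrl.
     */
    public static String sameOriginOrNull(String referer, String scheme, String host, int port) {
        if (referer == null || referer.indexOf('\r') >= 0 || referer.indexOf('\n') >= 0) {
            return null; // header absent, or contains CR/LF
        }
        try {
            URI uri = new URI(referer);
            if (uri.getScheme() == null || uri.getHost() == null || uri.getUserInfo() != null) {
                return null; // relative or opaque URL, or one carrying user-info
            }
            boolean sameOrigin = uri.getScheme().equalsIgnoreCase(scheme)
                    && uri.getHost().equalsIgnoreCase(host)
                    && effectivePort(uri.getScheme(), uri.getPort()) == effectivePort(scheme, port);
            return sameOrigin ? referer : null;
        } catch (URISyntaxException e) {
            return null; // not parseable as a URL
        }
    }

    // Maps "no explicit port" (-1) to the scheme's default port.
    private static int effectivePort(String scheme, int port) {
        return port != -1 ? port : ("https".equalsIgnoreCase(scheme) ? 443 : 80);
    }

    public static void main(String[] args) {
        // Constructed Referer values; the application is assumed to live at https://app.example.test
        String[] samples = {
            "https://app.example.test/news/article-1",      // same origin
            "https://other.example.test/landing",           // different host
            "https://app.example.test@other.example.test/", // user-info in front of a different host
            "//other.example.test/",                        // scheme-relative
            null                                            // header missing
        };
        for (String s : samples) {
            System.out.println(s + " -> " + sameOriginOrNull(s, "https", "app.example.test", 443));
        }
    }
}
```

Behind a reverse proxy the scheme, host and port seen by the servlet container can differ from the public ones, so taking the expected origin from configuration is the more predictable choice.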



One Response

  1. Gavin Garcia Says:

    I hardly ever comment on these articles, but I thought this one deserved a big thank you
