Spring security without redirection
I have a Spring security implementation that is stateless and uses token based authentication. Most of my logic is inside a class that extends AbstractAuthenticationProcessingFilter. My problem is that after successfully authenticating, AbstractAuthenticationProcessingFilter does a 302 redirect, which I don't want. I just want the original request to complete. How do I get around this?
+3
source to share
1 answer
I managed to make a "login" rest method exposed with spring security to return "200 OK" rather than "302 Redirect" by overriding the success and failure handler. The code below shows how to achieve the same.
//configure http by using the successHandler
//and failure handler methods
http.
formLogin()
.loginPage("/authentication/login")
.loginProcessingUrl("/authentication/processLogin")
.successHandler(successHandler())
.failureHandler(failureHandler())
.and()
......
private AuthenticationFailureHandler failureHandler() {
return new SimpleUrlAuthenticationFailureHandler() {
public void onAuthenticationFailure(HttpServletRequest request,
HttpServletResponse response, AuthenticationException exception)
throws IOException, ServletException {
response.setContentType("text/html;charset=UTF-8");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication Failed. Wrong username or password or both");
}
};
}
private AuthenticationSuccessHandler successHandler() {
return new SimpleUrlAuthenticationSuccessHandler() {
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication authentication)
throws IOException, ServletException {
response.setContentType("text/html;charset=UTF-8");
HttpSession session = request.getSession(false);
session.setMaxInactiveInterval(60*180);
response.getWriter().println("LoginSuccessful");
}
};
}
+3
source to share