Spring Security authenticationSuccessHandler and j_security_check


I am having an issue that is very strange to me so maybe someone can help. Inside my security.xml I have this:

<http auto-config="true">
    <intercept-url pattern="/app/admin/**" access="ROLE_ADMIN"/>
    <intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
    <form-login login-page="/login" authentication-failure-url="/login?error=true" login-processing-url="/j_security_check" authentication-success-handler-ref="authSuccessHandler"/>
    <remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66" authentication-success-handler-ref="authSuccessHandler"/>
</http>

Everything was working fine until I added authentication-success-handler-ref="authSuccessHandler", which is simple and looks like this:

// Handler method as posted; logger and userManager are fields of the handler bean.
// Note that nothing is written to the response before the method returns.
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
    logger.info("authenticated");
    User user = userManager.getUserByUsername(request.getRemoteUser());
    Hibernate.initialize(user.getMessagesList());
    request.getSession(true).setAttribute("userMessages", user.getMessagesList());
}

Now that all works completely fine; the issue is that on every login or rememberMe login the first page accessed is ALWAYS blank, no matter the URL. On a normal login the page that comes up blank is /j_security_check, so it seems like something is not getting processed because of my success handler; as expected, when removing the handler everything works fine. Am I missing something here? Please help me out.

Answer by M. Deinum (accepted):

Normally, when you don't explicitly configure an AuthenticationSuccessHandler, Spring configures a SavedRequestAwareAuthenticationSuccessHandler for you to handle the success case. What it does, after successful authentication, is send the user to the initially requested URL (or, when specified and forced, to the default page specified in the configuration).

Your custom implementation does no such thing: it only sets something on the session and is done; it doesn't send anything back to the client. What you probably want is to extend the SavedRequestAwareAuthenticationSuccessHandler, do your thing and then call super.onAuthenticationSuccess.
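The fix the answer describes, written out as an added example (not code from the question or the answer): the handler extends SavedRequestAwareAuthenticationSuccessHandler, populates the session exactly as the original snippet did, and then delegates to the parent so the redirect is actually written. UserManager, User and getMessagesList() are the question's own types; the class name AuthSuccessHandler, the constructor injection and the default target URL "/app/" are assumptions.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.hibernate.Hibernate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

/**
 * Hypothetical success handler (example, not the poster's code): extends the handler
 * Spring would otherwise configure for you, so that after the session is populated the
 * saved-request redirect still happens and the client never sees a blank response.
 */
public class AuthSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    private static final Logger logger = LoggerFactory.getLogger(AuthSuccessHandler.class);

    // Collaborator taken from the question's snippet; wired in via the bean definition.
    private final UserManager userManager;

    public AuthSuccessHandler(UserManager userManager) {
        this.userManager = userManager;
        // Assumption: fall-back page when no saved request exists. Adjust to your app.
        setDefaultTargetUrl("/app/");
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {
        // The Authentication passed in is the authoritative source of the principal;
        // it does not depend on the servlet request wrapper behind getRemoteUser().
        String username = authentication.getName();
        logger.info("authenticated: {}", username);

        // Same session population as the original handler.
        User user = userManager.getUserByUsername(username);
        Hibernate.initialize(user.getMessagesList());
        request.getSession(true).setAttribute("userMessages", user.getMessagesList());

        if (authentication instanceof RememberMeAuthenticationToken) {
            // Remember-me authenticates on the first request of the session, so there is
            // no saved request to replay; the page the user is asking for right now is
            // the one to serve. Redirect back to it instead of the default target URL.
            String target = request.getRequestURI();
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            getRedirectStrategy().sendRedirect(request, response, target);
            return;
        }

        // Form login: let the parent look up the saved request (the URL that triggered
        // the login) and send the redirect. Omitting this call is what left
        // /j_security_check blank in the question.
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```

To plug it into the configuration from the question, the bean must be registered under the id the form-login and remember-me elements reference, e.g. a beans:bean with id="authSuccessHandler", class set to this handler and a constructor-arg referencing the userManager bean. The remember-me branch is there because RememberMeAuthenticationFilter, when given a success handler, calls it and stops the filter chain rather than continuing to the requested page; without a redirect that request would also come back blank.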