
While implementing Spring Security in my GWT-based web application, I found that everything works as expected, except for the following:

I open login.jsp and submit valid user credentials; after submission it redirects to the home page successfully. But when I then edit the URL in the address bar back to login.jsp, it still lets me open login.jsp. My understanding was that, once logged in, it should not allow me to go back to login.jsp until I log out.

Maybe my security-context.xml file is not configured correctly.

Below is my security-application-context.xml

<?xml version="1.0" encoding="UTF-8"?>

<!-- - Sample namespace-based configuration - -->

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <!-- NOTE(review): this targets the Spring Security 2.0.x / Spring 2.5 schema,
         a line that is long past end of life; verify it still receives fixes
         before relying on it in a deployed system. -->
    <global-method-security secured-annotations="enabled">
    </global-method-security>

    <!-- Form-login processing filter (custom subclass, defined outside this file).
         NOTE(review): defaultTargetUrl carries the GWT dev-mode parameter
         gwt.codesvr=127.0.0.1:9997. That is a developer-workstation setting and
         should not be shipped in a deployed configuration. -->
    <beans:bean id="customAuthenticationProcessingFilter"
        class="edu.authentication.CustomAuthenticationProcessingFilter">
        <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
        <beans:property name="defaultTargetUrl" value="/Home.html?gwt.codesvr=127.0.0.1:9997" />
        <beans:property name="authenticationFailureUrl" value="/login.jsp?login_error=1" /> 
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <!-- Where unauthenticated requests are sent. forceHttps="false" lets the login
         form, and therefore the posted credentials, be served over plain HTTP;
         set it to true (or terminate TLS in front of the application) in production. -->
    <beans:bean id="authenticationProcessingFilterEntryPoint"
        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <beans:property name="loginFormUrl" value="/login.jsp" />
        <beans:property name="forceHttps" value="false" />
    </beans:bean>

    <!-- Loads users through urmService (a bean defined elsewhere; not shown here). -->
    <beans:bean id="customUserDetailsService"
        class="edu.authentication.CustomUserDetailsService">
        <beans:property name="urmService" ref="urmService" />
    </beans:bean>

    <!-- Filter chain. filters="none" removes a URL from the Spring Security chain
         entirely: no SecurityContext is restored and no anonymous Authentication is
         created for that request, so nothing on login.jsp (a sec:authorize tag,
         request.getUserPrincipal(), ...) can tell whether the visitor is already
         logged in. To keep the page public but still see the authentication state,
         use access="IS_AUTHENTICATED_ANONYMOUSLY" instead of filters="none".
         Also note that /*.html matches only top-level pages and there is no
         catch-all /** rule; a path matched by none of these patterns presumably
         passes through without an access check, so add a /** rule to be sure. -->
    <http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">

    <intercept-url pattern="/login.jsp*" filters="none" />
        <intercept-url pattern="/forgot_password.jsp*" filters="none" />
        <intercept-url pattern="/forgotPasswordServlet.do*" filters="none" />

    <intercept-url pattern="/myApp/**" access="IS_AUTHENTICATED_FULLY"/>
        <intercept-url pattern="/gwt/**" access="IS_AUTHENTICATED_FULLY"/>
        <intercept-url pattern="/*.html" access="IS_AUTHENTICATED_FULLY"/>

    <!-- Logout URL. NOTE(review): the 2.x LogoutFilter matches on URL alone, so a
         plain GET (e.g. a cross-site link or image) is expected to log the user out. -->
    <logout logout-url="/j_spring_security_logout"
            invalidate-session="true" logout-success-url="/login.jsp?loggedout=true"/>
    </http>

    <authentication-manager alias="authenticationManager" />

    <!-- Passwords are compared as unsalted MD5 digests. MD5 is fast and unsalted
         digests are trivially reversed with precomputed tables, so this is a weak
         choice for stored credentials. Changing the encoder means re-hashing every
         stored password (the stored values must match the encoder), so plan a
         migration rather than just flipping this attribute. -->
    <authentication-provider user-service-ref="customUserDetailsService">
        <password-encoder hash="md5" />
    </authentication-provider>

</beans:beans>

Any help or suggestions would be highly appreciated.

Sandy
  • I've just answered to [similar question here](http://stackoverflow.com/a/12602395/708434). – Grzegorz Rożniecki Sep 28 '12 at 10:09
  • Just a piece of advice: when posting code snippets, edit the original package name to hide your real project information. From the package name, I guess this configuration is from the 'Campaign Management' product of onmobile.com – Adisesha Sep 28 '12 at 12:00
  • possible duplicate of [How to redirect to the homepage if the user accesses the login page after being logged in?](http://stackoverflow.com/questions/12597519/how-to-redirect-to-the-homepage-if-the-user-accesses-the-login-page-after-being) – krock Nov 20 '12 at 05:23



There is nothing built into Spring Security to prevent you from viewing the login page after logging in. You can block the login page from logged-in users by adding the following code to the top of your login page. Note that this only works if Spring Security's filter chain actually runs for the login page: in your configuration `/login.jsp*` is mapped with `filters="none"`, which skips the chain entirely, so no SecurityContext is available to the tag on that request. Map it with `access="IS_AUTHENTICATED_ANONYMOUSLY"` instead.

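<%@ taglib prefix='sec' uri='http://www.springframework.org/security/tags' %>
<%-- Bounce already-authenticated users away from the login page.
     Requires the Spring Security filter chain to run for this URL: if the
     login page is mapped with filters="none", no Authentication (not even
     the anonymous one) is in the SecurityContext, the tag then sees no
     granted authorities at all, and every visitor would be redirected. --%>
<sec:authorize ifNotGranted="ROLE_ANONYMOUS">
  <%
    // Prefix the context path so the redirect is correct when the application
    // is not deployed at the server root, and stop rendering once the redirect
    // has been sent: the response is committed at that point.
    response.sendRedirect(request.getContextPath() + "/mainpage.jsp");
    return;
  %>
</sec:authorize>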

The logic is that if the user is not logged in, Spring Security's anonymous filter creates an anonymous Authentication object for them with the role ROLE_ANONYMOUS. So you check whether the user has that role; if they don't, you can assume they are logged in and redirect them to the main page of the application. This relies on the anonymous filter having run for the request: on a URL excluded with `filters="none"` there is no Authentication at all, the tag has no granted authorities to check against, and `ifNotGranted="ROLE_ANONYMOUS"` would then hold for every visitor, redirecting anonymous users as well.

Robert Hanson

Alternatively you can create a Servlet Filter:

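public class LoginPageFilter implements Filter
{
    /** Optional init-param naming the context-relative page logged-in users are sent to. */
    private static final String TARGET_PARAM = "targetUrl";

    /** Used when the init-param is absent: the application root. */
    private static final String DEFAULT_TARGET = "/";

    private String targetUrl = DEFAULT_TARGET;

    /**
     * Reads the optional {@code targetUrl} init-param; any blank or missing value
     * keeps the default of the context root.
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        String configured = filterConfig.getInitParameter(TARGET_PARAM);
        if (configured != null && configured.trim().length() > 0) {
            targetUrl = configured.trim();
        }
    }

    /**
     * Redirects already-authenticated users away from the login page; everyone
     * else continues down the chain.
     *
     * request.getUserPrincipal() reflects the Spring Security Authentication only
     * when Spring Security's own filter chain has already wrapped this request.
     * That means this filter must be mapped after springSecurityFilterChain in
     * web.xml and the login URL must NOT be excluded with filters="none";
     * otherwise the principal is always null and logged-in users are never
     * redirected. Spring's request wrapper is expected to report anonymous
     * sessions as a null principal, so anonymous visitors fall through to the chain.
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException
    {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        if (request.getUserPrincipal() != null) {
            // Never redirect to "": the container resolves that against the current
            // request URL, which lands back on the login page and loops. Prefix the
            // context path so the target is right whatever the deployment root.
            response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + targetUrl));
            return;
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    public void destroy() {
    }
}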

web.xml:

<filter>
    <filter-name>LoginPageFilter</filter-name>
    <filter-class>com.xxx.xx.LoginPageFilter</filter-class>
</filter>

<!-- Map this to the URL the login page is actually served from: the question's
     configuration uses /login.jsp, which the pattern /login would never match.
     Declare this mapping AFTER the springSecurityFilterChain mapping, since the
     container applies filter-mappings in web.xml order and this filter relies on
     Spring Security having already wrapped the request. -->
<filter-mapping>
    <filter-name>LoginPageFilter</filter-name>
    <url-pattern>/login</url-pattern>
</filter-mapping>
Ümit