This is my first time implementing a web application with Java and Spring MVC. I have also implemented login functionality for it, but I am facing an issue with it.
Issue: After a successful login my page redirects to the target page, but if I type the login page URL into the browser, the login page is displayed again even though the session is still active.
Ideally it should go to the default target page. Below is my XML settings file. Thanks in advance for any help.
XML Config:
<!-- Each security="none" entry maps its pattern to an empty filter chain: no Spring Security filter runs for these URLs, so no SecurityContext is populated while they are handled. -->
<http pattern="/resources/**" security="none" />
<!-- The login pages are excluded the same way, which is why a request for /admin/login cannot see that the user is already authenticated. -->
<http pattern="/admin/login" security="none" />
<http pattern="/admin/login/failed" security="none" />
<http pattern="/admin/login/invalidsession" security="none" />
<!-- Main filter chain. use-expressions="false" means access values are plain attributes such as role names, not SpEL expressions. -->
<http auto-config="true" use-expressions="false">
<!-- Everything under /admin/ that was not excluded above requires ROLE_USER. -->
<intercept-url pattern="/admin/**" access="ROLE_USER" />
<!-- Custom login page, default page after login, and page shown after a failed login. -->
<form-login login-page="/admin/login" default-target-url="/admin/student" authentication-failure-url="/admin/login/failed" />
<!-- Logout returns to the login page and deletes the JSESSIONID cookie. -->
<logout logout-success-url="/admin/login" delete-cookies="JSESSIONID" />
<!-- A new session is created at login (session fixation defence); requests carrying an invalid session id are sent to invalid-session-url. -->
<session-management session-fixation-protection="newSession" invalid-session-url="/admin/login/invalidsession">
<!-- One session per user; with error-if-maximum-exceeded="true" a second login is rejected instead of expiring the first one. -->
<!-- NOTE(review): this relies on the session registry being told when sessions end, which needs HttpSessionEventPublisher registered in web.xml (not shown here); confirm, otherwise a user whose session timed out may be unable to log in again. -->
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<!-- In-memory user store with a plaintext password identical to the user name: suitable only for a local demo. A real deployment should keep users in a protected store with hashed passwords. -->
<user-service>
<user name="roul" password="roul" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
ANSWER:
After getting suggestions from jgr and Paul, I was finally able to get it done. I had to modify my XML config because I had set the login pages to security "none". As a result, when I fetched the authentication for that page using the code below:
// Reads the current authentication from the thread's security context.
// On a URL configured with security="none" no Spring Security filter runs,
// so the context is never populated and this returns null (as observed above).
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
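I was getting null, because with security "none" no Spring Security filters run for that URL and the security context is never populated. To avoid that, I had to change the XML settings as below.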
Updated XML Config:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security configuration: form login for /admin/**, with the login pages kept inside the filter chain so the current authentication is visible on them. -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- Enables @Secured annotations on bean methods. -->
<security:global-method-security secured-annotations="enabled" />
<!-- NOTE(review): with the 3.2 schema referenced above, CSRF protection is not active unless a security:csrf element is declared, and none is present here. Adding it also requires the login and logout forms to send the token. -->
<security:http auto-config="true">
<!-- Restrict URLs based on role. Patterns are evaluated in declaration order and the first match wins, so the anonymous entries must stay above /admin/**. -->
<!-- IS_AUTHENTICATED_ANONYMOUSLY lets unauthenticated visitors in while still running the filter chain, so SecurityContextHolder returns an Authentication (anonymous or the logged-in user) instead of null. -->
<security:intercept-url pattern="/admin/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/admin/login/failed" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/admin/login/invalidsession" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<!-- Everything else under /admin/ requires ROLE_USER. -->
<security:intercept-url pattern="/admin/**" access="ROLE_USER" />
<!-- Override default login and logout pages -->
<security:form-login login-page="/admin/login"
default-target-url="/admin/student"
authentication-failure-url="/admin/login/failed" />
<security:logout logout-success-url="/admin/login" delete-cookies="JSESSIONID" />
<!-- A new session is created at login (session fixation defence); requests carrying an invalid session id are sent to invalid-session-url. -->
<security:session-management session-fixation-protection="newSession" invalid-session-url="/admin/login/invalidsession">
<!-- One session per user; with error-if-maximum-exceeded="true" a second login is rejected instead of expiring the first one. -->
<!-- NOTE(review): this relies on the session registry being told when sessions end, which needs HttpSessionEventPublisher registered in web.xml (not shown here); confirm, otherwise a user whose session timed out may be unable to log in again. -->
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</security:session-management>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<!-- In-memory user store with a plaintext password identical to the user name: suitable only for a local demo. A real deployment should keep users in a protected store with hashed passwords. -->
<security:user-service>
<security:user name="roul" password="roul" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
NOTE: I referred to the following URL: http://www.springbyexample.org/examples/simple-spring-security-webapp-spring-config.html