Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1276: The login form controller/servlet inside of spring security does not spring-security-redirect on failed login attempt #1526

spring-issuemaster opened this Issue Oct 25, 2009 · 2 comments


None yet
1 participant

Ken Egervari (Migrated from SEC-1276) said:

I'm having trouble getting spring-security-redirect to work if they fail to login.

I use a hidden input to pass "spring-security-redirect" post parameter to the /j_spring_security_check action, like this:


        <input type="hidden" name="spring-security-redirect"
               value="${RequestParameters["previousUrl"]!}" />

Now, this works fine if they login correctly the first time. Upon successive attempts, this obviously won't work.

Where does Spring security expose this value when it bounces back to the form? I've tried "SPRING_SECURITY_REDIRECT" model data... like the same type as the other SPRING_SECURITY_* variables... but it's not there. I've tried a whole bunch of other combinations as well, like "spring_security_redirect", "j_redirect", or "_spring_security_redirect".

Part of the problem that makes this difficult is that it is:

  1. Poorly documented compared to everything else in the framework - merely relying on a single jsp example (and some people don't even use jsp...)

  2. There is a lack of naming conventions. My login view is cluttered with all sorts of j_ this, SPRING_SECURITY_* that. Some fields start with "_". It's a little mind-boggling and it's hard to intuitively guess what I should do.

What do I need to do to have my form "remember" the passed in url? I can't find it anywhere in the documentation and I've searched google for examples. What I have already - just knowing about spring-security-redirect - is the best I've been able to do.


Luke Taylor said:

The redirect parameter was introduced for SEC-213. That is all. The functionality is now part of the class AbstractAuthenticationTargetUrlRequestHandler.

I don't understand the rest of your post - you seem to be assuming some kind of behaviour which doesn't exist and then attempting to guess the names of attributes which might contain the value of this parameter???

Luke Taylor said:

Not a bug.

@spring-issuemaster spring-issuemaster added this to the 3.0.0.RC2 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment