Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SEC-1517: Proper returnToUrlParameters cannot be set easily for OpenIDAuthenticationFilter #1758

spring-projects-issues opened this issue Jul 14, 2010 · 3 comments


Copy link

@spring-projects-issues spring-projects-issues commented Jul 14, 2010

Rostislav Hristov (Migrated from SEC-1517) said:

The default implementation of the "returnToUrlParameters" doesn't take into consideration the "targetUrlParameter" property of the AbstractAuthenticationTargetUrlRequestHandler class. This basically breaks the ability to specify a dynamic landing page after a successful login.

In the "returnToUrlParameters" should be something like:

if (returnToUrlParameters.isEmpty() &&
getRememberMeServices() instanceof AbstractRememberMeServices&&
getSuccessHandler() instanceof AbstractAuthenticationTargetUrlRequestHandler) {
returnToUrlParameters = new HashSet();
returnToUrlParameters.add(((AbstractRememberMeServices) getRememberMeServices()).getParameter());
returnToUrlParameters.add(((AbstractAuthenticationTargetUrlRequestHandler) getSuccessHandler()).getTargetUrlParameter());

This way the default "spring-security-redirect" parameter will become available in the authorization request and it will be later available for consumption.

Additionally it will be great if few more properties are exposed in the Security configuration namespace so that more values can be injected.

Copy link

@spring-projects-issues spring-projects-issues commented Jul 26, 2010

Luke Taylor said:

I'd prefer not to do this as it is accounting for a very specific case and the way navigation works with OpenID is always going to be different from a simple login followed by a redirect. You can set the returnToUrlParameters directly on the filter, to include the and you have full control over the URL itself by overriding the buildReturnToUrl() method.

Copy link

@spring-projects-issues spring-projects-issues commented Jul 28, 2010

Rostislav Hristov said:

It looks that I can inject the returnToUrlParameters only if I don't use the Security namespace which means that I'll have to replace half of the configuration with plain bean declarations. I will probably end up doing that in order to achieve higher level of customization but overall it will better if this is possible with the simpler namespace config.

Copy link

@spring-projects-issues spring-projects-issues commented Jul 30, 2010

Luke Taylor said:

You should normally only need to add two explicit beans - the filter and the entry point.

The namespace is only meant to support basic configuration options. There's a balance to be struck between adding too much functionality and obfuscating what in actually going on.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant