SEC-1517: Proper returnToUrlParameters cannot be set easily for OpenIDAuthenticationFilter #1758

spring-issuemaster opened this Issue Jul 14, 2010 · 3 comments

1 participant


Rostislav Hristov (Migrated from SEC-1517) said:

The default implementation of the "returnToUrlParameters" doesn't take into consideration the "targetUrlParameter" property of the AbstractAuthenticationTargetUrlRequestHandler class. This basically breaks the ability to specify a dynamic landing page after a successful login.

In the "returnToUrlParameters" should be something like:

if (returnToUrlParameters.isEmpty() &&
getRememberMeServices() instanceof AbstractRememberMeServices&&
getSuccessHandler() instanceof AbstractAuthenticationTargetUrlRequestHandler) {
returnToUrlParameters = new HashSet();
returnToUrlParameters.add(((AbstractRememberMeServices) getRememberMeServices()).getParameter());
returnToUrlParameters.add(((AbstractAuthenticationTargetUrlRequestHandler) getSuccessHandler()).getTargetUrlParameter());

This way the default "spring-security-redirect" parameter will become available in the authorization request and it will be later available for consumption.

Additionally it will be great if few more properties are exposed in the Security configuration namespace so that more values can be injected.


Luke Taylor said:

I'd prefer not to do this as it is accounting for a very specific case and the way navigation works with OpenID is always going to be different from a simple login followed by a redirect. You can set the returnToUrlParameters directly on the filter, to include the and you have full control over the URL itself by overriding the buildReturnToUrl() method.


Rostislav Hristov said:

It looks that I can inject the returnToUrlParameters only if I don't use the Security namespace which means that I'll have to replace half of the configuration with plain bean declarations. I will probably end up doing that in order to achieve higher level of customization but overall it will better if this is possible with the simpler namespace config.


Luke Taylor said:

You should normally only need to add two explicit beans - the filter and the entry point.

The namespace is only meant to support basic configuration options. There's a balance to be struck between adding too much functionality and obfuscating what in actually going on.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment