SEC-1869: AuthenticationSuccessHandler and pre-authentication scenarios (i.e. X.509 or J2EE)

[spring-projects-issues]

Luca Cito (Migrated from SEC-1869) said:

Post-login initialization logic implementing AuthenticationSuccessHandler works fine with form-based authentication, as Spring Security's classes come with a setter for such a AuthenticationSuccessHandler. However, pre-authentication scenarios like X.509 or J2EE authentication do not feature such setters out of the box. We had to create our own AuthencationFilter implementations again and again to integrate the AuthenticationSuccessHandler.

The implementation of an ApplicationListener for AuthenticationSuccessEvents is problematic (e.g. neither HttpServletRequest nor HttpServletResponse needed for the RedirectStrategy are accessible).

We would like to provide a patch, integrating AuthenticationFilters for J2EE and X.509 providing such SuccessHandlers.

[spring-projects-issues]

Steffen Ryll said:

While Luca said we are willing to create and provide a patch, we would first like to know if there is substantial interest in it, or project leaders see any reasons against implementing that idea.

[spring-projects-issues]

Steffen Ryll said:

I have submitted a pull request: #69

Please comment there, or here in this issue.

[spring-projects-issues]

Michael Osipov said:

This has been open for a lot of years for a very easy fix. rwinch, can we merge this?

[sryll]

This issue can be closed (can I do that myself?), as the duplicate issue #3389 has been fixed in the meantime.

[rwinch]

Thanks closing this.