I’m retrofitting my application with GWT History support, and I’ve stumbled on a case where I’m not quite sure what to do. The answer to this question doesn’t necessarily have to be GWT-related.
GWT’s History support functions by passing around hash tags (i.e. index.html#token). Security restrictions require users be logged in prior to actually being able to access index.html, so they get sent over to a login page, retaining the token (login.html#token). So far, so good. Now the user becomes authenticated and Spring sends them over to index.html (the default target) and eliminates the #token part of the URL.
How can I force Spring Security to maintain the token and send my newly authenticated user to the page they requested (index.html#token)? Since I’ve already got Spring Security authentication working, I’d prefer to not restructure the way my app handles logins.
After a great deal of digging, I found my answer on Spring’s Jira. As Colin Alworth stated, that token isn’t actually part of the request, so Spring Security never sees it server-side, and thus can’t use it to determine the final URL. So the approach I used was to append the hash (client-side) to
j_spring_security_check, making itj_spring_security_check#token. Now the token gets passed along just fine, allowing me to have a well-secured app with working tokens.Thanks for your help Colin, your answer got me thinking in the right direction.