Home/ Questions/Q 8350507
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T08:20:27+00:00

I’m using Spring Security 3.1 and I wanted to obtain the parameter coming from

  • 0

I’m using Spring Security 3.1 and I wanted to obtain the parameter coming from the URL BEFORE the user logs in. So I’m expecting the user that´s accessing my login page to send me a redir parameter (containing the URL he wants go to after he´s authenticated). When I request the page, not when I try to submit the form to log in.

For example: localhost/myApp?redir=my.app.com/custom

How can I get the redir param from URL?

I’ve tried several things, including overriding SimpleUrlAuthenticationSuccessHandler and calling request.getParameter(“redir”) but it returns null. I’ve also tried implementing my own filter UsernamePasswordAuthenticationFilter and calling getParameter() on attemptAuthentication, but returns null.

UPDATE for additional info:
My login page is fairly simple, basically: A form calling /j_spring_security_check via POST method (with j_username and j_password parameters).

My authentication provider implements AuthenticationManager, so the Authentication object is returned with the authorization list, user, password after the user has authenticated.

I also implemented SimpleUrlAuthenticationSuccessHandler and the method onAuthenticationSuccess() would check his permissions and if authenticated and permissioned, the user would be redirected to the page he informed on URL (now, when I try to call request.getParemeter(“redir”) on this method, I get null.

public class GetURLFilter extends UsernamePasswordAuthenticationFilter{
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException {

    String paginaRedirecionar = request.getParameter("redir");
    request.getSession().setAttribute("redirecionamento", paginaRedirecionar);

    return super.attemptAuthentication(request, response);
}
}

<bean id="authenticationFilter"
    class="com.uolinc.adm.security.GetURLFilter"
    p:authenticationManager-ref="radiusAuthenticationManager"
    p:authenticationFailureHandler-ref="radiusAuthenticationFailureHandler"
    p:authenticationSuccessHandler-ref="radiusAuthenticationSuccessHandler" />

<security:http auto-config="false"
    use-expressions="true"
    access-denied-page="/auth/denied" entry-point-ref="authenticationEntryPoint"
    disable-url-rewriting="true"
    access-decision-manager-ref="accessDecisionManager">

    <security:logout logout-url="/auth/logout" logout-success-url="/auth/login" />

    <security:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter" />
</security:http>

Thank you

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    UsernamePasswordAuthenticationFilter and SimpleUrlAuthenticationSuccessHandler are called during the submission of the login form, which is a different request from the one which renders the form. So a parameter which was present during the request for the form will not be present when you submit the form. You would need to cache the parameter in the session or add it to the login form as a hidden parameter to be re-submitted with the normal login parameters (so that it will be available to your AuthenticationSuccessHandler).

    Note that using client supplied data for a redirect in this way is risky unless you have some sort of validation in place (e.g. checking that the URL is within your app). Otherwise an attacker can supply a URL which links to a malicious site and probably be able to hijack the authenticated session or perform operations on the secured site without the user’s knowledge.

    • 0