Home/ Questions/Q 8992461
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T22:57:36+00:00

In my grails app I have customized the post authorization workflow by writing a

  • 0

In my grails app I have customized the post authorization workflow by writing a custom auth success handler (in resources.groovy) as shown below. 

authenticationSuccessHandler (MyAuthSuccessHandler) {
    def conf = SpringSecurityUtils.securityConfig
    requestCache = ref('requestCache')
    defaultTargetUrl = conf.successHandler.defaultTargetUrl
    alwaysUseDefaultTargetUrl = conf.successHandler.alwaysUseDefault
    targetUrlParameter = conf.successHandler.targetUrlParameter
    useReferer = conf.successHandler.useReferer
    redirectStrategy = ref('redirectStrategy')
    superAdminUrl = "/admin/processSuperAdminLogin"
    adminUrl = "/admin/processAdminLogin"
    userUrl = "/admin/processUserLogin"
}

As you can from the last three lines in the closure above, depending on the Role granted to the logging in User I am redirecting her to separate actions within the AdminController where a custom UserSessionBean is created and stored in the session.

It works fine for a regular login case which in my app is like so:

  1. User comes to the app via either http://localhost:8080/my-app/ OR http://localhost:8080/my-app/login/auth
  2. She enters her valid login id and password and proceeds.
  3. The app internally accesses MyAuthSuccessHandler which redirects to AdminController considering the Role granted to this User.
  4. The UserSessionBean is created and stored it in the session
  5. User is taken to the app home page

I have also written a custom MyUserDetailsService by extending GormUserDetailsService which is correctly accessed in the above flow.

PROBLEM SCENARIO:
Consider a user directly accessing a protected resource (in this case the controller is secured with @Secured annotation) within the app.

  1. User clicks http://localhost:8080/my-app/inbox/index
  2. App redirects her to http://localhost:8080/my-app/login/auth
  3. User enters her valid login id and password
  4. User is taken to http://localhost:8080/my-app/inbox/index

The MyAuthSuccessHandler is skipped entirely in this process and hence my UserSessionBean is not created leading to errors upon further use in places where the UserSessionBean is accessed.

QUESTIONS:

  1. In the problem scenario, does the app skip the MyAuthSuccessHandler because there is a target URL for it to redirect to upon login?
  2. Can we force the process to always pass through MyAuthSuccessHandler even with the target URL present?
  3. If the answer to 2 is no, is there an alternative as to how and where the UserSessionBean can still be created?
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can implement a customized eventListener to handle the post-login process, without disrupting the original user requested url.

    In config.groovy, insert a config item:

    grails.plugins.springsecurity.useSecurityEventListener = true

    In you resources.groovy, add a bean like this:

    import com.yourapp.auth.LoginEventListener
beans = {
    loginEventListener(LoginEventListener)
}

    And create a eventListener in src/groovy like this:

    package com.yourapp.auth
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent
import org.springframework.web.context.request.RequestContextHolder as RCH

class LoginEventListener implements
    ApplicationListener<InteractiveAuthenticationSuccessEvent> {    

    //deal with successful login    
    void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
        User.withTransaction { 
            def user = User.findByUsername(event.authentication.principal.username)
                    def adminRole = Role.findByAuthority('ROLE_ADMIN')
                    def userRole = Role.findByAuthority('ROLE_USER')
                    def session = RCH.currentRequestAttributes().session      //get httpSession
                    session.user = user
                    if(user.authorities.contains(adminRole)){
                        processAdminLogin()
                    }
                    else if(user.authorities.contains(userRole)){
                        processUserLogin()
                    }
        }
    }

    private void processAdminLogin(){    //move admin/processAdminLogin here
          .....
    }

    private void processUserLogin(){    //move admin/processUserLogin here
          .....
    }
}

    Done.

    • 0