Class AbstractAuthenticationTargetUrlRequestHandler
- java.lang.Object
-
- org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler
-
- Direct Known Subclasses:
SimpleUrlAuthenticationSuccessHandler
,SimpleUrlLogoutSuccessHandler
public abstract class AbstractAuthenticationTargetUrlRequestHandler extends java.lang.Object
Base class containing the logic used by strategies which handle redirection to a URL and are passed anAuthentication
object as part of the contract. SeeAuthenticationSuccessHandler
andLogoutSuccessHandler
, for example.Uses the following logic sequence to determine how it should handle the forward/redirect
-
If the
alwaysUseDefaultTargetUrl
property is set to true, thedefaultTargetUrl
property will be used for the destination. -
If a parameter matching the value of
targetUrlParameter
has been set on the request, the value will be used as the destination. If you are enabling this functionality, then you should ensure that the parameter cannot be used by an attacker to redirect the user to a malicious site (by clicking on a URL with the parameter included, for example). Typically it would be used when the parameter is included in the login form and submitted with the username and password. -
If the
useReferer
property is set, the "Referer" HTTP header value will be used, if present. -
As a fallback option, the
defaultTargetUrl
value will be used.
- Since:
- 3.0
-
-
Field Summary
Fields Modifier and Type Field Description protected org.apache.commons.logging.Log
logger
-
Constructor Summary
Constructors Modifier Constructor Description protected
AbstractAuthenticationTargetUrlRequestHandler()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected java.lang.String
determineTargetUrl(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Builds the target URL according to the logic defined in the main class Javadoc.protected java.lang.String
determineTargetUrl(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication)
Builds the target URL according to the logic defined in the main class Javadocprotected java.lang.String
getDefaultTargetUrl()
Supplies the default target Url that will be used if no saved request is found or thealwaysUseDefaultTargetUrl
property is set to true.protected RedirectStrategy
getRedirectStrategy()
protected java.lang.String
getTargetUrlParameter()
protected void
handle(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication)
Invokes the configuredRedirectStrategy
with the URL returned by thedetermineTargetUrl
method.protected boolean
isAlwaysUseDefaultTargetUrl()
void
setAlwaysUseDefaultTargetUrl(boolean alwaysUseDefaultTargetUrl)
Iftrue
, will always redirect to the value ofdefaultTargetUrl
(defaults tofalse
).void
setDefaultTargetUrl(java.lang.String defaultTargetUrl)
Supplies the default target Url that will be used if no saved request is found in the session, or thealwaysUseDefaultTargetUrl
property is set to true.void
setRedirectStrategy(RedirectStrategy redirectStrategy)
Allows overriding of the behaviour when redirecting to a target URL.void
setTargetUrlParameter(java.lang.String targetUrlParameter)
If this property is set, the current request will be checked for this a parameter with this name and the value used as the target URL if present.void
setUseReferer(boolean useReferer)
If set totrue
theReferer
header will be used (if available).
-
-
-
Method Detail
-
handle
protected void handle(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication) throws java.io.IOException, javax.servlet.ServletException
Invokes the configuredRedirectStrategy
with the URL returned by thedetermineTargetUrl
method.The redirect will not be performed if the response has already been committed.
- Throws:
java.io.IOException
javax.servlet.ServletException
-
determineTargetUrl
protected java.lang.String determineTargetUrl(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication)
Builds the target URL according to the logic defined in the main class Javadoc- Since:
- 5.2
-
determineTargetUrl
protected java.lang.String determineTargetUrl(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Builds the target URL according to the logic defined in the main class Javadoc.
-
getDefaultTargetUrl
protected final java.lang.String getDefaultTargetUrl()
Supplies the default target Url that will be used if no saved request is found or thealwaysUseDefaultTargetUrl
property is set to true. If not set, defaults to/
.- Returns:
- the defaultTargetUrl property
-
setDefaultTargetUrl
public void setDefaultTargetUrl(java.lang.String defaultTargetUrl)
Supplies the default target Url that will be used if no saved request is found in the session, or thealwaysUseDefaultTargetUrl
property is set to true. If not set, defaults to/
. It will be treated as relative to the web-app's context path, and should include the leading/
. Alternatively, inclusion of a scheme name (such as "http://" or "https://") as the prefix will denote a fully-qualified URL and this is also supported.- Parameters:
defaultTargetUrl
-
-
setAlwaysUseDefaultTargetUrl
public void setAlwaysUseDefaultTargetUrl(boolean alwaysUseDefaultTargetUrl)
Iftrue
, will always redirect to the value ofdefaultTargetUrl
(defaults tofalse
).
-
isAlwaysUseDefaultTargetUrl
protected boolean isAlwaysUseDefaultTargetUrl()
-
setTargetUrlParameter
public void setTargetUrlParameter(java.lang.String targetUrlParameter)
If this property is set, the current request will be checked for this a parameter with this name and the value used as the target URL if present.- Parameters:
targetUrlParameter
- the name of the parameter containing the encoded target URL. Defaults to null.
-
getTargetUrlParameter
protected java.lang.String getTargetUrlParameter()
-
setRedirectStrategy
public void setRedirectStrategy(RedirectStrategy redirectStrategy)
Allows overriding of the behaviour when redirecting to a target URL.
-
getRedirectStrategy
protected RedirectStrategy getRedirectStrategy()
-
setUseReferer
public void setUseReferer(boolean useReferer)
If set totrue
theReferer
header will be used (if available). Defaults tofalse
.
-
-