Class AbstractAuthenticationTargetUrlRequestHandler

  • Direct Known Subclasses:
    SimpleUrlAuthenticationSuccessHandler, SimpleUrlLogoutSuccessHandler

    public abstract class AbstractAuthenticationTargetUrlRequestHandler
    extends java.lang.Object
    Base class containing the logic used by strategies which handle redirection to a URL and are passed an Authentication object as part of the contract. See AuthenticationSuccessHandler and LogoutSuccessHandler, for example.

    Uses the following logic sequence to determine how it should handle the forward/redirect:

    • If the alwaysUseDefaultTargetUrl property is set to true, the defaultTargetUrl property will be used for the destination.
    • If a parameter matching the value of targetUrlParameter has been set on the request, the value will be used as the destination. If you are enabling this functionality, then you should ensure that the parameter cannot be used by an attacker to redirect the user to a malicious site (by clicking on a URL with the parameter included, for example). Typically it would be used when the parameter is included in the login form and submitted with the username and password.
    • If the useReferer property is set, the "Referer" HTTP header value will be used, if present.
    • As a fallback option, the defaultTargetUrl value will be used.
    Since:
    3.0
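
    One way to enforce the caution above about the target URL parameter, as an added example (not code from the Spring Security project): a subclass that accepts the resolved target only when it is a context-relative path and otherwise falls back to defaultTargetUrl. The class name, the "continue" parameter name and the "/home" default are assumptions made for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

/** Hypothetical subclass: honours request-supplied targets only when they are local paths. */
public class LocalTargetUrlSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    public LocalTargetUrlSuccessHandler() {
        setDefaultTargetUrl("/home");       // constructed value: the fallback destination
        setTargetUrlParameter("continue");  // constructed parameter name
        setUseReferer(false);               // the default; Referer is client-supplied as well
    }

    @Override
    protected String determineTargetUrl(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication) {
        // Let the base class apply its documented precedence first.
        String target = super.determineTargetUrl(request, response, authentication);
        // The configured default is trusted; anything else came from the request.
        if (getDefaultTargetUrl().equals(target) || isLocalPath(target)) {
            return target;
        }
        logger.warn("Rejected non-local redirect target, using defaultTargetUrl");
        return getDefaultTargetUrl();
    }

    /** Accepts only context-relative paths such as /account/settings. */
    static boolean isLocalPath(String url) {
        if (url == null || url.length() > 2048 || !url.startsWith("/")) {
            return false;  // null, oversized, or not rooted at "/" (includes scheme-qualified URLs)
        }
        if (url.startsWith("//") || url.startsWith("/\\")) {
            return false;  // scheme-relative forms that browsers resolve to another host
        }
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return false;  // control characters, including CR and LF
            }
        }
        return true;
    }
}
```

    If several external destinations are legitimately needed, replace isLocalPath with an exact-match allowlist of full URLs rather than prefix or substring checks.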
    • Field Summary

      Fields 
      Modifier and Type Field Description
      protected org.apache.commons.logging.Log logger  
    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      protected java.lang.String determineTargetUrl​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Builds the target URL according to the logic defined in the main class Javadoc.
      protected java.lang.String determineTargetUrl​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication)
      Builds the target URL according to the logic defined in the main class Javadoc.
      protected java.lang.String getDefaultTargetUrl()
      Supplies the default target Url that will be used if no saved request is found or the alwaysUseDefaultTargetUrl property is set to true.
      protected RedirectStrategy getRedirectStrategy()  
      protected java.lang.String getTargetUrlParameter()  
      protected void handle​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication)
      Invokes the configured RedirectStrategy with the URL returned by the determineTargetUrl method.
      protected boolean isAlwaysUseDefaultTargetUrl()  
      void setAlwaysUseDefaultTargetUrl​(boolean alwaysUseDefaultTargetUrl)
      If true, will always redirect to the value of defaultTargetUrl (defaults to false).
      void setDefaultTargetUrl​(java.lang.String defaultTargetUrl)
      Supplies the default target Url that will be used if no saved request is found in the session, or the alwaysUseDefaultTargetUrl property is set to true.
      void setRedirectStrategy​(RedirectStrategy redirectStrategy)
      Allows overriding of the behaviour when redirecting to a target URL.
      void setTargetUrlParameter​(java.lang.String targetUrlParameter)
      If this property is set, the current request will be checked for a parameter with this name, and its value will be used as the target URL if present.
      void setUseReferer​(boolean useReferer)
      If set to true the Referer header will be used (if available).
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • logger

        protected final org.apache.commons.logging.Log logger
    • Constructor Detail

      • AbstractAuthenticationTargetUrlRequestHandler

        protected AbstractAuthenticationTargetUrlRequestHandler()
    • Method Detail

      • handle

        protected void handle​(javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response,
                              Authentication authentication)
                       throws java.io.IOException,
                              javax.servlet.ServletException
        Invokes the configured RedirectStrategy with the URL returned by the determineTargetUrl method.

        The redirect will not be performed if the response has already been committed.

        Throws:
        java.io.IOException
        javax.servlet.ServletException
      • determineTargetUrl

        protected java.lang.String determineTargetUrl​(javax.servlet.http.HttpServletRequest request,
                                                      javax.servlet.http.HttpServletResponse response,
                                                      Authentication authentication)
        Builds the target URL according to the logic defined in the main class Javadoc.
        Since:
        5.2
      • determineTargetUrl

        protected java.lang.String determineTargetUrl​(javax.servlet.http.HttpServletRequest request,
                                                      javax.servlet.http.HttpServletResponse response)
        Builds the target URL according to the logic defined in the main class Javadoc.
      • getDefaultTargetUrl

        protected final java.lang.String getDefaultTargetUrl()
        Supplies the default target Url that will be used if no saved request is found or the alwaysUseDefaultTargetUrl property is set to true. If not set, defaults to /.
        Returns:
        the defaultTargetUrl property
      • setDefaultTargetUrl

        public void setDefaultTargetUrl​(java.lang.String defaultTargetUrl)
        Supplies the default target Url that will be used if no saved request is found in the session, or the alwaysUseDefaultTargetUrl property is set to true. If not set, defaults to /. It will be treated as relative to the web-app's context path, and should include the leading /. Alternatively, inclusion of a scheme name (such as "http://" or "https://") as the prefix will denote a fully-qualified URL and this is also supported.
        Parameters:
        defaultTargetUrl -
      • setAlwaysUseDefaultTargetUrl

        public void setAlwaysUseDefaultTargetUrl​(boolean alwaysUseDefaultTargetUrl)
        If true, will always redirect to the value of defaultTargetUrl (defaults to false).
      • isAlwaysUseDefaultTargetUrl

        protected boolean isAlwaysUseDefaultTargetUrl()
      • setTargetUrlParameter

        public void setTargetUrlParameter​(java.lang.String targetUrlParameter)
        If this property is set, the current request will be checked for a parameter with this name, and its value will be used as the target URL if present.
        Parameters:
        targetUrlParameter - the name of the parameter containing the encoded target URL. Defaults to null.
      • getTargetUrlParameter

        protected java.lang.String getTargetUrlParameter()
      • setRedirectStrategy

        public void setRedirectStrategy​(RedirectStrategy redirectStrategy)
        Allows overriding of the behaviour when redirecting to a target URL.
      • setUseReferer

        public void setUseReferer​(boolean useReferer)
        If set to true the Referer header will be used (if available). Defaults to false.