According to Doc: http://grails-plugins.github.io/grails-spring-security-core/guide/authentication.html for an Ajax Login, if the request is successful or fails there is a redirect. I am not sure why this redirect is needed for the AJAX world and was wondering if it is possible to turn it off? So that I just get back a success or fail to the Login POST request
You have to add the method "authAjax" at the Login Controller so you can send a different HTTP status code instead of causing the redirect.
Take a look at the section "Securing AJAX requests" here.
See the AJAX Authentication section of the Spring Security plugin docs.
Related
how does it really works?
I wrote a sample app using spring boot with security and thymeleaf.
As [tutorial]: http://www.thymeleaf.org/doc/articles/springsecurity.html shows ones just need to create controller and login page. But...
In security config there is fragment as
loginPage("/login.html")
then in controller there is request mapping for /login like
#RequestMapping("/login.html")
public String login() {
return "login.html";
}
and then in thymeleaf page there is action mapping like
<form th:action="#{/login.html}" method="post">
So..when ones try to access restricted page is redirected to login page which means that login.html is displayed. Then after filling the form user clicks the button and trigger action which is mapped on controller that returns login.html once again. Looks like a loop. But it works. How??
I think I see the confusion here. In recent versions of Spring Security, it is possible and even encouraged by default that the login page and login processing URL are the same address (but they don't need to be). This is possible because of different HTTP methods.
When redirected to login page, the page is retrieved using a GET request. The authentication filter sees this, but passes on the request to Spring MVC and the controller, since it is a GET request.
When submitting the form, the username and password are sent in a POST request. The authentication filter intercepts this request since it is POST, performs the authentication and takes action depending on the result. The request is not forwarded to the controller in this case.
I want to redirect from servlet to jira's dashboard.
What i am trying to do : when the user click create isse and fill all the details and submit, i check if the user with openid, after i check, i need to redirect the user to dashboard or i should be above to redirect to any workflow screen.
I tried the redirect with the following lines.
response.sendRedirect("/Dashboard.jspa");
after the servlet finishes, i want to redirect, i have the HttpServletResponse object. when i use the above redirect method it doesn't redirect.
please help.
I had some trouble with sendRedirect when doing some Confluence development. I opted for a JavaScript solution, although it's probably not what you were hoping for.
Call your servlet using an AJAX request with the required data (onclick of create issue in your case I guess), then if a success status code is received, use window.location.href = "/Dashboard.jspa"; to perform the redirect.
As a workaround, you can use the following code:
String redirectUrl = request.getContextPath() + "/";
response.sendRedirect(redirectUrl);
In this case, the user will be redirected to the default "home" page in Jira (this will not necessarily be Dashboard.jsp, but with default settings it does).
I've tested this code on Jira 7.3.1
i have my own AuthenticationSuccessHandler and overriding method onAuthenticationSuccess, where i need to redirect to some page with parameters from request before authenticate (i hope you understand what i mean, sorry for my english)
getRedirectStrategy().sendRedirect(request, response, targetUrl);
How can i do this with POST method (by default it is GET method)
You may do it without sendRedirect method using HTTP1.1 307 Temporary Redirect status code.
But AFAIK this is not a common practice and not all web browsers may support this.
Maybe server-side forward will suit your case.
Update:
If you want to send POST-redirect using spring-security API you may implement your own RedirectStrategy.
DefaultRedirectStrategy uses response.sendRedirect that will result in 302 response code sending by servlet container (I'm not sure about every container, at least tomcat sends 302).
Update 2:
You may send 307 back setting response status and "Location" header yourself:
resp.setStatus(SC_TEMPORARY_REDIRECT);
resp.setHeader("Location", absoluteRedirectUrl);
User-agent receiving this response must do next request using the same method that was used in previous request. So if first request was POST redirected request also will be POST.
I have an application that is wired with Spring 3.1 authentication. I have some pages which makes AJAX requests to show some information on the dialog. Now, if the user's session has timed out, the Spring redirects to the login page. I don't want an AJAX based login page. I would like the user to be navigated to the login page entirely, by canceling current operation. Once user logs in, navigate user back to the last page where he was (from where the AJAX request was made).
The redirection stuff works fine if the request is made from a page.
The class which performs the redirect to the login page is the LoginUrlAuthenticationEntryPoint. I would write a customized AuthenticationEntryPoint implementation which detects the Ajax request (for example, by looking at the Accept header), and sends an error code instead of performing a redirect.
You'll still have to detect this on the client side though. There's not much Spring Security can do there, but you should be able to reload the current page from Javascript, which will force a login, followed by a redirect to the original page (default Spring Security behaviour).
I'm using ASP.Net MVC beta 1 and I'm using the asp.net membership provider with the standard authentication controller to restrict access to my site.
I'm using ajax functionality to provide e.g. editing of values by loading partial views into a div with either jQuery $.get/$.ajax or with the Ajax.Actionlink MVC helper. This all works fine most of the time.
My problem comes once the login times out and you click on one of the ajax edit links - the ajax call returns the login page which is put into the div normally used for the edit form.
I want to find a way to redirect the whole page to the login form, when the authentication has timed out and an ajax link is clicked.
One way I can think of is looking at the html returned from the ajax call in the response callback and searching for the 'login' text or form field and doing a redirect from there - but this doesn't feel very clean - is there a better way?
This might help some:
Bypass Forms Authentication auto redirect to login, How to?
From the above answer it looks like http 403 isn't intercepted by Forms Authentication, so you can roll your own ActionFilter that returns an http 403 response if its an Ajax Request and Authorization failed.
On the client side, you could then check the response code for 403, and redirect to the appropriate login url.
There are probably other ways to do this as well!