Spring Boot Spring Security: Change the Destination After Login

Success Handler

We can change the destination after login using Spring Security.
To do this, we extend SavedRequestAwareAuthenticationSuccessHandler.
In the handler we can read the user's role and decide where each role goes.

Example

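import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class AuthSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    @Override
    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
        // The login filter stores the new Authentication in the context before this handler runs.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Compare authority names exactly; a substring check on toString()
        // would also match names such as "ROLE_SUPERUSER".
        Set<String> authorities = AuthorityUtils.authorityListToSet(auth.getAuthorities());

        if (authorities.contains("ADMIN")) {
            return "/admin";
        }
        if (authorities.contains("ROLE_USER")) { // roles("USER") is stored as "ROLE_USER"
            return "/user/index";
        }
        // Others
        return "/";
    }
}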

Point: get the role from the security context, check it, and choose the destination.
ADMIN goes to /admin, USER goes to /user/index.

How do we set the role? That is the next step. We can set roles in the configuration.

Set and Test

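import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthSuccessHandler authSuccessHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable() // disabled for testing only
                .authorizeRequests()
                .antMatchers("/css/**", "/index").permitAll()
                .antMatchers("/api/**").permitAll()
                .antMatchers("/admin/**").hasAuthority("ADMIN")
                // hasAnyRole("USER", "ADMIN") checks ROLE_USER / ROLE_ADMIN and would reject
                // "admin", who holds the plain authority "ADMIN", so match authority names instead.
                .antMatchers("/user/**").hasAnyAuthority("ROLE_USER", "ADMIN")
                .and()
                .formLogin()
                .successHandler(authSuccessHandler);
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Spring Security 5 and later expect an encoder id prefix on stored
        // passwords, for example "{noop}password" for plain text in tests.
        auth
                .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER")           // stored as ROLE_USER
                .and()
                    .withUser("admin").password("admin").authorities("ADMIN")  // stored as ADMIN
                .and()
                    .withUser("buruburu").password("buruburu").roles("BLUE");  // stored as ROLE_BLUE
    }
}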

CSRF is disabled for testing.
/admin/**: only users who have the ADMIN authority can access it.
/user/**: only USER or ADMIN users can access it.
Access to those paths requires logging in as a user with the matching authority.

In the authentication configuration, I prepared 3 users: “user” with the USER role, “admin” with the ADMIN authority, and a general user “buruburu”.

Test

Access the login page at localhost:8080/login; this is the default login page.
If you sign in as user or admin, you can access the pages under /user or /admin.
Details:

User        Access point
user        /api, /user
admin       /api, /user, /admin
buruburu    /api
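
The same checks can be automated. The following test is an added example, not part of the original post: it logs in as each of the three users and checks the redirect, then confirms that the URL rules still deny the wrong users. It assumes JUnit 5, spring-boot-starter-test and spring-security-test on the test classpath, and that the three logins succeed with the passwords shown above; the class name and the /admin/x and /user/x paths are made up for the test.

```java
// Added example (not from the original post); LoginRedirectTest is a hypothetical name.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
class LoginRedirectTest {

    @Autowired
    private MockMvc mvc;

    // Real form logins: with no saved request, the target comes from AuthSuccessHandler.
    @Test
    void loginRedirectsByRole() throws Exception {
        expectLanding("admin", "admin", "/admin");
        expectLanding("user", "password", "/user/index");
        expectLanding("buruburu", "buruburu", "/");
    }

    private void expectLanding(String name, String password, String target) throws Exception {
        mvc.perform(formLogin().user(name).password(password))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrl(target));
    }

    // The redirect is only a convenience; the antMatchers rules are what enforce access.
    // Constructed paths: no controller is needed, the security filter answers first.
    @Test
    void protectedAreasDenyOtherUsers() throws Exception {
        mvc.perform(get("/admin/x").with(user("user").roles("USER")))
           .andExpect(status().isForbidden());
        mvc.perform(get("/admin/x").with(user("buruburu").roles("BLUE")))
           .andExpect(status().isForbidden());
        mvc.perform(get("/user/x").with(user("buruburu").roles("BLUE")))
           .andExpect(status().isForbidden());
        mvc.perform(get("/admin/x")) // anonymous: sent to the login page
           .andExpect(redirectedUrlPattern("**/login"));
    }
}
```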