Tuesday, May 7, 2013

Spring Security : Role based welcome page

As the title suggests, this post addresses the need to show a different welcome page to users with different roles.

For a simple web application with a single welcome page for all roles, the <welcome-file-list> element in web.xml is enough:

  <welcome-file-list>
      <welcome-file>profile.jsp</welcome-file>
  </welcome-file-list>
In a simple web application where our own code controls security, we can do the same thing by checking the user's roles and forwarding the response to the appropriate page with a RequestDispatcher; with an MVC framework such as Spring or Struts we only need to return the right view name and the framework takes care of the rest.

The main point of this post, however, is to describe how to achieve the same thing with Spring Security in place, not to discuss MVC frameworks.

Spring Security provides org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler, an AuthenticationSuccessHandler that redirects to a target URL after a successful authentication; the idea is to extend it with whatever post-login operations we want to perform.


My sample Spring Security http configuration:

As you can see, I have set authentication-success-handler-ref="authenticationSuccessRedirecthandler" on the <form-login> element in the security configuration. This is how the custom handler bean is wired into the authentication workflow. The handler itself:

import java.io.IOException;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

public class CustomAuthenticationHandler extends SimpleUrlAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {
        String userTargetUrl = "/user/profile.jsp";
        String adminTargetUrl = "/admin/dashboard.jsp";
        // Collect the authenticated user's granted authorities as plain role names.
        Set<String> roles = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
        if (roles.contains("ROLE_ADMIN")) {
            // ROLE_ADMIN is checked first, so a user holding both roles lands on the admin page.
            getRedirectStrategy().sendRedirect(request, response, adminTargetUrl);
        } else if (roles.contains("ROLE_USER")) {
            getRedirectStrategy().sendRedirect(request, response, userTargetUrl);
        } else {
            // No recognised role: fall back to the default target URL handling of the parent class.
            super.onAuthenticationSuccess(request, response, authentication);
        }
    }
}

onAuthenticationSuccess is a callback that Spring Security invokes once the user has logged in successfully, so that any post-login operations can be performed. Note that the handler only chooses the landing page; it does not restrict which pages a role may open, which remains the job of the URL authorization rules in the http configuration.

Once the web application is built and deployed on the server, entering any URL of the application brings up the login screen to authenticate the user.

Say we have two users configured:

Username   Password   Role
sam        sam        ROLE_USER
admin      admin      ROLE_ADMIN

User logs in with sam:

Since sam has ROLE_USER, the onAuthenticationSuccess method of CustomAuthenticationHandler redirects the user to /user/profile.jsp on successful login.



User logs in with admin:

Since admin has ROLE_ADMIN, the onAuthenticationSuccess method of CustomAuthenticationHandler redirects the user to /admin/dashboard.jsp on successful login.
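The two logins walked through above, as an added JUnit test that is not part of the original post: it drives CustomAuthenticationHandler with Spring's servlet mocks and also checks the two cases the post does not show, a user holding both roles and a user holding neither. It assumes spring-test and JUnit 4 are on the classpath.

```java
import static org.junit.Assert.assertEquals;

import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example, not part of the original post: exercises CustomAuthenticationHandler
// with Spring's servlet mocks (spring-test) and JUnit 4, both assumed on the classpath.
public class CustomAuthenticationHandlerTest {

    // Runs the handler for a user holding the given roles and returns where it redirected.
    private String redirectFor(String... roles) throws Exception {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "user", "n/a", AuthorityUtils.createAuthorityList(roles));
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/login");
        MockHttpServletResponse response = new MockHttpServletResponse();

        CustomAuthenticationHandler handler = new CustomAuthenticationHandler();
        handler.setDefaultTargetUrl("/"); // used only when no known role matches
        handler.onAuthenticationSuccess(request, response, auth);
        return response.getRedirectedUrl();
    }

    @Test
    public void userRoleLandsOnProfile() throws Exception {
        assertEquals("/user/profile.jsp", redirectFor("ROLE_USER"));
    }

    @Test
    public void adminRoleLandsOnDashboard() throws Exception {
        assertEquals("/admin/dashboard.jsp", redirectFor("ROLE_ADMIN"));
    }

    @Test
    public void adminWinsWhenBothRolesAreHeld() throws Exception {
        // ROLE_ADMIN is tested first in the handler, so it takes precedence.
        assertEquals("/admin/dashboard.jsp", redirectFor("ROLE_USER", "ROLE_ADMIN"));
    }

    @Test
    public void unknownRoleFallsBackToDefaultTarget() throws Exception {
        // Neither role matches: the parent class redirects to the default target URL.
        assertEquals("/", redirectFor("ROLE_GUEST"));
    }
}
```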

3 comments:

  1. Way to go. A good read. Looking forward to some more informative stuff on spring security.
