I've got a basic Spring Security 3 set up using my own login page. My configuration is below. I have the login and sign up page accessible to all as well as most everything else. I'm new to Spring Security and understand that if a user is trying to access a protected resource they will be taken to the defined login page. And upon successful login they are taken to some other page, home in my case.

I want to keep the latter behavior; however, I'd like to specify that if a user tries to access certain resources they are taken to the sign up page, not the login page. Currently, in my annotated controllers I check the security context to see if the user is logged in and if not I redirect them to the sign up page. I only do this currently with two URLs and no others. This seemed redundant so I tried creating a HandlerInterceptor to redirect for these requests but realized that with annotations, you can't specify specific requests to be handled - they all are.

So I'm wondering if there is some way to implement this type of specific URL handling in Spring Security, or is going the HandlerInterceptor route my only option? Thanks!

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login*" access="permitAll"/>
    <intercept-url pattern="/signup*" access="permitAll"/>
    <intercept-url pattern="/static/**" filters="none"/>
    <intercept-url pattern="/" access="permitAll"/>
    <form-login login-page="/login" default-target-url="/home"/>

    <logout logout-success-url="/home"/>

    <anonymous/>
    <remember-me/>
</http>

A:

Check out this link Adding Custom Filters - my guess is you will need to extend the UsernamePasswordAuthenticationFilter with your own version that does the logic you've outlined above, rather than using the autoconfig and the <form-login> element.

Gandalf
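
As an added example (not code from the question, the answer, or Spring Security itself), here is one way to get the per-URL redirect asked about by implementing Spring Security's `AuthenticationEntryPoint` interface, which is called when an unauthenticated user requests a protected resource. The class name, the bean id in the comment and the two path prefixes are hypothetical. It assumes those paths are protected by their own `<intercept-url>` rules, since the entry point only runs for requests that are denied.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

// Wiring (assumed bean id): declare this class as a bean and reference it with
// <http ... entry-point-ref="signupAwareEntryPoint"> in the security config.
public class SignupAwareEntryPoint implements AuthenticationEntryPoint {

    // Hypothetical prefixes standing in for the two URLs from the question.
    private static final List<String> SIGNUP_PREFIXES =
            Arrays.asList("/members/", "/checkout/");

    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        // Redirect targets are fixed constants, never taken from the request,
        // so this cannot be turned into an open redirect.
        String target = wantsSignup(pathWithinApp(request)) ? "/signup" : "/login";
        response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + target));
    }

    // Path relative to the context root, without the query string, so the
    // match is made on the container's parsed path rather than the raw URI.
    static String pathWithinApp(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        return path;
    }

    static boolean wantsSignup(String path) {
        for (String prefix : SIGNUP_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }
}
```

The existing `<form-login>` element can stay in place to process the login form and apply `default-target-url`; only the choice of page shown to unauthenticated users changes.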
