Spring Boot Security Redirect After Login

By Dhiraj Ray, 18 December,2016  

Sometimes its required to redirect user to different pages post login based on the role of the user.For example if an user has an USER role then we want him to be redirected to /user and similarly to /admin for users having ADMIN role.In this post, we will be discussing about how to redirect user to different pages post login based on the role of the user.We will be implementing AuthenticationSuccessHandler of spring boot security to implement our custom way of redirecting user to different pages after successful login. As usual you can download the complete source code of the project at the end of the article.

Environment Setup

1. JDK 8 2. Spring Boot 3. Intellij Idea/ eclipse 4. Maven

Maven Dependencies

There is no any extra maven dependency is required for this case that we used in our previous post of Spring Boot Security Login Example.Hence let us ignore it for while.

Server Side

Now let us define our main configuration for spring security - SpringSecurityConfig.java.class is annotated with @EnableWebSecurity to enable Spring Security web security support.Here we have injected our SimpleAuthenticationSuccessHandler class which will be executed once user is successfully authenticated. In the mean time, we have also made configuration to secure our authentication process with CSRF attack.

SpringSecurityConfig.java
package com.developerstack.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; @Configuration @EnableWebSecurity public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private SimpleAuthenticationSuccessHandler successHandler; @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("**/login")).and().authorizeRequests() .antMatchers("/user").hasRole("USER") .antMatchers("/admin").hasRole("ADMIN") .and().formLogin().successHandler(/successHandler) .loginPage("/login").and().logout().permitAll(); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); auth.inMemoryAuthentication().withUser("admin").password("password").roles("ADMIN"); } }

Defining Authentication Success handler

Now let us define our AuthenticationSuccessHandler which will determine the roles assigned to the user and accordingly redirect user different urls. Implementations can do whatever they want but typical behaviour would be to control the navigation to the subsequent destination (using a redirect or a forward).

SimpleAuthenticationSuccessHandler.java
package com.developerstack.config; import java.io.IOException; import java.util.Collection; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.web.DefaultRedirectStrategy; import org.springframework.security.web.RedirectStrategy; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.stereotype.Component; @Component public class SimpleAuthenticationSuccessHandler implements AuthenticationSuccessHandler { private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy(); @Override public void onAuthenticationSuccess(HttpServletRequest arg0, HttpServletResponse arg1, Authentication authentication) throws IOException, ServletException { Collectionextends GrantedAuthority> authorities = authentication.getAuthorities(); authorities.forEach(authority -> { if(authority.getAuthority().equals("ROLE_USER")) { try { redirectStrategy.sendRedirect(arg0, arg1, "/user"); } catch (Exception e) { // TODO Auto-generated catch block e.printStackTrace(); } } else if(authority.getAuthority().equals("ROLE_ADMIN")) { try { redirectStrategy.sendRedirect(arg0, arg1, "/admin"); } catch (Exception e) { // TODO Auto-generated catch block e.printStackTrace(); } } else { throw new IllegalStateException(); } }); } }

Here is the controller mapping for different Http request for /user and /admin.

DashboardController.java
package com.developerstack.controller; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.servlet.ModelAndView; @Controller public class DashboardController { @RequestMapping(value = "/admin", method = RequestMethod.GET) public ModelAndView admin() { ModelAndView model = new ModelAndView(); model.setViewName("admin"); return model; } @RequestMapping(value = "/user", method = RequestMethod.GET) public ModelAndView user() { ModelAndView model = new ModelAndView(); model.setViewName("user"); return model; } }

Run Application

1. Run Application.java as a java application.

2. Hit the url as http://localhost:8080/login and following page will be served by the server.

spring-boot-security-login

3. Enter username/password as user/password and user will be redirected to http://localhost:8080/user

4. Again if we enter the username/password as admin/password, user will be redirected to http://localhost:8080/admin

Conclusion

I hope this article served you that you were looking for. If you have anything that you want to add or share then please share it below in the comment section.

Download the source

References: Spring Security Docs Spring Security References

Suggest more topics in suggestion section or write your own article and share with your colleagues.

Is this page helpful to you? Please give us your feedback below. We would love to hear your thoughts on these articles, it will help us improve further our learning process.

Further Reading: