Spring Security – Redirect to the Previous URL After Login

Last modified: March 1, 2017

1. Overview


This article will focus on how to redirect a user back to the originally requested URL – after they log in.


Previously, we’ve seen how to redirect to different pages after login with Spring Security for different types of users and covered various types of redirections with Spring MVC.


This article builds on the Spring Security Login tutorial.


2. Common Practice


The most common ways to implement redirection logic after login are:


  • using HTTP Referer header
  • saving the original request in the session
  • appending original URL to the redirected login URL

Using the HTTP Referer header is the simplest approach, since most browsers and HTTP clients set Referer automatically. However, the header is under the client's control: it can be forged, stripped or omitted depending on the client implementation, so using it to drive redirection is generally not recommended.


Saving the original request in the session is a safe and robust way to implement this kind of redirect. Besides the original URL, we can store original request attributes and any custom properties in the session.


Appending the original URL to the login URL is commonly seen in SSO implementations: the redirect to the SSO service carries the originally requested URL as a parameter, and after authentication the user is sent back to that URL. We must make sure the appended URL is properly encoded.


Another similar implementation is to put the original request URL in a hidden field inside the login form. Since that value is also supplied by the client, this is no better than using the HTTP Referer header.


In Spring Security, the first two approaches are natively supported.


Note that with newer versions of Spring Boot, Spring Security redirects by default, after login, to the secured resource we originally tried to access. If we need to always redirect to a specific URL instead, we can force that through the corresponding HttpSecurity configuration.


3. AuthenticationSuccessHandler


In form-based authentication, redirection happens right after login, which is handled in an AuthenticationSuccessHandler instance in Spring Security.


Three default implementations are provided: SimpleUrlAuthenticationSuccessHandler, SavedRequestAwareAuthenticationSuccessHandler and ForwardAuthenticationSuccessHandler. We’ll focus on the first two implementations.


3.1. SavedRequestAwareAuthenticationSuccessHandler


SavedRequestAwareAuthenticationSuccessHandler makes use of the saved request stored in the session. After a successful login, users will be redirected to the URL saved in the original request.


For form login, SavedRequestAwareAuthenticationSuccessHandler is used as the default AuthenticationSuccessHandler.


@Configuration
@EnableWebSecurity
public class RedirectionSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // the login page is public, everything else requires authentication;
        // formLogin() registers SavedRequestAwareAuthenticationSuccessHandler by default
        http.authorizeHttpRequests(authz -> authz
                .requestMatchers("/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}

And the equivalent XML would be:


<http>
    <intercept-url pattern="/login" access="permitAll"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <form-login />
</http>

Suppose we have a secured resource at location “/secured”. For the first time access to the resource, we’ll be redirected to the login page; after filling in credentials and posting the login form, we’ll be redirected back to our originally requested resource location:


@Test
public void givenAccessSecuredResource_whenAuthenticated_thenRedirectedBack()
  throws Exception {
    // first, unauthenticated access is redirected to the login page
    MockHttpServletRequestBuilder securedResourceAccess = get("/secured");
    MvcResult unauthenticatedResult = mvc
      .perform(securedResourceAccess)
      .andExpect(status().is3xxRedirection())
      .andReturn();

    // the session now holds the saved request for "/secured"
    MockHttpSession session = (MockHttpSession) unauthenticatedResult
      .getRequest().getSession();
    String loginUrl = unauthenticatedResult.getResponse().getRedirectedUrl();

    // posting valid credentials with that session redirects back to "/secured"
    mvc.perform(post(loginUrl)
        .param("username", userDetails.getUsername())
        .param("password", userDetails.getPassword())
        .session(session)
        .with(csrf()))
      .andExpect(status().is3xxRedirection())
      .andExpect(redirectedUrlPattern("**/secured"));
}


3.2. SimpleUrlAuthenticationSuccessHandler


Compared to the SavedRequestAwareAuthenticationSuccessHandler, SimpleUrlAuthenticationSuccessHandler gives us more options on redirection decisions.


We can enable Referer-based redirection by calling setUseReferer(true):


public class RefererRedirectionAuthenticationSuccessHandler
  extends SimpleUrlAuthenticationSuccessHandler
  implements AuthenticationSuccessHandler {

    public RefererRedirectionAuthenticationSuccessHandler() {
        super();
        // redirect to the Referer header value when present, otherwise to the default target URL
        setUseReferer(true);
    }
}


Then use it as the AuthenticationSuccessHandler in RedirectionSecurityConfig:


@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(authz -> authz
            .requestMatchers("/login").permitAll()
            .anyRequest().authenticated())
        .formLogin(form -> form
            .successHandler(new RefererRedirectionAuthenticationSuccessHandler()));
    return http.build();
}

And for XML configuration:


<http>
    <intercept-url pattern="/login" access="permitAll"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <form-login authentication-success-handler-ref="refererHandler" />
</http>

<!-- the package below is a placeholder; use the handler's actual package -->
<beans:bean id="refererHandler"
  class="com.example.RefererRedirectionAuthenticationSuccessHandler" />
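The built-in setUseReferer(true) trusts whatever the client sent, which is exactly the weakness Section 2 warns about. The following handler is an added example (it is not part of the original article or the Baeldung project) that honours the Referer only when it points back at this application's own scheme, host and port, and otherwise falls back to the superclass's default target URL. The class name, the constructor parameters and the "/login" path passed in the usage note are assumptions; it targets Spring Security 6 (jakarta.servlet), so on Spring Security 5 the servlet imports become javax.servlet.

```java
import java.net.URI;
import java.net.URISyntaxException;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

/**
 * Added example, not from the original article: a Referer-based success handler that
 * follows the Referer only when it is an http(s) URL on this application's own origin.
 * Missing, malformed or foreign-origin values fall back to the default target URL.
 */
public class SameOriginRefererSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    // Hypothetical login page path: a Referer pointing at the login page itself
    // would only send the user back to the form, so it is treated as "no Referer".
    private final String loginPath;

    public SameOriginRefererSuccessHandler(String defaultTargetUrl, String loginPath) {
        super(defaultTargetUrl);
        this.loginPath = loginPath;
        // setUseReferer(true) is deliberately NOT called: that would trust any value,
        // and the decision is made in determineTargetUrl() instead.
    }

    @Override
    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
        String referer = request.getHeader("Referer");
        if (isSameOrigin(referer, request)) {
            return referer;
        }
        // superclass behaviour: targetUrlParameter / defaultTargetUrl handling
        return super.determineTargetUrl(request, response);
    }

    /** True only for an absolute http(s) Referer whose scheme, host and port match this request. */
    boolean isSameOrigin(String referer, HttpServletRequest request) {
        if (referer == null || referer.isBlank()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(referer);
        } catch (URISyntaxException e) {
            return false;              // malformed header: never redirect to it
        }
        String scheme = uri.getScheme();
        if (scheme == null || uri.getHost() == null || uri.getRawUserInfo() != null) {
            return false;              // relative, protocol-relative or "user@host" values
        }
        if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) {
            return false;
        }
        if (loginPath.equals(uri.getPath())) {
            return false;              // came from the login form itself
        }
        // getScheme()/getServerName()/getServerPort() are what the servlet container saw;
        // behind a reverse proxy they are only right if ForwardedHeaderFilter (or the
        // container's equivalent) is configured.
        return scheme.equalsIgnoreCase(request.getScheme())
            && uri.getHost().equalsIgnoreCase(request.getServerName())
            && effectivePort(uri) == request.getServerPort();
    }

    private static int effectivePort(URI uri) {
        if (uri.getPort() != -1) {
            return uri.getPort();
        }
        return "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
    }
}
```

It is registered exactly like the handler above, for instance with `.formLogin(form -> form.successHandler(new SameOriginRefererSuccessHandler("/", "/login")))`. The check overrides the two-argument determineTargetUrl because that is the method the superclass ultimately consults, so the targetUrlParameter and alwaysUseDefaultTargetUrl settings keep working for the fallback case.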


3.3. Under the Hood


There is no magic behind these easy-to-use features in Spring Security. When a secured resource is requested, the request passes through a chain of filters, which check the authentication principal and its permissions. If the session is not authenticated yet, an AuthenticationException is thrown.


The AuthenticationException is caught by the ExceptionTranslationFilter, which saves the current request and commences the authentication process, resulting in a redirection to the login page:


// simplified excerpt of the framework class; the real source contains additional handling
public class ExceptionTranslationFilter extends GenericFilterBean {

    private AuthenticationEntryPoint authenticationEntryPoint;
    private RequestCache requestCache = new HttpSessionRequestCache();
    private ThrowableAnalyzer throwableAnalyzer = new DefaultThrowableAnalyzer();

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            chain.doFilter(request, response);
        } catch (IOException ex) {
            throw ex;
        } catch (Exception ex) {
            // look for an AuthenticationException (or AccessDeniedException) in the cause chain
            Throwable[] causeChain = throwableAnalyzer.determineCauseChain(ex);
            RuntimeException ase = (AuthenticationException) throwableAnalyzer
              .getFirstThrowableOfType(AuthenticationException.class, causeChain);
            if (ase == null) {
                ase = (AccessDeniedException) throwableAnalyzer
                  .getFirstThrowableOfType(AccessDeniedException.class, causeChain);
            }
            if (ase == null) {
                // not a security exception: rethrow it
                throw new ServletException(ex);
            }
            handleSpringSecurityException(request, response, chain, ase);
        }
    }

    private void handleSpringSecurityException(HttpServletRequest request,
      HttpServletResponse response, FilterChain chain, RuntimeException exception)
      throws IOException, ServletException {

        if (exception instanceof AuthenticationException) {
            // not authenticated yet: start the authentication process
            sendStartAuthentication(request, response, chain,
              (AuthenticationException) exception);
        }
        // AccessDeniedException handling omitted here
    }

    protected void sendStartAuthentication(HttpServletRequest request,
      HttpServletResponse response, FilterChain chain,
      AuthenticationException reason) throws ServletException, IOException {
        // drop any partial authentication, save the original request in the
        // RequestCache (session-backed by default), then send the user to the login page
        SecurityContextHolder.getContext().setAuthentication(null);
        requestCache.saveRequest(request, response);
        authenticationEntryPoint.commence(request, response, reason);
    }
}



After login, we can customize behaviors in an AuthenticationSuccessHandler, as shown above.


4. Conclusion


In this Spring Security example, we discussed common practice for redirection after login and explained implementations using Spring Security.


Note that all the implementations we mentioned are vulnerable to unvalidated (open) redirect attacks if no validation or additional controls are applied: users might be redirected to a malicious site.


OWASP provides a cheat sheet on handling unvalidated redirects and forwards. It is a great help if we need to build such an implementation ourselves.
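When the redirect target comes from the client, as in the "append the original URL to the login URL" approach of Section 2 or a hidden form field, it must be validated before it reaches a Location header. The class below is an added example (not from the original article or the Baeldung project) that applies the allow-list approach recommended by the OWASP cheat sheet: it accepts either a site-absolute path or an absolute http(s) URL whose host is on an explicit allow-list, and returns a fallback URL for everything else. The class name, the "app.example" host and the sample inputs in main are constructed for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not from the original article: resolves a user-supplied redirect
 * target (a "redirect" parameter on the login URL, a hidden form field, ...) to a
 * value that is safe to put in a Location header, or to a fallback URL.
 */
public final class RedirectTargetValidator {

    private final Set<String> allowedHosts;   // lower-case host names we may redirect to
    private final String fallback;            // returned whenever the candidate is rejected

    public RedirectTargetValidator(Set<String> allowedHosts, String fallback) {
        this.allowedHosts = allowedHosts;
        this.fallback = fallback;
    }

    /** Returns the candidate unchanged if it is safe, otherwise the fallback URL. */
    public String resolve(String candidate) {
        if (candidate == null || candidate.isEmpty() || candidate.length() > 2048) {
            return fallback;
        }
        for (char c : candidate.toCharArray()) {
            // control characters (CR/LF header injection), whitespace and backslashes
            // (browsers normalise "/\evil.example" to "//evil.example") are never safe
            if (c <= 0x20 || c == 0x7f || c == '\\') {
                return fallback;
            }
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return fallback;
        }
        if (uri.getScheme() == null) {
            // Relative reference: accept only a site-absolute path. The raw string is
            // checked, not the parsed path: browsers treat "//evil.example" and even
            // "///evil.example" as protocol-relative URLs, while java.net.URI reports
            // the latter as a plain path.
            boolean siteAbsolute = candidate.startsWith("/") && !candidate.startsWith("//");
            return siteAbsolute ? candidate : fallback;
        }
        // Absolute URL: http(s) only, no userinfo ("allowed@evil"), host on the allow-list.
        boolean httpScheme = uri.getScheme().equalsIgnoreCase("http")
                          || uri.getScheme().equalsIgnoreCase("https");
        if (httpScheme && uri.getHost() != null && uri.getRawUserInfo() == null
                && allowedHosts.contains(uri.getHost().toLowerCase(Locale.ROOT))) {
            return candidate;
        }
        return fallback;
    }

    // Constructed inputs showing each decision; "app.example" is a placeholder host.
    public static void main(String[] args) {
        RedirectTargetValidator v = new RedirectTargetValidator(Set.of("app.example"), "/");
        String[] samples = {
            "/secured?tab=2",                       // kept: site-absolute path
            "https://app.example/secured",          // kept: allow-listed host
            "//evil.example/phish",                 // rejected: protocol-relative
            "/\\evil.example",                      // rejected: backslash
            "https://app.example@evil.example/",    // rejected: userinfo trick
            "javascript:alert(1)",                  // rejected: non-http scheme
            "https://evil.example/",                // rejected: host not on the list
            "/secured\r\nSet-Cookie: x=y"           // rejected: header injection
        };
        for (String s : samples) {
            System.out.println(s.replace("\r\n", "\\r\\n") + " -> " + v.resolve(s));
        }
    }
}
```

In a Spring Security application the natural place to call resolve() is a custom AuthenticationSuccessHandler (or the code that builds the login URL), so that the default target URL configured there doubles as the fallback; the validator itself has no framework dependency and can be unit-tested on its own.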


The full implementation code of this article can be found over on GitHub.