vaadin/spring

Redirection error on re-login

paodb opened this issue · 9 comments

paodb commented

After backport requested in this ticket vaadin/flow#14178 for Vaadin 22, a redirection error on re-login is happening:

The problem concerns users logging in and out of the application and the redirection to /ui (Vaadin version 22.0.24). Logging into the application the first time works okay. After logging out, the login view appears again, and when the user logs back in a whitelabel error page occurs. After hitting the 'back' button in the browser, the page loads correctly.

The situation seems to be the following:

Spring Security tracks a "saved request", so that if you attempt to navigate to http://127.0.0.1:8080/ui/about by typing that URL to the browser, you are redirected to the About view after login.
The first time that you log in, there is no saved request, so it redirects to the defaultTargetUrl (which is correctly set as /ui/).
After you log out, the saved request is set to / thus after login you are redirected to / (instead of /ui).
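
The saved-request sequence described in this report, as an added example that is not part of the original issue or of Spring Security's code: a simplified plain-Java model of the request cache and the post-login redirect decision, run once with the logout URL set to / and once with /ui/. The class and method names are hypothetical, and it assumes every URL except /login requires authentication.

```java
/** Simplified model of the saved-request redirect flow (illustrative, not Spring Security code). */
public class SavedRequestModel {
    static final String LOGIN = "/login";
    static final String DEFAULT_TARGET = "/ui/";   // defaultTargetUrl from the report

    private final String logoutSuccessUrl;         // where the browser is sent after logout
    private boolean authenticated = false;
    private String savedRequest = null;            // stands in for the session's request cache

    SavedRequestModel(String logoutSuccessUrl) {
        this.logoutSuccessUrl = logoutSuccessUrl;
    }

    /** Anonymous request to a protected URL: remember it and send the user to the login page. */
    String get(String url) {
        if (authenticated || url.equals(LOGIN)) {
            return url;
        }
        savedRequest = url;
        return LOGIN;
    }

    /** Successful login: a saved request takes precedence over the default target. */
    String login() {
        authenticated = true;
        String target = (savedRequest != null) ? savedRequest : DEFAULT_TARGET;
        savedRequest = null;
        return target;
    }

    /** Logout drops the session state, then the browser follows the logout redirect anonymously. */
    String logout() {
        authenticated = false;
        savedRequest = null;
        return get(logoutSuccessUrl);
    }

    public static void main(String[] args) {
        for (String logoutUrl : new String[] {"/", "/ui/"}) {
            SavedRequestModel app = new SavedRequestModel(logoutUrl);
            app.get(LOGIN);                        // user opens the login page directly
            String first = app.login();            // no saved request yet
            app.logout();                          // logout redirect re-populates the cache
            String second = app.login();
            System.out.printf("logout URL %-4s -> first login %s, re-login %s%n",
                    logoutUrl, first, second);
        }
    }
}
```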

paodb commented

The same issue can be reproduced in Vaadin 23. See my-app.zip

The logout URL is set to / so when you log out, you visit / and are redirected there after log in

paodb commented

Good catch. I had failed to connect the dots:

After you log out, the saved request is set to / thus after login you are redirected to / (instead of /ui).

In addition to configuring LOGOUT_URL as /ui, I found it useful to add a small redirect servlet, so that when the user requests / while they are logged in, they are redirected to /ui (that also kicks in when the user lands at / before logging in).

public class RedirectServlet extends HttpServlet {
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.sendRedirect("/ui/");
    }
}

In the Application class:

@Bean
public ServletRegistrationBean<?> redirectServlet(){
    return new ServletRegistrationBean<>(new RedirectServlet(),"/");
}

Is there something to be fixed here?

paodb commented

In addition to configuring LOGOUT_URL as /ui, I found it useful to add a small redirect servlet, so that when the user requests / while they are logged in, they are redirected to /ui (that also kicks in when the user lands at / before logging in).

The Servlet approach doesn't seem to be the best one, as it overrides the default servlet. A better approach seems to be to implement a Filter.

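import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Redirects requests for the root path to /ui/; all other requests continue down the chain.
public class RedirectionFilter implements Filter {

    @Override
    public void doFilter(
            ServletRequest request,
            ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (req.getRequestURI().equals("/")) {
            // Fixed, application-internal target: nothing from the request influences it.
            resp.sendRedirect("/ui/");
        } else {
            chain.doFilter(request, response);
        }
    }
}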

And in the Application class:

@Bean
public FilterRegistrationBean<RedirectionFilter> loggingFilter() {
    FilterRegistrationBean<RedirectionFilter> registrationBean = new FilterRegistrationBean<>();

    registrationBean.setFilter(new RedirectionFilter());
    registrationBean.addUrlPatterns("/");

    return registrationBean;
}

paodb commented

Is there something to be fixed here?

I did a little bit more testing, and the missing LOGOUT_URL configuration and the filter approach I just mentioned in my previous comment seem to be the solution. I'm waiting on confirmation from the customer who reported this.

@paodb did you get confirmation about this issue from the customer?

Hi @mcollovati. It seems that this issue is still happening, but we're waiting for more information. Please give us some more time and we will let you know.

paodb commented

Closing the ticket as I've got confirmation that the issue is solved with the filter approach implementation.