Using Spring security and custom login form


Roman

Feb 21, 2018, 11:57:16 AM
to Hippo Community
Hi

I just started to use Spring Security and defining my own login form (e.g. login.jsp). That all works fine; however, there is one issue where I am not sure how this is intended to work.

For all authorization access I define via Spring Security, the custom login screen is shown properly, of course.

However, if I define e.g. a sitemap item to be authenticated and set allowed roles, that also works as long as the user is already authenticated from before. But if authentication is required when accessing this item, Hippo redirects to the out-of-the-box login form, and of course that's useless. So can I somewhere redefine this login URL so that I can define my custom login URL there (that could also be e.g. an SSO login location)?

Thanks 
Roman

Woonsan Ko

Feb 21, 2018, 3:43:44 PM
to hippo-c...@googlegroups.com
@hst:formloginpage on a mount node [1].
Are you using HST Spring Security Integration module [2] by the way?

The default JAAS login form URL and HTTP error pages are also configured in web.xml:

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>HSTSITE</realm-name>
    <form-login-config>
      <form-login-page>/login/login</form-login-page>
      <form-error-page>/login/error</form-error-page>
    </form-login-config>
  </login-config>

Regards,

Woonsan

 


--
Hippo Community Group: The place for all discussions and announcements about Hippo CMS (and HST, repository etc. etc.)
 
To post to this group, send email to hippo-community@googlegroups.com
RSS: https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
---
You received this message because you are subscribed to the Google Groups "Hippo Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hippo-community+unsubscribe@googlegroups.com.
Visit this group at https://groups.google.com/group/hippo-community.
For more options, visit https://groups.google.com/d/optout.




Roman

Feb 22, 2018, 6:21:26 AM
to Hippo Community
Hi

Thanks for the quick answer. Yes I am using [2].

I tried changing the mount formloginpage and that indeed does what I need. However, I see some issues with redirection after successful authentication: when the authentication and redirection to the custom login form is handled fully by Spring Security, the redirection after login works, as Spring keeps the original request URI in the session.
However, in the case that the login is enforced by HST, my custom login form is now used, but of course afterwards Spring does not know the original request URI and just redirects to the default URI.

Honestly, I am not sure if in practice it will be a big use case to use Spring Security for securing and still use authentication rules on the HST sitemap... but still it would be good to know if it's feasible (including the correct redirect afterwards).

So would it maybe be possible to overwrite the functionality that actually initiates the login form redirect (and uses that formloginpage property on the mount)? Then we could maybe hook in and add the redirect URI as a request parameter; for an SSO this normally works like that as well.
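
Carrying the original URI as a request parameter, as proposed above, makes the post-login target attacker-controllable unless it is checked. The following is an added example, not part of the original posts and not code from Hippo or Spring Security: a success handler that only follows site-local paths. The parameter name `destination`, the class name and the default target are assumptions, as is the use of the `javax.servlet` API.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/** Added example: redirect to a caller-supplied path after login, but only if it is site-local. */
public class LocalRedirectSuccessHandler implements AuthenticationSuccessHandler {

    // Hypothetical parameter name; the login form must post it back, e.g. as a hidden field.
    static final String TARGET_PARAM = "destination";
    static final String DEFAULT_TARGET = "/";

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException {
        // Assumption: the parameter holds a path relative to the webapp context.
        String target = safeLocalPath(request.getParameter(TARGET_PARAM));
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + target));
    }

    /** Returns the candidate if it is a plain absolute path on this site, else the default. */
    static String safeLocalPath(String candidate) {
        if (candidate == null || !candidate.startsWith("/")
                || candidate.startsWith("//")          // scheme-relative URL to another host
                || candidate.indexOf('\\') >= 0) {     // some browsers treat "\" as "/"
            return DEFAULT_TARGET;
        }
        for (int i = 0; i < candidate.length(); i++) {
            if (Character.isISOControl(candidate.charAt(i))) {
                return DEFAULT_TARGET;                 // CR/LF or other control characters
            }
        }
        try {
            URI uri = new URI(candidate);
            // A site-local target has neither a scheme nor an authority component.
            if (uri.isAbsolute() || uri.getRawAuthority() != null) {
                return DEFAULT_TARGET;
            }
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;                     // unparseable input is never followed
        }
        return candidate;
    }
}
```

Register it as the form login's success handler (`authentication-success-handler-ref` in XML configuration or `successHandler(...)` in Java configuration).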


Woonsan Ko

Feb 22, 2018, 9:43:16 AM
to hippo-c...@googlegroups.com
On Thu, Feb 22, 2018 at 6:21 AM, Roman <mdac.co...@gmail.com> wrote:
> Hi
>
> Thanks for the quick answer. Yes I am using [2].
>
> I tried changing the mount formloginpage and that indeed does what I need. However, I see some issues with redirection after successful authentication: when the authentication and redirection to the custom login form is handled fully by Spring Security, the redirection after login works, as Spring keeps the original request URI in the session.
> However, in the case that the login is enforced by HST, my custom login form is now used, but of course afterwards Spring does not know the original request URI and just redirects to the default URI.

Regarding the redirection handling after Spring-Security driven login page, I guess you can find some insights from here:

Regards,

Woonsan

> Honestly, I am not sure if in practice it will be a big use case to use Spring Security for securing and still use authentication rules on the HST sitemap... but still it would be good to know if it's feasible (including the correct redirect afterwards).
>
> So would it maybe be possible to overwrite the functionality that actually initiates the login form redirect (and uses that formloginpage property on the mount)? Then we could maybe hook in and add the redirect URI as a request parameter; for an SSO this normally works like that as well.

