I have a Grails application that uses the Grails Spring Security 2.0.RC-5 plugin. Let's say I have 2 tabs open. On the 1st one, I log out of the application. Then, on the 2nd one, I click a button that makes an AJAX call to the application.
Because I am logged out, the entry point will be `LoginController.authAjax`.
The default code generated by the plugin in this method is

```groovy
response.setHeader 'Location', SpringSecurityUtils.securityConfig.auth.ajaxLoginFormUrl
response.sendError HttpServletResponse.SC_UNAUTHORIZED
```
I get the 401 on my AJAX call and it's ok.
The problem is that now, if I go back to the login page and resubmit the login form, I get redirected to the method `LoginController.authAjax`.
The code in this method is

```groovy
render([success: true, username: springSecurityService.authentication.name] as JSON)
```
This, in turn, does not redirect me to the dashboard page in the application but renders

```json
{"success":true,"username":"user1"}
```
Obviously, this is not the intended behaviour. How do I fix this? Thank You
This is the default behaviour of the Spring Security Core plugin: when you are logged out and try to access a protected URL, it stores that URL in the session and redirects you back to the same URL after a successful login, so that users don't have to manually go to the originally requested page.
If you want to permanently disable this behaviour, you can specify the following configuration in your `Config.groovy`:

```groovy
grails.plugin.springsecurity.successHandler.alwaysUseDefault = true
```
See it here: http://grails-plugins.github.io/grails-spring-security-core/guide/urlProperties.html
But if you want to disable this conditionally, you can also do this by clearing that session variable as I mentioned above.
In your `authAjax` action:

```groovy
def authAjax() {
    if (request.xhr) { // For any AJAX request or any condition you want
        // Drop the saved request so the next login does not redirect back to it
        session["SPRING_SECURITY_SAVED_REQUEST"] = null
    }
}
```
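
A related way to get the same effect, as an added example that is not part of the original answer or the plugin's own code: keep AJAX requests out of the saved-request cache in the first place by giving Spring Security's `HttpSessionRequestCache` a request matcher that rejects XHR calls. It assumes the plugin's cache bean is named `requestCache` and can be overridden in `resources.groovy`, and that the Spring Security version in use has `RequestMatcher` in the `org.springframework.security.web.util.matcher` package (3.2 or later).

```groovy
// grails-app/conf/spring/resources.groovy
import javax.servlet.http.HttpServletRequest
import org.springframework.security.web.savedrequest.HttpSessionRequestCache
import org.springframework.security.web.util.matcher.RequestMatcher

beans = {
    // Assumption: a bean named 'requestCache' defined here replaces the
    // cache the plugin wires into its filters.
    requestCache(HttpSessionRequestCache) {
        // saveRequest() only stores a request in the session when this
        // matcher returns true, so XHR calls never become the post-login
        // redirect target. The header test mirrors what request.xhr checks.
        requestMatcher = { HttpServletRequest req ->
            !'XMLHttpRequest'.equalsIgnoreCase(req.getHeader('X-Requested-With'))
        } as RequestMatcher
    }
}
```

With this in place, a normal page request made while logged out is still saved and restored after login; only AJAX requests are skipped.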