My Grails app uses the Spring Security plugin. Whenever a user successfully logs in I want to:
- store something in the session
- redirect them to a custom page (depending on their role)
I need to handle logout events similarly, which was pretty straightforward because the plugin provides a bean named logoutSuccessHandler that can be overridden. I was hoping to similarly find a bean named loginSuccessHandler, but no such luck.
I read the page in the plugin's docs about event handling, but neither of the event handling mechanisms appears to give me access to the current request or session.
If you want to do some stuff upon successful login, you can listen to InteractiveAuthenticationSuccessEvent:

```groovy
import org.springframework.context.ApplicationListener
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent

class AuthenticationSuccessEventListener implements
        ApplicationListener<InteractiveAuthenticationSuccessEvent> {

    @Override
    public void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
        // ... do some stuff here
    }
}
```

And then register AuthenticationSuccessEventListener as a Spring bean in resources.groovy. You can do whatever you want here; however, you won't be able to do a redirect from the listener.
Here's another similar question
Add a config parameter:
```groovy
grails.plugins.springsecurity.successHandler.defaultTargetUrl = '/myLogin/handleSuccessLogin'
```

Then add your custom login-handling in the action that handles this URL:

```groovy
class MyLoginController {

    def springSecurityService

    def handleSuccessLogin() {
        session.foo = 'bar'

        if (springSecurityService.currentUser.username == 'bob') {
            redirect action: 'bobLogin'
        } else {
            redirect action: 'defaultLogin'
        }
    }

    def bobLogin() {
        // bob's login handler
    }

    def defaultLogin() {
        // default login handler
    }
}
```
I recently used this in a project for logging in. It's kind of a hack but works for me. I'm using version 1.2.7.3 of the plugin.

```groovy
def auth() {
    def config = SpringSecurityUtils.securityConfig

    if (springSecurityService.isLoggedIn()) {
        def user = User.get(principal.id)
        def roles = user.getAuthorities()
        def admin_role = Role.findByAuthority("ROLE_ADMIN")

        // this user is not admin
        if (!roles.contains(admin_role)) {
            // perform redirect to appropriate page
        }
        redirect uri: config.successHandler.defaultTargetUrl
        //log.info(getPrincipal().username + "logged in at :"+new Date())
        return
    }

    String view = 'auth'
    String postUrl = "${request.contextPath}${config.apf.filterProcessesUrl}"
    render view: view, model: [postUrl: postUrl,
                               rememberMeParameter: config.rememberMe.parameter]
}
```
For logging out I used a Logout controller, performed some action before redirecting to the logout handler:

```groovy
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils

class LogoutController {

    /**
     * Index action. Redirects to the Spring security logout uri.
     */
    def index = {
        // perform some action here
        redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl
    }
}
```
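An added example, not taken from any of the answers above or from the plugin's own code: a Spring Security `AuthenticationSuccessHandler` receives the request directly, so it can write to the session and choose a redirect by role in one place. The class name, the landing URLs and the `foo` attribute are hypothetical, and the example assumes the plugin resolves its success handler from a bean named `authenticationSuccessHandler`.

```groovy
// File 1: src/groovy/RoleBasedSuccessHandler.groovy (hypothetical class name)
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

import org.springframework.security.core.Authentication
import org.springframework.security.web.DefaultRedirectStrategy
import org.springframework.security.web.RedirectStrategy
import org.springframework.security.web.authentication.AuthenticationSuccessHandler

class RoleBasedSuccessHandler implements AuthenticationSuccessHandler {

    // Fixed role -> landing page map (constructed sample values).
    // Insertion order decides precedence when a user holds several roles.
    // Targets come only from this map, never from request parameters,
    // so the post-login redirect always stays on known application pages.
    Map<String, String> targetsByRole = [
        ROLE_ADMIN: '/admin/index',
        ROLE_USER : '/home/index'
    ]
    String defaultTarget = '/'

    RedirectStrategy redirectStrategy = new DefaultRedirectStrategy()

    @Override
    void onAuthenticationSuccess(HttpServletRequest request,
                                 HttpServletResponse response,
                                 Authentication authentication) {
        // The handler runs in the filter chain, so request and session are available.
        request.getSession(true).setAttribute('foo', 'bar')

        // Collect the role names granted to the user who just logged in.
        Set<String> granted = authentication.authorities*.authority as Set

        // First configured role the user holds wins; otherwise use the default page.
        String target = targetsByRole.find { role, url -> role in granted }?.value ?: defaultTarget

        redirectStrategy.sendRedirect(request, response, target)
    }
}

// File 2: grails-app/conf/spring/resources.groovy
// Assumption: defining a bean under this name replaces the plugin's default handler.
beans = {
    authenticationSuccessHandler(RoleBasedSuccessHandler)
}
```

Replacing the default handler this way also drops its saved-request behaviour, so users are always sent to their role's landing page rather than to the URL they originally requested.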
Source: https://stackoverflow.com/questions/20764580/handle-successful-login-event-with-spring-security