Spring security redirects to last requested page after login session timeout

Tags: spring, spring-mvc, spring-security

I have implemented Spring Security for login to my web portal. It works fine except for one issue. I have set the session timeout to 5 min. Once the timeout happens and the user clicks any URL, it gets redirected to the logout page.
But when the user re-authenticates, the user directly lands on the last accessed page instead of the home page, which is the default target URL.

Spring security file is as below:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http auto-config="true">
        <intercept-url pattern="/index.jsp" access="ROLE_ADMIN,ROLE_USER" />
        <intercept-url pattern="/home.html" access="ROLE_ADMIN,ROLE_USER" />
        <intercept-url pattern="/mdm/accessToken.html" access="ROLE_USER" />
        <intercept-url pattern="/mdm/enroll.html" access="ROLE_USER" />
        <intercept-url pattern="/mdm/installApp.html" access="ROLE_USER" />
        <intercept-url pattern="/mdm/checkStatus.html" access="ROLE_USER" />
        <intercept-url pattern="/mdm/searchDevice.html" access="ROLE_USER" />
        <intercept-url pattern="/admin/*" access="ROLE_ADMIN" />
        <intercept-url pattern="/account/*" access="ROLE_ADMIN" />
        <intercept-url pattern="/user/*" access="ROLE_USER" />

        <form-login login-page="/login.html" default-target-url="/home.html"
                    authentication-failure-url="/loginfailed.html" />
        <logout logout-url="/logout.html" logout-success-url="/logoutSuccess.html" invalidate-session="true" />
        <anonymous username="guest" granted-authority="ROLE_GUEST" />
        <!-- The http element allows a single session-management element, so the
             invalid-session-url attribute and the concurrency-control child are
             combined here instead of being declared twice. -->
        <session-management invalid-session-url="/logout.html">
            <concurrency-control max-sessions="1" />
        </session-management>
    </http>

    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="select USER as username, password, 'true' as enabled from TBL_USER_MASTER where user=?"
                authorities-by-username-query="select um.USER as username, rm.ROLE_NAME as authorities from TBL_USER_MASTER um, TBL_ROLE_MASTER rm
                    where um.USER=? and um.role_id=rm.role_id" />
            <password-encoder hash="md5"/>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

Best Answer

Add the always-use-default-target attribute to your form-login tag.

<form-login always-use-default-target="true" />

If set to true, the user will always start at the value given by default-target-url, regardless of how they arrived at the login page. Maps to the alwaysUseDefaultTargetUrl property of UsernamePasswordAuthenticationFilter. Default value is false.
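The attribute has to be merged into the one form-login element the asker already has, not added as a second form-login. Below is an added example (not from the question or the answer) of that element in context, with the session-management consolidated into a single element, as the 3.0 schema requires; the URLs are the asker's own.

```xml
<!-- Added example: the accepted answer's attribute merged into the existing
     form-login element of the asker's configuration. -->
<http auto-config="true">
    <intercept-url pattern="/admin/*" access="ROLE_ADMIN" />
    <intercept-url pattern="/user/*" access="ROLE_USER" />

    <!-- Spring Security caches the protected URL that triggered the login and
         redirects there once authentication succeeds, which is why the user
         lands on the last requested page. always-use-default-target="true"
         makes the success handler discard that cached request and always send
         the user to default-target-url. -->
    <form-login login-page="/login.html"
                default-target-url="/home.html"
                authentication-failure-url="/loginfailed.html"
                always-use-default-target="true" />

    <logout logout-url="/logout.html"
            logout-success-url="/logoutSuccess.html"
            invalidate-session="true" />

    <!-- One session-management element: invalid-session-url is its attribute,
         concurrency-control is its child. -->
    <session-management invalid-session-url="/logout.html">
        <concurrency-control max-sessions="1" />
    </session-management>
</http>
```

Dropping the cached request also means a URL requested just before the timeout, such as one under /mdm/, is never replayed automatically after re-login; the user has to navigate to it again from /home.html.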
