Spring Security: Prevent User from Going Back to Login Page if Already logged in
- Written by Nam Ha Minh
- Last Updated on 30 October 2020
In this short Spring Security post, I would like to share with you a simple way to prevent a user from going back to the login page if he has already logged in to a web application based on Java Spring Boot.
A typical scenario is that a user has just logged in to the website and then unintentionally clicks the Back button in the browser (or types the /login URL). Spring Security doesn’t handle this situation, so we need to write a little extra code, e.g. redirecting the logged-in user to the homepage in case he accidentally visits the login page again.
Suppose that you configure Spring Security to use a custom login page at the /login URL in the Spring security configuration class as below:
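```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            ...
            .formLogin()
                .loginPage("/login")   // custom login page, served by our own controller
                .permitAll()
            ...
    }
}
```
And to prevent the user from going back to the login page if he has already logged in, you need to write a simple handler method for the /login URL in a Spring MVC controller as follows: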
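```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class AppController {

    @GetMapping("/login")
    public String showLoginForm(Model model) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // Not logged in: no Authentication at all, or only the anonymous token
        if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
            return "login";
        }
        // Already logged in: send the user to the homepage instead
        return "redirect:/";
    }
}
```
In this handler method, we get the Authentication object for the current request from the Spring Security context. If this object is null or is an instance of AnonymousAuthenticationToken, the user has not logged in, so the method returns the login page. Otherwise it redirects to the homepage. Clear and simple, right?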
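To check all three branches of this handler without starting the application, here is a JUnit 5 test that populates the security context by hand and calls the method directly. It is an added example, not code from the original post; the test class name, the `test-key` key, and the `alice` user are constructed, and the test is assumed to live in the same package as `AppController`.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;

import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.ui.ExtendedModelMap;

// Added example: exercises AppController.showLoginForm() from the tutorial above.
class AppControllerLoginTest {

    private final AppController controller = new AppController();

    @AfterEach
    void clearSecurityContext() {
        // The default holder strategy is thread-local; reset it so tests do not leak state.
        SecurityContextHolder.clearContext();
    }

    @Test
    void emptyContextGetsLoginForm() {
        // Nothing set in the context: getAuthentication() returns null.
        assertEquals("login", controller.showLoginForm(new ExtendedModelMap()));
    }

    @Test
    void anonymousTokenGetsLoginForm() {
        // The kind of token Spring Security's anonymous filter stores for a visitor
        // who has not logged in (key and principal are constructed values).
        SecurityContextHolder.getContext().setAuthentication(
                new AnonymousAuthenticationToken("test-key", "anonymousUser",
                        AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
        assertEquals("login", controller.showLoginForm(new ExtendedModelMap()));
    }

    @Test
    void loggedInUserIsRedirectedHome() {
        // The three-argument constructor produces an already-authenticated token.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("alice", "N/A",
                        AuthorityUtils.createAuthorityList("ROLE_USER")));
        assertEquals("redirect:/", controller.showLoginForm(new ExtendedModelMap()));
    }
}
```

The redirect target is the fixed string `/`, not a request parameter, so a test like this also pins down that the handler never redirects to a caller-supplied URL.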
Comments
Spring Security is supposed to handle that, but it doesn't actually when customizing the login page