Class AuthSuccessHandler

java.lang.Object
org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler
org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
com.alpaca.security.oauth2.AuthSuccessHandler
All Implemented Interfaces:
org.springframework.security.web.authentication.AuthenticationSuccessHandler

@Component public class AuthSuccessHandler extends org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
Authentication success handler for OAuth2 login flows.

Upon successful authentication, this handler issues a JWT access token and redirects the user's browser to a previously stored or default redirect URI. It ensures that only authorized redirect URIs are used to prevent open redirect vulnerabilities.

It also cleans up the related cookies used during the OAuth flow (authorization request and redirect URI cookies) via CookieAuthReqRepo.

  • Field Summary

    Fields
    Modifier and Type                 Field                     Description
    private final Set<URI>            authorizedRedirectUris
    private final JJwtManager         jwtManager
    private final CookieAuthReqRepo   repository

    Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler

    logger
  • Constructor Summary

    Constructors
    Constructor
    Description
    AuthSuccessHandler(JJwtManager jwtManager, CookieAuthReqRepo repository, List<URI> redirectUris)
    Constructs the handler with required dependencies and a list of authorized redirect URIs.
  • Method Summary

    Modifier and Type    Method    Description
    protected void       clearAuthenticationAttributes(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
                         Clears authentication-related cookies and attributes post-login.
    protected String     determineTargetUrl(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication auth)
    private boolean      isAuthorizedRedirectURI(URI clientUri)
                         Validates whether the given redirect URI is among the authorized list.
    void                 onAuthenticationSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authentication)

    Methods inherited from class org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler

    clearAuthenticationAttributes

    Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler

    determineTargetUrl, getDefaultTargetUrl, getRedirectStrategy, getTargetUrlParameter, handle, isAlwaysUseDefaultTargetUrl, setAlwaysUseDefaultTargetUrl, setDefaultTargetUrl, setRedirectStrategy, setTargetUrlParameter, setUseReferer

    Methods inherited from class java.lang.Object

    clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface org.springframework.security.web.authentication.AuthenticationSuccessHandler

    onAuthenticationSuccess
  • Field Details

    • jwtManager

      private final JJwtManager jwtManager
    • repository

      private final CookieAuthReqRepo repository
    • authorizedRedirectUris

      private final Set<URI> authorizedRedirectUris
  • Constructor Details

    • AuthSuccessHandler

      public AuthSuccessHandler(JJwtManager jwtManager, CookieAuthReqRepo repository, @Value("${app.oauth2AuthorizedRedirectURI}") @NonNull List<URI> redirectUris)
      Constructs the handler with required dependencies and a list of authorized redirect URIs.
      Parameters:
      jwtManager - JWT manager used to create tokens
      repository - cookie-based authorization request repository
      redirectUris - list of allowed redirect URIs (must not be null)
  • Method Details

    • onAuthenticationSuccess

      public void onAuthenticationSuccess(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authentication) throws IOException
      Specified by:
      onAuthenticationSuccess in interface org.springframework.security.web.authentication.AuthenticationSuccessHandler
      Overrides:
      onAuthenticationSuccess in class org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler
      Throws:
      IOException
    • determineTargetUrl

      protected String determineTargetUrl(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication auth)
      Overrides:
      determineTargetUrl in class org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler
    • clearAuthenticationAttributes

      protected void clearAuthenticationAttributes(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Clears authentication-related cookies and attributes post-login.
      Parameters:
      request - the current HTTP request
      response - the current HTTP response
    • isAuthorizedRedirectURI

      private boolean isAuthorizedRedirectURI(URI clientUri)
      Validates whether the given redirect URI is among the authorized list. Only the host component is compared, which leaves the path free to vary; scheme and port are not part of the comparison.
      Parameters:
      clientUri - the URI requested for redirection
      Returns:
      true if the host matches any authorized redirect URI; false otherwise
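
As an added illustration (not the project's own code), the following Java sketch models the host-only comparison that isAuthorizedRedirectURI is documented to perform, next to a hypothetical stricter variant that also compares scheme and effective port. The class name, method names and allow-list entries are constructed for the example.

```java
import java.net.URI;
import java.util.List;
import java.util.Set;

// Added example, not the project's own code. Models the host-only check that
// isAuthorizedRedirectURI is documented to perform, plus a stricter variant
// (hypothetical) that also compares scheme and effective port.
public final class RedirectUriCheckDemo {

    // Constructed sample allow-list, standing in for the List<URI> the constructor receives.
    static final Set<URI> AUTHORIZED = Set.of(
            URI.create("https://app.example.com/oauth2/redirect"),
            URI.create("http://localhost:3000/oauth2/redirect"));

    // Host-only match, as the page describes: path, scheme and port are ignored.
    static boolean hostOnlyMatch(URI clientUri) {
        if (clientUri.getHost() == null) return false; // relative or opaque URI has no host
        return AUTHORIZED.stream()
                .anyMatch(a -> a.getHost().equalsIgnoreCase(clientUri.getHost()));
    }

    // Stricter variant (assumption): scheme, host and effective port must all match.
    static boolean originMatch(URI clientUri) {
        if (clientUri.getHost() == null || clientUri.getScheme() == null) return false;
        return AUTHORIZED.stream().anyMatch(a ->
                a.getScheme().equalsIgnoreCase(clientUri.getScheme())
                && a.getHost().equalsIgnoreCase(clientUri.getHost())
                && effectivePort(a) == effectivePort(clientUri));
    }

    // Resolve default ports so "https://h" and "https://h:443" compare equal.
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        List<URI> probes = List.of(
                URI.create("https://app.example.com/other/path"),        // hostOnly true, origin true
                URI.create("http://app.example.com/oauth2/redirect"),    // hostOnly true, origin false (scheme)
                URI.create("https://app.example.com:8443/x"),            // hostOnly true, origin false (port)
                URI.create("https://other.example.net/oauth2/redirect"), // both false (host)
                URI.create("/oauth2/redirect"));                         // relative: both false
        for (URI p : probes) {
            System.out.printf("%-48s hostOnly=%-5b origin=%b%n", p, hostOnlyMatch(p), originMatch(p));
        }
    }
}
```

The probe list shows which requests the documented host-only rule accepts that the stricter rule would reject, which is the difference an operator should weigh when populating app.oauth2AuthorizedRedirectURI.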