Custom post-login redirection logic

[ccidral]

My app has a non-trivial authorization scheme, it's not super complex but it's not as simple as a one user, many roles scheme, instead I have organizations in addition to users and roles, so that a user might have roles in different organization. There are also different types of organization, which brings us to my problem: once the user authentication is performed successfully, I need to check which organization types the user belongs to, e.g. if some of the organizations the user belongs to is of type A, I need to redirect the user to /orgs/main, otherwise redirect it to /orgs/others. How can I accomplish that? I tried it with ContainerResponseFilter but it doesn't call filter() when the authentication form request is handled. I noticed filter() does get called for any other requests though.

By the way, my app is server-side rendered with Qute and I'm using this form to submit the user login request:

<form action="/j_security_check" method="post">
    <input type="hidden" name="{inject:csrf.parameterName}" value="{inject:csrf.token}"
    <label>Username</label>
    <input type="text" placeholder="Username" name="j_username" required>
    <label>Password</label>
    <input type="password" placeholder="Password" name="j_password" required>
    <button type="submit">Login</button>
</form>

application.properties:

# authentication
quarkus.http.auth.form.enabled=true
quarkus.http.auth.form.login-page=/login

# jdbc security
quarkus.security.jdbc.enabled=true
quarkus.security.jdbc.principal-query.sql=select u.password, rt.code as role from user_account u join user_role ur on u.id = ur.user_account_id join role_type rt on ur.role_type_id = rt.id where u.email = ?
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.enabled=true 
quarkus.security.jdbc.principal-query.bcrypt-password-mapper.password-index=1
quarkus.security.jdbc.principal-query.attribute-mappings.0.index=2 
quarkus.security.jdbc.principal-query.attribute-mappings.0.to=groups

My ContainerResponseFilter:

@Provider
@Priority(1000)
public class CustomAuthenticationFilter implements ContainerResponseFilter {
    @Inject
    SecurityIdentity securityIdentity;

    @Override
    public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) {
        System.out.println(">>> CustomAuthenticationFilter.filter");
        if (requestContext.getUriInfo().getPath().equals("j_security_check")) {
            for (var role : securityIdentity.getRoles()) {
                System.out.println("Role: " + role);
            }
        }
    }
}

[sberyozkin]

Can running it in the @PreMatching phase work ?

[ccidral]

throw new AuthenticationRedirectException(location) instead of ending the response directly there, @ccidral, if you'd like, try to experiment with it

Thanks @sberyozkin I'll give it a try.

By the way, is ContainerResponseFilter the only (or best) way to customize form-based authentication post-login redirection?

[sberyozkin]

@ccidral I'm not sure it can work at all for intercepting Quarkus security responses, though @michalvavrik may think differently. If the suggested plan above works then you'd use ExceptionMapper<AuthenticationRedirectException> to modify the response

[michalvavrik]

Sorry that I am late to the party. So IIUC you want to redirect on auth success based on the SecurityIdentity roles? You literally need redirect. In that case I'd suggest that you need a custom redirect, so:

quarkus.http.auth.form.landing-page=

and that CustomAuthenticationFilter filter of ours should be enough, no matter whether it is proactive auth or not.

However, my preferred solution would be:

public class MyBean {
void init(@Observes Router router) {
        // you might need to tweak priority, go to the left (lesser values)
        router.route().order(-99).handler(routingContext -> {
            if (routingContext.user() != null && routingContext.user() instanceof QuarkusHttpUser quarkusUser) {
                if (quarkusUser.getSecurityIdentity().hasRole("to-redirect")) {
                    routingContext.redirect("my-url");
                } else {
                    routingContext.next();
                }
            } else {
                routingContext.next();
            }
        });
    }
}

However, you have several options. For example you can do this https://quarkus.io/guides/security-customization#httpauthenticationmechanism-customization for the io.quarkus.vertx.http.runtime.security.FormAuthenticationMechanism. You can do this:

@Alternative
@Priority(1)
@ApplicationScoped
public class CustomAuthenticationMechanism implements HttpAuthenticationMechanism{

    @Inject
    FormAuthenticationMechanism formAuthenticationMechanism;

    @Override
    public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) {
        return formAuthenticationMechanism.authenticate(context, identityProviderManager)
                .flatMap(identity -> {
                    if (identity.hasRole("to-redirect")) {
                        return redirect(context);
                    }
                    return Uni.createFrom().item(identity);
                });
    }
    
    private Uni<SecurityIdentity> redirect(RoutingContext exchange) {
        return Uni.createFrom().emitter(uniEmitter -> exchange
                .request()
                .endHandler(event -> exchange.redirect("my-url")
                        .onComplete(voidAsyncResult -> {
                            uniEmitter.complete(null);

                            // not sure when the next line should be put, 
                            // maybe put it before the redirect or experiment
                            exchange.request().resume();
                        })));
    }

I didn't try any of them, I suggest that you try it out and report back. We will figure it out together. Maybe provide a reproducer.

[ccidral]

@michalvavrik Thank you for the suggestions, I appreciate that. I'm leaning towards a simpler solution like this:

# application.properties

quarkus.http.auth.form.landing-page=/landing

@Path("/landing")
public class LandingController {
    @Inject
    SecurityIdentity securityIdentity;

    @GET
    @Path("/")
    @Authenticated
    public Response land() {
        if (securityIdentity.getRoles().contains("system.manager")) {
            return Response.seeOther(URI.create("/admin")).build();
        }

        return Response.seeOther(URI.create("/")).build();
    }
}

With the caveat that it has an extra redirection step but I can live with that for the moment.

[michalvavrik]

Sure, I think that's alright.