Spring JavaConfig form login with anchors

Question

My single-page web application uses anchors to represent state in the address bar of the browser, such as:

http://localhost:8080/webapp/index.html#/item/123

This makes this state bookmark-able. But users that aren't authenticated will be redirected to Spring Security's login form, then authenticated, then redirected to the original page as follows:

http://localhost:8080/webapp/index.html

That is not what I want, as it just lost the #anchor , and thus the bookmark.

I have not been able to find a solution, nor do I think I totally grasp the inner workings of Spring Security that contribute to this unwanted behavior.

I think following is the gist of my security configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
    .authorizeRequests()
        .antMatchers(UNSECURED_RESOURCES).anonymous()
        .anyRequest().hasRole(KnownRole.USER.name())

    .and().formLogin()
        .loginPage("/backend/authentication/login.htm")
        .defaultSuccessUrl("/frontend/app/index.html")
        .permitAll()

    .and().logout()
        .logoutUrl("/logout")
        .logoutSuccessHandler(logoutSuccessHandler()).permitAll()

    .and().httpBasic()

    .and().addFilter(concurrentSessionFilter())
        .addFilter(usernamePasswordAuthenticationFilter())
        .sessionManagement().sessionAuthenticationStrategy(sessionAuthenticationStrategy());

Spring 4.0.4.RELEASE, Spring Security 3.2.3-RELEASE.

Your help much appreciated.

Answer 1

I've chosen to implement this using the following example code . It took me a while to understand that the anchors apparently are a client-side concern. I had seen this solution before I asked the question here, but at the time I didn't want to buy into that this needed to be dealt with client-side, with some Javascript. The solution works well, pretty much verbatim as shown on the above link (although I've slightly rewritten it to my own likings).