spring security stay on single url at login
here is my case.
When a user first lands on the site, they are pointed to the login page (let's say http://ex.com/), and when they successfully log in, they see the other page with the same URL (http://ex.com/).
But when they open the site in another tab (http://ex.com) they are pointed back to the login page.
How do I implement this case in my site with Spring Security?
It's easy to do with a conventional servlet. I just need to have 2 methods (doGet for showing the login page, and doPost for authenticating the user; if it's valid it calls another view).
Here is my configuration:
<security:http auto-config="true">
    <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:form-login login-page="/login"
        login-processing-url="/loginProcess"
        default-target-url="/login"
        authentication-failure-url="/login?login_error=1" />
    <security:logout logout-url="/logout" logout-success-url="/logoutSuccess" />
</security:http>
** Edited (remove unrelated answer)
It appears you need to add a concurrent session management using Spring Security. See the following link: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html
You can inject the SessionRegistry and see if the principal is already logged in. If he is, call expireNow().
Or you can implement a filter on or before the SessionManagementFilter in the FilterChainProxy:
The SessionManagementFilter checks the contents of the SecurityContextRepository against the current contents of the SecurityContextHolder to determine whether a user has been authenticated during the current request, typically by a non-interactive authentication mechanism, such as pre-authentication or remember-me [19]. If the repository contains a security context, the filter does nothing. If it doesn't, and the thread-local SecurityContext contains a (non-anonymous) Authentication object, the filter assumes they have been authenticated by a previous filter in the stack. It will then invoke the configured SessionAuthenticationStrategy. - http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html
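The SessionRegistry check this answer describes, written out as an added example (it is not code from the answer or from Spring Security itself). It assumes the `<security:concurrency-control>` element inside `<security:session-management>` carries `session-registry-alias="sessionRegistry"` so the registry is an injectable bean, and that `HttpSessionEventPublisher` is registered as a listener in web.xml so destroyed sessions leave the registry; the class and method names are hypothetical.

```java
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.stereotype.Component;

/**
 * Hypothetical helper: looks up a principal in the SessionRegistry and
 * expires every session it holds other than the one that just authenticated.
 * Call it after a successful login, e.g. from an AuthenticationSuccessHandler.
 */
@Component
public class SingleSessionEnforcer {

    @Autowired
    private SessionRegistry sessionRegistry; // exposed via session-registry-alias (assumed)

    /** True when the principal already has at least one live session besides currentSessionId. */
    public boolean isLoggedInElsewhere(Object principal, String currentSessionId) {
        // false = do not include sessions that are already marked expired
        for (SessionInformation info : sessionRegistry.getAllSessions(principal, false)) {
            if (!info.getSessionId().equals(currentSessionId)) {
                return true;
            }
        }
        return false;
    }

    /** Marks all other sessions of this principal expired; returns how many were expired. */
    public int expireOtherSessions(Object principal, String currentSessionId) {
        int expired = 0;
        List<SessionInformation> sessions = sessionRegistry.getAllSessions(principal, false);
        for (SessionInformation info : sessions) {
            if (!info.getSessionId().equals(currentSessionId)) {
                // ConcurrentSessionFilter will invalidate the session on its next request
                info.expireNow();
                expired++;
            }
        }
        return expired;
    }
}
```

Note that with `max-sessions="1"` and the default `error-if-maximum-exceeded="false"`, Spring Security's ConcurrentSessionControlStrategy already expires the oldest session on a new login, so this bean is only needed if you want to drive that decision yourself.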
I think your configuration has a problem:
<security:http auto-config="true">
    <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:form-login login-page="/login"
        login-processing-url="/loginProcess"
        default-target-url="<home-page-url. ex: /home>"
        authentication-failure-url="/login?login_error=1" />
    <security:logout logout-url="/logout" logout-success-url="/logoutSuccess" />
</security:http>
The default-target-url should point to the default page to which the application has to redirect after a successful login.
EDITED
After going through the requirement posted again, I think the approach is to make the controller handling the /login request handle both cases:
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class AppsController {

    @RequestMapping("/login")
    public ModelAndView view(HttpServletRequest request,
            HttpServletResponse response) {
        // The security context is populated by the filter chain before the controller runs
        Authentication authentication = SecurityContextHolder.getContext()
                .getAuthentication();
        // An anonymous Authentication carries a String principal, so the instanceof
        // check leaves user == null for unauthenticated visitors
        User user = authentication != null
                && authentication.getPrincipal() instanceof User ? (User) authentication
                .getPrincipal() : null;
        return user == null ? getLoginModelAndView() : getHomeModelAndView();
    }

    private ModelAndView getHomeModelAndView() {
        // View name assumed; the original answer left this stub returning null
        return new ModelAndView("home");
    }

    private ModelAndView getLoginModelAndView() {
        // View name assumed; the original answer left this stub returning null
        return new ModelAndView("login");
    }
}
If there is no authenticated user present in the session the controller will return the login page, but once the user is logged in it will return a different page.
Spring Security will cache the logged-in user in the user's session, and it can be retrieved using the SecurityContextHolder.