Add support for native htmx redirects in Spring Security

[lcnicolau]

Htmx provides a special way to send a redirect instruction to the client, keeping a success code (200) and sending a custom HTTP header from the server (HX-Location / HX-Redirect). Htmx correctly interprets these headers and follows the redirect, replacing the response in the page body.

You can take advantage of this behavior by integrating the HxLocationRedirectAuthenticationFailureHandler, HxLocationRedirectAuthenticationSuccessHandler, HxLocationRedirectLogoutSuccessHandler, HxLocationRedirectAuthenticationEntryPoint and/or HxLocationRedirectAccessDeniedHandler into the SecurityFilterChain bean definition.

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    // probably some other configurations here
    return http
            .formLogin(login -> login
                    .failureHandler(new HxLocationRedirectAuthenticationFailureHandler("/login?failure"))
                    .successHandler(new HxLocationRedirectAuthenticationSuccessHandler("/home?login"))
            ).logout(logout -> logout
                    .logoutSuccessHandler(new HxLocationRedirectLogoutSuccessHandler("/home?logout"))
            ).exceptionHandling(handler -> handler
                    .authenticationEntryPoint(new HxLocationRedirectAuthenticationEntryPoint("/login?unauthorized"))
                    .accessDeniedHandler(new HxLocationRedirectAccessDeniedHandler("/error?forbidden"))
            ).build();
}

For detailed information and a usage example, see:
https://github.com/lcnicolau/cs50-todo-list?tab=readme-ov-file#htmx-redirect-pattern

[wimdeblauwe]

Thank you for your contribution. I will look into more detail later, but what I am already missing is an update to the README to explain how to use the classes. I don't know if it would be possible to add some tests as well ?

[lcnicolau]

Hi @xhaggi
I made the requested changes and left a couple of comments in the revisions. Could you please take another look?

[wimdeblauwe]

@lcnicolau Could tests be added?

[lcnicolau]

Hi @wimdeblauwe
Added 100% test coverage for the security package, including the existing HxRefreshHeaderAuthenticationEntryPoint class.

[wimdeblauwe]

There is indeed 100% test coverage, but it is mocking everything. I would rather see @WebMvcTest based tests for these things. I believe that would provide more value.

[lcnicolau]

Thanks @wimdeblauwe
I added the new @WebMvcTest based tests. Should I remove the original mocked tests, or would you prefer to keep both?

[wimdeblauwe]

No, you can remove the mocked tests.

[lcnicolau]

No, you can remove the mocked tests.

@wimdeblauwe done.

[xhaggi]

@lcnicolau please squash all your commits into the first one.