根据Spring Security 3.1中的角色确定目标URL [英] determine target url based on roles in spring security 3.1

问题描述

在Spring Security 3.0中，我们有一个AuthenticationProcessingFilter类，其中使用了determineTargetUrl()方法，该方法根据不同的角色返回了url.

In spring security 3.0, we are having AuthenticationProcessingFilter class, in which we were using determineTargetUrl() method, which returned the url based on different roles.

现在，我们正在转向Spring Security 3.1.0.RC3，由于新版本中删除了AuthenticationProcessingFilter类，因此我现在应该如何确定基于不同角色的url.任何人都可以通过一些代码简要地介绍我的步骤，以便我可以实现自定义过滤器，以重定向到具有不同角色的不同页面.

Now, we are moving to spring security 3.1.0.RC3 and I am stuck how should I now determine the url based on different roles as AuthenticationProcessingFilter class has been removed from new version. Can anyone please give me steps in brief with some code so that I can implement custom filter to redirect to different pages for different roles.

推荐答案

根据角色确定目标URL的最佳方法是在Spring Security配置中指定目标URL，如下所示.这将在Spring 3.0或3.1中起作用

The best way to determine the target url based upon roles is to specify a target url in your Spring Security configuration as shown below. This will work in Spring 3.0 or 3.1

<http>
    ... 
    <form-login login-page="/login" default-target-url="/default"/>
</http>

然后创建一个处理default-target-url的控制器.控制器应根据侧滚来重定向或转发.以下是使用Spring MVC的示例，但是任何类型的控制器都可以使用(例如Struts，Servlet等).

Then create a controller that processes the default-target-url. The controller should redirect or forward based upon rolls. Below is an example of using Spring MVC, but any type of controller will work (i.e. Struts, a Servlet, etc).

@Controller
public class DefaultController {
    @RequestMapping("/default")
    public String defaultAfterLogin(HttpServletRequest request) {
        if (request.isUserInRole("ROLE_ADMIN")) {
            return "redirect:/users/sessions";
        }
        return "redirect:/messages/inbox";
    }
}

此方法的优点是它不与任何特定的Security实现耦合，不与任何特定的MVC实现耦合，并且可以与Spring Security命名空间配置一起轻松使用.完整的示例可以在我今年在SpringOne上提出的 SecureMail 项目中找到.

The advantages to this approach are it is not coupled to any specific implementation of Security, it is not coupled to any specific MVC implementation, and it works easily with Spring Security namespace configuration. A full example can be found in the SecureMail project I presented at SpringOne this year.

另一种选择是，您可以创建自定义

An alternative is that you could create a custom AuthenticationSuccessHandler. The implementation might extend SavedRequestAwareAuthenticationSuccessHandler which is the default AuthenticationSuccessHandler. it could then be wired using the namespace as shown below.

<sec:http>
    <sec:form-login authentication-success-handler-ref="authSuccessHandler"/>
</sec:http>
<bean:bean class="example.MyCustomAuthenticationSuccessHandler"/>

我不建议您这样做，因为它与Spring Security API有关，最好在可能的情况下避免这种情况.

I would not recommend doing this as it is tied to Spring Security API's and it is better to avoid that when possible.

这篇关于根据Spring Security 3.1中的角色确定目标URL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！