remember-me and authentication-success-handler

Question

I have a strange issue with login success and redirect to the page.

Below is my Spring Security configuration.

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login.hst**" access="anonymous or authenticated" />
    <intercept-url pattern="/**/*.hst" access="authenticated" />
    <form-login login-page="/login.hst"
        authentication-failure-url="/login.hst?error=true"
        authentication-success-handler-ref="loginSucessHandler" />
    <logout invalidate-session="true" logout-success-url="/home.hst"
        logout-url="/logout.hst" />
    <remember-me key="jbcpHaverERP" authentication-success-handler-ref="loginSucessHandler"/>
    <session-management>
        <concurrency-control max-sessions="1" />
    </session-management>
</http>

LoginSucessHandler class:

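import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Service;

@Service
public class LoginSucessHandler extends
        SavedRequestAwareAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws ServletException, IOException {
        // ...
        // Use the Referer header as the target when no saved request is found.
        super.setUseReferer(true);
        super.onAuthenticationSuccess(request, response, authentication);
    }

}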

Now the problem of redirecting to the requested page on success. If I directly refer to any secure URL, Spring redirects me to the login page and, on successful login, to the originally requested link. But this is not working in the case where the user had earlier selected remember-me, then closed the browser, and is now requesting a direct URL: he is properly authenticated, but instead of redirecting him to the requested page, Spring redirects to /. I have checked the log and some Spring source code and found it is not able to determine the target URL.

I have tried to set the referer, but the referer value is null. But one strange thing I have noticed is that in the Spring Security configuration, if I remove authentication-success-handler from the remember-me configuration, then it works.

    <remember-me key="jbcpHaverERP" authentication-success-handler-ref="loginSucessHandler"/>

I am not able to figure out the issue. Is the authentication-success-handler implementation required to be different for form login and remember-me?

Recommended answer

Remember-me differs from form-login in that authentication occurs during the actual request the user makes. For form-login, the user must first be redirected to the login page, submit the login form and after that they are redirected to the original target (which is usually cached in the session). So form-login requires a redirect, whereas remember-me doesn't. With a remember-me request, the user can be authenticated, and the request allowed to proceed without any intervention.

The primary purpose of an AuthenticationSuccessHandler is to control the navigation flow after authentication, so you wouldn't normally use one with remember-me at all. Using SavedRequestAwareAuthenticationSuccessHandler isn't a good idea, as there won't be a saved request available. If there is no saved request, then by default it will perform a redirect to "/" as you have observed.

If all you want is to add some functionality during a remember-me login, then you can implement the AuthenticationSuccessHandler interface directly without performing a redirect or a forward. As I explained above, you can't use the same implementation for form-login, since the current request is the submission of the login form (usually to the URL j_spring_security_check), and not a request to a URL within your application. So you need a redirect for form-login.
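
An added example, not part of the original answer: a different way to run extra logic on a remember-me login is to leave `<remember-me>` without a success handler, so the request proceeds to the URL that was asked for, and listen for the `InteractiveAuthenticationSuccessEvent` that Spring Security's authentication filters publish. The class name `RememberMeLoginAuditor`, the logger name and the audit logic are hypothetical, and the listener is assumed to be registered in the same application context as the security configuration.

```java
import java.util.logging.Logger;

import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.stereotype.Component;

/*
 * Wiring assumed by this example: form-login keeps its handler, remember-me has none.
 *
 *   <form-login login-page="/login.hst"
 *       authentication-failure-url="/login.hst?error=true"
 *       authentication-success-handler-ref="loginSucessHandler" />
 *   <remember-me key="jbcpHaverERP" />
 */
@Component
public class RememberMeLoginAuditor // hypothetical name
        implements ApplicationListener<InteractiveAuthenticationSuccessEvent> {

    private static final Logger AUDIT = Logger.getLogger("security.audit");

    @Override
    public void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
        Authentication auth = event.getAuthentication();
        // Form logins publish the same event; act only on cookie-based logins.
        if (!(auth instanceof RememberMeAuthenticationToken)) {
            return;
        }
        String remoteAddress = "unknown";
        if (auth.getDetails() instanceof WebAuthenticationDetails) {
            remoteAddress = ((WebAuthenticationDetails) auth.getDetails()).getRemoteAddress();
        }
        // Nothing is written to the response, so navigation is left untouched.
        AUDIT.info("remember-me login user=" + clean(auth.getName())
                + " remote=" + clean(remoteAddress));
    }

    // Replace control characters so a crafted user name cannot forge log lines.
    static String clean(String value) {
        return value == null ? "" : value.replaceAll("\\p{Cntrl}", "_");
    }
}
```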
