Spring Security JSF在成功完全登录后不会重定向 [英] Spring security jsf not redirecting after successsfull login
问题描述
我看到过这样的问题,但是我没有看到针对我的特定问题的答案.
I have seen questions like this, but I have not seen an answer for my specific question.
我正在使用Spring Security 2.1和jsf 2.1.我有一个自定义的jsf登录控件,该控件已开发用于处理来自xhtml文件的登录.
I am using spring security 2.1 and jsf 2.1. I have a custom jsf login controler that I develop to handle login from xhtml file.
这是登录方法:
public String login() throws ServletException, IOException {
ExternalContext context = FacesContext.getCurrentInstance()
.getExternalContext();
RequestDispatcher dispatcher = ((ServletRequest) context.getRequest())
.getRequestDispatcher("/j_spring_security_check");
dispatcher.forward((ServletRequest) context.getRequest(),
(ServletResponse) context.getResponse());
FacesContext.getCurrentInstance().responseComplete();
Exception e = (Exception) FacesContext.getCurrentInstance().
getExternalContext().getSessionMap().get(WebAttributes.AUTHENTICATION_EXCEPTION);
// It's OK to return null here because Faces is just going to exit.
return null;
}
我从另一篇文章中提取了示例代码.
I pulled the example code from another post.
这是我的弹簧配置:
<http use-expressions="true" auto-config="true">
<!-- <intercept-url pattern="/signin.xhtml" access="permitAll" /> -->
<intercept-url pattern="/internal/private/**" access="hasRole('USER')" />
<!-- <intercept-url pattern="/scheduling/internal/private/**" access="hasAnyRole('ADMIN','USER')"
/> -->
<!--<intercept-url pattern="/javax.faces.resource/**" access="permitAll"/>
<intercept-url pattern="/**" access="permitAll" /> -->
<form-login default-target-url="/internal/private/landing.xhtml"
login-page="/signin.xhtml" />
</http>
您会看到我的默认目标URL是"/internal/private/landing.xhtml".我已打开调试功能,可以看到身份验证已通过,但从未重定向到默认页面.
As you can see my default target URL is "/internal/private/landing.xhtml". I have debug turned on and can see that authentication has passed, but is never redirected to default page.
以下是日志中的片段,其中显示了来自Spring的重定向调用:
Here is a snipped from the log that shows redirection call from Spring:
08:58:03,701 DEBUG [org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy] (http-localhost-127.0.0.1-8080-2) Invalidating session with Id 'qPg2MdmRgSpTcV6CVT7cb-9M.undefined' and migrating attributes.
08:58:03,703 DEBUG [org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy] (http-localhost-127.0.0.1-8080-2) Started new session: GFoQyvUtbd+lmZiNw0QKRrI-.undefined
08:58:03,705 DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] (http-localhost-127.0.0.1-8080-2) Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d9fa0ad7: Principal: org.springframework.security.core.userdetails.User@da682271: Username: roland.jones; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: qPg2MdmRgSpTcV6CVT7cb-9M.undefined; Granted Authorities: ADMIN, USER
08:58:03,714 DEBUG [org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler] (http-localhost-127.0.0.1-8080-2) Using default Url: /internal/private/landing.html
08:58:03,716 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] (http-localhost-127.0.0.1-8080-2) Redirecting to '/scheduling/internal/private/landing.html'
08:58:03,718 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http-localhost-127.0.0.1-8080-2) SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@d9fa0ad7: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d9fa0ad7: Principal: org.springframework.security.core.userdetails.User@da682271: Username: roland.jones; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: qPg2MdmRgSpTcV6CVT7cb-9M.undefined; Granted Authorities: ADMIN, USER'
08:58:03,727 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http-localhost-127.0.0.1-8080-2) SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@d9fa0ad7: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d9fa0ad7: Principal: org.springframework.security.core.userdetails.User@da682271: Username: roland.jones; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: qPg2MdmRgSpTcV6CVT7cb-9M.undefined; Granted Authorities: ADMIN, USER'
08:58:05,156 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] (http-localhost-127.0.0.1-8080-2) Chain processed normally
尝试登录后,如果我在地址中键入默认URL,则不会出现任何问题,因此我知道身份验证已通过.
After I try to login, if I type in the default URL in the address it goes there no problem, so I know authentication passed.
请帮助.谢谢!
推荐答案
In Spring Security 3.x, you can achieve it using an authentication handler, which allows you writing your custom servlet code to manage a successful authentication. I know you are using Spring Security 2 but if upgrading is an option you can consider it.
我首先声明访问权限的登录表单,并将其提供给每个用户.从Appart来看,我保留了其他网址的限制:
I firstly declare the login form for the access and make it available for every user. Appart from that, I leave the rest of the urls restricted:
<http use-expressions="true">
<intercept-url pattern="/login**" access="permitAll()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login login-page="/login" default-target-url="/home"
always-use-default-target="false"
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-handler-ref="authenticationFailureHandler" />
<logout logout-success-url="/login" invalidate-session="true" />
</http>
注意,我声明了两个身份验证处理程序,分别是成功和失败.之后,我实现了自己的SystemAuthenticationSuccessHandler
,这使我能够在成功完成身份验证后执行servlet代码:
Notice I declare two authentication handlers, the success and the failure ones. After that, I have my own SystemAuthenticationSuccessHandler
implemented, which provides me the capability of executing servlet code once the authentication is successfully done:
<beans:bean id="authenticationSuccessHandler"
class="com.mycompany.security.SystemAuthenticationSuccessHandler" />
如果验证成功,我可以执行重定向:
With that I'm able to perform a redirection if the authentication is successfully permormed:
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
public class SystemAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest req,
HttpServletResponse res, Authentication auth)
throws IOException, ServletException {
res.sendRedirect(req.getContextPath() + "/home");
}
}
这篇关于Spring Security JSF在成功完全登录后不会重定向的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!