尽管成功，Spring Security OAuth2 登录重定向到错误页面 [英] Spring Security OAuth2 login redirect to error page despite being successful

问题描述

为了不泄露机密信息，提供者将被替换为$PROVIDER.

授权有效，但不是将我重定向到索引，而是将我重定向到 /error.

重现步骤

1. 启动应用程序
2. 转到任何页面，它会将我重定向到 http://localhost/oauth_login，其中显示链接 login.
3. 点击链接login(链接到http://localhost/oauth2/authorization/$PROVIDER)
4. 重定向到 http://localhost/error

错误页面显示以下内容(我对其进行了格式化以提高可读性):

<预><代码>{"时间戳":"2018-04-05T14:18:47.720+0000",状态":999，"错误":"无","message":"无可用消息"}

这显然与默认白标错误页面上显示的参数相同，所以实际上，唯一的问题是它是 JSON 格式，除了是一个 HTML 页面.如果我刷新 http://localhost/error 之后，它会向我显示正常的白标错误页面.

现在这就是奇怪的地方，如果我在重定向到错误页面后尝试导航到 http://localhost/，我已经通过身份验证(用户数据在那里，所以授权成功).基本上，问题是我被重定向到 http://localhost/error 而不是 http://localhost/.

因为它功能齐全(除了重定向)，我不会发布整个安全配置，而是将其限制为相关代码:

安全配置

@Overrideprotected void configure(HttpSecurity httpSecurity) 抛出异常 {http安全.csrf().disable().authorizeRequests().anyRequest().认证().和().oauth2Login().loginPage("/oauth_login").defaultSuccessUrl("/").failureUrl("/oauth_login").permitAll().和().登出().logoutUrl("/注销").logoutSuccessUrl("/oauth_login").permitAll();}

相关属性

spring.security.oauth2.client.registration.$PROVIDER.redirectUriTemplate=http://localhost/login/oauth2/code/$PROVIDER

相关信息

• 在网站上通过身份验证后，我可以导航、刷新页面，做任何我想做的事情(直到我退出).

TL;DR 授权有效但重定向到 /error 而不是 /.

解决方案

我实际上找到了我自己问题的答案，但我还是决定发布它，以防有人遇到同样的问题.

.defaultSuccessUrl("/")

应该是

.defaultSuccessUrl("/", true)

如果你不把它设置为true，它会自动将用户重定向到上一个请求，在我的例子中，最后一个请求是到url /error，这解释了我的问题.

通过将其设置为 true，您可以强制用户重定向到您的 defaultSuccessUrl 是什么.

通过查看日志，您实际上可以看到它:

2018-04-05 11:04:09 DEBUG [-nio-80-exec-10] RequestAwareAuthenticationSuccessHandler :重定向到 DefaultSavedRequest Url:http://localhost/error2018-04-05 11:04:09 调试 [-nio-80-exec-10] o.s.security.web.DefaultRedirectStrategy:重定向到http://localhost/error"

As to not reveal confidential information, the provider will be replaced by $PROVIDER.

The authorization works, but instead of redirecting me to the index, it redirects me to /error.

Steps to reproduce

1. Start the application
2. Go on any page, it will redirect me to http://localhost/oauth_login which displays a link login.
3. Click on the link login (which links to http://localhost/oauth2/authorization/$PROVIDER)
4. Get redirected to http://localhost/error

The error page displays the following (I formatted it for readability):

{
    "timestamp":"2018-04-05T14:18:47.720+0000", 
    "status":999, 
    "error":"None", 
    "message":"No message available"
}

This is obviously the same parameters shown on the default Whitelabel Error Page, so really, the only problem is that it's in JSON except of being an HTML page. If I refresh http://localhost/error after, it shows me the normal Whitelabel Error Page.

Now this is where it gets weird, if I try to navigate to http://localhost/ after having been redirected to the error page, I am authenticated (the user data is there, so the authorization was successful). Basically, the issue is that I am redirected to http://localhost/error instead of http://localhost/.

Because it is fully functional (aside from the redirection), I will not post the whole security configuration, but I will instead limit it to relevant code:

SecurityConfiguration

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            .csrf().disable()
            .authorizeRequests().anyRequest()
                .authenticated()
            .and()
                .oauth2Login()
            .loginPage("/oauth_login")
                .defaultSuccessUrl("/")
                .failureUrl("/oauth_login")
                .permitAll()
            .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/oauth_login").permitAll()
    ;
}

Relevant properties

spring.security.oauth2.client.registration.$PROVIDER.redirectUriTemplate=http://localhost/login/oauth2/code/$PROVIDER

Relevant information

• Once I am authenticated on the website, I can navigate, refresh the page, do whatever I wish (until I log out).

TL;DR Authorization works but redirected to /error instead of /.

解决方案

I actually found the answer to my own question, but I decided to post it anyways in case somebody runs into the same issue.

.defaultSuccessUrl("/")

should have been

.defaultSuccessUrl("/", true)

If you don't set it to true, it will automatically redirect the user to the last previous request, and in my case, the last request is made to the url /error, which explains my problem.

By setting it to true, you force the user to be redirected to whatever your defaultSuccessUrl is.

By looking at the logs, you can actually see it:

2018-04-05 11:04:09 DEBUG [-nio-80-exec-10] RequestAwareAuthenticationSuccessHandler : Redirecting to DefaultSavedRequest Url: http://localhost/error
2018-04-05 11:04:09 DEBUG [-nio-80-exec-10] o.s.security.web.DefaultRedirectStrategy : Redirecting to 'http://localhost/error'

这篇关于尽管成功，Spring Security OAuth2 登录重定向到错误页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！