尽管成功,Spring Security OAuth2 登录重定向到错误页面 [英] Spring Security OAuth2 login redirect to error page despite being successful
问题描述
为了不泄露机密信息,提供者将被替换为$PROVIDER
.
授权有效,但不是将我重定向到索引,而是将我重定向到 /error
.
重现步骤
- 启动应用程序
- 转到任何页面,它会将我重定向到
http://localhost/oauth_login
,其中显示链接login
. - 点击链接
login
(链接到http://localhost/oauth2/authorization/$PROVIDER
) - 重定向到
http://localhost/error
错误页面显示以下内容(我对其进行了格式化以提高可读性):
<预><代码>{"时间戳":"2018-04-05T14:18:47.720+0000",状态":999,"错误":"无","message":"无可用消息"}这显然与默认白标错误页面上显示的参数相同,所以实际上,唯一的问题是它是 JSON 格式,除了是一个 HTML 页面.如果我刷新 http://localhost/error
之后,它会向我显示正常的白标错误页面.
现在这就是奇怪的地方,如果我在重定向到错误页面后尝试导航到 http://localhost/
,我已经通过身份验证(用户数据在那里,所以授权成功).基本上,问题是我被重定向到 http://localhost/error
而不是 http://localhost/
.
因为它功能齐全(除了重定向),我不会发布整个安全配置,而是将其限制为相关代码:
安全配置
@Overrideprotected void configure(HttpSecurity httpSecurity) 抛出异常 {http安全.csrf().disable().authorizeRequests().anyRequest().认证().和().oauth2Login().loginPage("/oauth_login").defaultSuccessUrl("/").failureUrl("/oauth_login").permitAll().和().登出().logoutUrl("/注销").logoutSuccessUrl("/oauth_login").permitAll();}
相关属性
spring.security.oauth2.client.registration.$PROVIDER.redirectUriTemplate=http://localhost/login/oauth2/code/$PROVIDER
相关信息
- 在网站上通过身份验证后,我可以导航、刷新页面,做任何我想做的事情(直到我退出).
TL;DR 授权有效但重定向到 /error
而不是 /
.
我实际上找到了我自己问题的答案,但我还是决定发布它,以防有人遇到同样的问题.
.defaultSuccessUrl("/")
应该是
.defaultSuccessUrl("/", true)
如果你不把它设置为true
,它会自动将用户重定向到上一个请求,在我的例子中,最后一个请求是到url /error
,这解释了我的问题.
通过将其设置为 true
,您可以强制用户重定向到您的 defaultSuccessUrl
是什么.
通过查看日志,您实际上可以看到它:
2018-04-05 11:04:09 DEBUG [-nio-80-exec-10] RequestAwareAuthenticationSuccessHandler :重定向到 DefaultSavedRequest Url:http://localhost/error2018-04-05 11:04:09 调试 [-nio-80-exec-10] o.s.security.web.DefaultRedirectStrategy:重定向到http://localhost/error"
As to not reveal confidential information, the provider will be replaced by $PROVIDER
.
The authorization works, but instead of redirecting me to the index, it redirects me to /error
.
Steps to reproduce
- Start the application
- Go on any page, it will redirect me to
http://localhost/oauth_login
which displays a linklogin
. - Click on the link
login
(which links tohttp://localhost/oauth2/authorization/$PROVIDER
) - Get redirected to
http://localhost/error
The error page displays the following (I formatted it for readability):
{
"timestamp":"2018-04-05T14:18:47.720+0000",
"status":999,
"error":"None",
"message":"No message available"
}
This is obviously the same parameters shown on the default Whitelabel Error Page, so really, the only problem is that it's in JSON except of being an HTML page. If I refresh http://localhost/error
after, it shows me the normal Whitelabel Error Page.
Now this is where it gets weird, if I try to navigate to http://localhost/
after having been redirected to the error page, I am authenticated (the user data is there, so the authorization was successful). Basically, the issue is that I am redirected to http://localhost/error
instead of http://localhost/
.
Because it is fully functional (aside from the redirection), I will not post the whole security configuration, but I will instead limit it to relevant code:
SecurityConfiguration
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.csrf().disable()
.authorizeRequests().anyRequest()
.authenticated()
.and()
.oauth2Login()
.loginPage("/oauth_login")
.defaultSuccessUrl("/")
.failureUrl("/oauth_login")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/oauth_login").permitAll()
;
}
Relevant properties
spring.security.oauth2.client.registration.$PROVIDER.redirectUriTemplate=http://localhost/login/oauth2/code/$PROVIDER
Relevant information
- Once I am authenticated on the website, I can navigate, refresh the page, do whatever I wish (until I log out).
TL;DR Authorization works but redirected to /error
instead of /
.
I actually found the answer to my own question, but I decided to post it anyways in case somebody runs into the same issue.
.defaultSuccessUrl("/")
should have been
.defaultSuccessUrl("/", true)
If you don't set it to true
, it will automatically redirect the user to the last previous request, and in my case, the last request is made to the url /error
, which explains my problem.
By setting it to true
, you force the user to be redirected to whatever your defaultSuccessUrl
is.
By looking at the logs, you can actually see it:
2018-04-05 11:04:09 DEBUG [-nio-80-exec-10] RequestAwareAuthenticationSuccessHandler : Redirecting to DefaultSavedRequest Url: http://localhost/error
2018-04-05 11:04:09 DEBUG [-nio-80-exec-10] o.s.security.web.DefaultRedirectStrategy : Redirecting to 'http://localhost/error'
这篇关于尽管成功,Spring Security OAuth2 登录重定向到错误页面的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!