Spring Security custom authentication failure handler redirect with parameter

Question

I have a problem with Spring Security authentication failure handler redirect with parameter.

In the security configuration, when I use

failureUrl("/login.html?error=true")

it works. But when I use a custom authentication failure handler (as shown below), it always returns: url/login.html

getRedirectStrategy().sendRedirect(request, response, "/login.html?error=true");

or

response.sendRedirect(request.getContextPath() + "/login.html?error=true");

I don't know what's wrong. Why does it not show the parameter ?error=true?

Info: I am using Spring + JSF + Hibernate + Spring Security
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login.html")
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .loginProcessingUrl("/j_spring_security_check")
            .failureHandler(customAuthenticationFailureHandler) // .failureUrl("/login.html?error=true") //.successHandler(authSuccsessHandler)
            .defaultSuccessUrl("/dashboard.html")
            .permitAll()
            .and()
        .logout()
            .invalidateHttpSession(true)
            .logoutSuccessUrl("/")
            .permitAll()
            .and()
        .exceptionHandling()
            .accessDeniedPage("/access.html")
            .and()
        .headers()
            .defaultsDisabled()
            .frameOptions()
                .sameOrigin()
            .cacheControl();
    http
        .csrf().disable();
}
This is the custom authentication failure handler:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthFailureHandler extends SimpleUrlAuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception) throws IOException, ServletException {
        // Redirect back to the login page with an error parameter
        getRedirectStrategy().sendRedirect(request, response, "/login.html?error=true");
    }
}
I will change the parameter for some cases.
Answer
You didn't allow anonymous access to the URL /login.html?error=true, so you are redirected to the login page (/login.html).
AbstractAuthenticationFilterConfigurer#permitAll allows access (for anyone) to the failure URL, but not for a custom failure handler:

    Ensures the urls for failureUrl(String) as well as for the HttpSecurityBuilder, the getLoginPage() and getLoginProcessingUrl() are granted access to any user.
You have to allow access explicitly with AbstractRequestMatcherRegistry#antMatchers:

    Maps a List of AntPathRequestMatcher instances that do not care which HttpMethod is used.

and ExpressionUrlAuthorizationConfigurer.AuthorizedUrl#permitAll:

    Specify that URLs are allowed by anyone.
You don't have to allow the exact URL /login.html?error=true, because AntPathRequestMatcher ignores the query string:

    Matcher which compares a pre-defined ant-style pattern against the URL (servletPath + pathInfo) of an HttpServletRequest. The query string of the URL is ignored and matching is case-insensitive or case-sensitive depending on the arguments passed into the constructor.

Your modified configuration:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/login.html").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login.html")
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .loginProcessingUrl("/j_spring_security_check")
            .failureHandler(customAuthenticationFailureHandler) // .failureUrl("/login.html?error=true") //.successHandler(authSuccsessHandler)
            .defaultSuccessUrl("/dashboard.html")
            .permitAll()
            .and()
        .logout()
            .invalidateHttpSession(true)
            .logoutSuccessUrl("/")
            .permitAll()
            .and()
        .exceptionHandling()
            .accessDeniedPage("/access.html")
            .and()
        .headers()
            .defaultsDisabled()
            .frameOptions()
                .sameOrigin()
            .cacheControl();
    http
        .csrf().disable();
}
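The asker also wanted to vary the parameter for some cases. The handler below is an added example, not the asker's or answerer's code: it extends SimpleUrlAuthenticationFailureHandler, picks a short error code per failure type, builds the redirect target with UriComponentsBuilder so the value is URL-encoded, and keeps the path at /login.html so the antMatchers("/login.html").permitAll() rule from the answer still matches whatever the query string is. The class name CaseSpecificAuthFailureHandler is hypothetical, and the javax.servlet imports assume the Spring Security 4-era API used in the question (use jakarta.servlet on Spring Security 6).

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * Added example (hypothetical class name): redirects to the permitted login page
 * with a different "error" query parameter depending on why authentication failed.
 * The path stays "/login.html", so antMatchers("/login.html").permitAll() keeps
 * matching because AntPathRequestMatcher ignores the query string.
 */
@Component
public class CaseSpecificAuthFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    static final String LOGIN_PATH = "/login.html";

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        // Keep the exception in the session (SimpleUrlAuthenticationFailureHandler does this
        // by default) so the login page can still render a message if it wants to.
        saveException(request, exception);
        // Use the configured redirect strategy so the servlet context path is prepended.
        getRedirectStrategy().sendRedirect(request, response, redirectTargetFor(exception));
    }

    /** Maps the failure type to a short code; no username or exception text goes into the URL. */
    static String errorCodeFor(AuthenticationException exception) {
        if (exception instanceof LockedException) {
            return "locked";
        }
        if (exception instanceof DisabledException) {
            return "disabled";
        }
        if (exception instanceof AccountExpiredException) {
            return "expired";
        }
        if (exception instanceof CredentialsExpiredException) {
            return "credentials-expired";
        }
        // BadCredentialsException and anything else: the generic code from the question
        return "true";
    }

    /** Builds "/login.html?error=<code>" with the query value URL-encoded. */
    static String redirectTargetFor(AuthenticationException exception) {
        return UriComponentsBuilder.fromPath(LOGIN_PATH)
                .queryParam("error", errorCodeFor(exception))
                .build()
                .encode()
                .toUriString();
    }
}
```

Wire it in with .failureHandler(caseSpecificAuthFailureHandler) (injected as a bean, as the question does with customAuthenticationFailureHandler) and keep .antMatchers("/login.html").permitAll() in authorizeRequests(); without that rule every redirect target, regardless of query string, is intercepted and sent back to the bare login page exactly as the question describes. Whether to expose distinct codes for locked or disabled accounts is a design choice: a distinct code tells the client that the account exists, so collapse them into the generic code if that distinction should not be visible to unauthenticated callers.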