Spring Security custom authentication failure handler redirect with parameter


Problem description

I have a problem with Spring Security authentication failure handler redirect with parameter.

In my security configuration, when I use

failureUrl("/login.html?error=true")

it works. But when I use custom authentication failure handler (as shown below), it always returns: url/login.html

getRedirectStrategy().sendRedirect(request, response, "/login.html?error=true");

response.sendRedirect(request.getContextPath() + "/login.html?error=true");

I don't know whats wrong. Why does it not show the parameter ?error=true?

Info: I am using Spring + JSF + Hibernate + Spring Security

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login.html")
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .loginProcessingUrl("/j_spring_security_check")
            .failureHandler(customAuthenticationFailureHandler) // .failureUrl("/login.html?error=true") // .successHandler(authSuccsessHandler)
            .defaultSuccessUrl("/dashboard.html")
            .permitAll()
            .and()
        .logout()
            .invalidateHttpSession(true)
            .logoutSuccessUrl("/")
            .permitAll()
            .and()
        .exceptionHandling()
            .accessDeniedPage("/access.html")
            .and()
        .headers()
            .defaultsDisabled()
            .frameOptions()
            .sameOrigin()
            .cacheControl();

    http
        .csrf().disable();
}

This is custom authentication failure handler:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        getRedirectStrategy().sendRedirect(request, response, "/login.html?error=true");
    }
}

I will change parameter for some cases.

Answer

You didn't allow anonymous access to URL /login.html?error=true, so you are redirected to the login page (/login.html).

AbstractAuthenticationFilterConfigurer#permitAll allows access (for anyone) to the failure URL, but not to the target of a custom failure handler:

Ensures the urls for failureUrl(String) as well as for the HttpSecurityBuilder, the getLoginPage() and getLoginProcessingUrl() are granted access to any user.

You have to allow access explicitly with AbstractRequestMatcherRegistry#antMatchers:

Maps a List of AntPathRequestMatcher instances that do not care which HttpMethod is used.

ExpressionUrlAuthorizationConfigurer.AuthorizedUrl#permitAll:

Specify that URLs are allowed by anyone.

You don't have to allow the exact URL /login.html?error=true, because AntPathRequestMatcher ignores the query string:

Matcher which compares a pre-defined ant-style pattern against the URL (servletPath + pathInfo) of an HttpServletRequest. The query string of the URL is ignored and matching is case-insensitive or case-sensitive depending on the arguments passed into the constructor.

Your modified configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
        .authorizeRequests()
            .antMatchers("/login.html").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login.html")
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .loginProcessingUrl("/j_spring_security_check")
            .failureHandler(customAuthenticationFailureHandler) // .failureUrl("/login.html?error=true") // .successHandler(authSuccsessHandler)
            .defaultSuccessUrl("/dashboard.html")
            .permitAll()
            .and()
        .logout()
            .invalidateHttpSession(true)
            .logoutSuccessUrl("/")
            .permitAll()
            .and()
        .exceptionHandling()
            .accessDeniedPage("/access.html")
            .and()
        .headers()
            .defaultsDisabled()
            .frameOptions()
            .sameOrigin()
            .cacheControl();

    http
        .csrf().disable();
}

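The asker also said the parameter would change "for some cases". The following is an added example (not code from the question or the answer) that carries the answer's fix through to that use: a failure handler that redirects to /login.html with a fixed error code chosen by exception type, and the matching configuration that opens /login.html to anonymous users. It assumes a WebSecurityConfigurerAdapter-based setup like the question's, a login view that reads the error query parameter, and illustrative class names (CodedAuthFailureHandler, SecurityConfig); the two classes would live in separate files.

```java
// Added example, not the question's or the answer's code. Assumes Spring Security 4/5 with
// WebSecurityConfigurerAdapter (as in the question); class names are illustrative.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;
import org.springframework.web.util.UriComponentsBuilder;

// File 1: the failure handler. The "error" value is a short fixed code, never the exception
// message: the message can reveal whether an account exists, and a redirect built from it would
// carry attacker-influenced text into the login URL.
@Component
public class CodedAuthFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    private static final String LOGIN_PAGE = "/login.html";

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        String code;
        if (exception instanceof LockedException) {
            code = "locked";
        } else if (exception instanceof DisabledException) {
            code = "disabled";
        } else if (exception instanceof BadCredentialsException) {
            code = "bad_credentials";
        } else {
            code = "true"; // same value the question's failureUrl used
        }

        // Store the exception under SPRING_SECURITY_LAST_EXCEPTION, as the failureUrl-based
        // handler does, so the view can still inspect it if it wants to.
        saveException(request, exception);

        // Encode the query parameter instead of concatenating strings. The default redirect
        // strategy prefixes the context path for a context-relative target like this one.
        String target = UriComponentsBuilder.fromPath(LOGIN_PAGE)
                .queryParam("error", code)
                .build()
                .toUriString();
        getRedirectStrategy().sendRedirect(request, response, target);
    }
}

// File 2: the configuration. formLogin().permitAll() only opens the login page, the processing
// URL and a failureUrl given to the DSL; it knows nothing about a custom handler's target, so
// the target is opened here. AntPathRequestMatcher ignores the query string, so the pattern
// "/login.html" also covers "/login.html?error=locked".
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final CodedAuthFailureHandler failureHandler;

    SecurityConfig(CodedAuthFailureHandler failureHandler) {
        this.failureHandler = failureHandler;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login.html").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.html")
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .loginProcessingUrl("/j_spring_security_check")
                .failureHandler(failureHandler)
                .defaultSuccessUrl("/dashboard.html")
                .permitAll();
        // CSRF protection is left at its default (enabled). The question's config disabled it;
        // that is not needed for the redirect to work.
    }
}
```

The login view should treat the error value as a lookup key for a message (for example a small map from "locked" to localized text), not render it verbatim. With this configuration an anonymous request to /login.html?error=bad_credentials is matched by the antMatchers rule and reaches the page instead of being bounced back to the plain login URL.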