春季安全"前锋:"指令不能转发登录表单 [英] Spring security "forward:" directive can't forward to login form
问题描述
在用户创建自己的账号,我要登录该用户自动打开。
我有标准形式登录由泉过滤处理的 / postlogin 。如果我去的http://本地主机/ postlogin 它试图登录我的(失败了,因为我不包括POST参数),但进行适当的尝试<。 / p>
但是,如果我要登录编程的用户,我尝试从控制器返回:前进:/ postlogin我得到404
我承担着:指令不通过过滤器,因而没有得到由 UsernamePasswordAuthenticationFilter 处理。
如何手动诱发登录编程?我想这样做的用户创建一个新帐户后(他们应该立即登记完成后,登录到该帐户)。
我误读另一片指导,并意识到,处理这个正确的做法是:
1)手动设置的身份验证令牌上SecurityContextHolder中
UsernamePasswordWithAttributesAuthenticationToken authenticationToken =新UsernamePasswordAuthenticationToken(loadUserByUsername(用户名),密码,主管部门);
。SecurityContextHolder.getContext()setAuthentication(authenticationToken);
2)的不的在这一点上呈现页面或者使用转发:指令。您必须使用重定向:指令
回归重定向:/ accountcreated
如果您呈现一个页面,页面会载入罚款,但会话对象将丢失,因为一个新的j_session_id将被创建,但不会使其对浏览器的中端请求,下一个请求将使用旧j_session_id,松动新的会话对象和放大器; authetication。
使用前进:指令将绕过身份验证筛选器,没有好
。但重定向:使更新后的会话信息,以使它的浏览器
After a user creates their account, I want to log that user on automatically.
I have standard form logins being handled by Springs filter on /postlogin. If I go to http://localhost/postlogin it attempts to log me in (fails because I didn't include the post parameters), but makes the proper attempt.
But if I want to log the user in programatically and I try to return from the controller: "forward:/postlogin" I get a 404.
I assume the forward: directive is not passing through the filters, thus not getting handled by the UsernamePasswordAuthenticationFilter.
How do I manually induce a login programatically? I want to do this after the user creates a new account (they should be logged into that account immediately upon completion of the registration).
I mis-read another piece of guidance and realized that the correct way of handling this is the following:
1) Manually set the Authentication token on SecurityContextHolder
UsernamePasswordWithAttributesAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken( loadUserByUsername(username), password, authorities );
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
2) Do Not render a page at this point or use the forward: directive. You must use the redirect: directive.
return "redirect:/accountcreated";
If you render a page the page will load fine, but the session object will be lost because a new j_session_id will be created but will not make it to the browser mid-request and the next request will use the old j_session_id, loosing the new session object & authetication.
Using the forward: directive will bypass the authentication filters, no good.
But redirect: causes the updated session information to make it to the browser.
这篇关于春季安全&QUOT;前锋:&QUOT;指令不能转发登录表单的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
