Spring Security 3.1允许用户签名并进入受限制的页面 [英] spring security 3.1 allow user to sign and proceed to restricted pages

问题描述

我正在使用Spring Security 3.1进行身份验证，并且登录工作正常.用户注册后，我希望用户无需登录即可进入受限制的页面.

I'm using Spring Security 3.1 for authentication and the login works fine. When a user signs up, I would like the user to proceed to the restricted pages without having to login.

在stackoverflow上有几个类似的问题，答案略有不同，我已经尝试过这些，但似乎对我没有任何帮助.这是我的安全配置:

There are several similar questions on stackoverflow with slightly different answers and I've tried these, but nothing seems to work for me. Here's my security configuration:

<http pattern="/resources/**" security="none" />       
<http pattern="/login" security="none" /> 
<http pattern="/user/forgotPassword" security="none" />
<http pattern="/user/createAccount" security="none" />
<http>
    <intercept-url pattern="/**" access="ROLE_USER" /> 
    <form-login login-page="/login" default-target-url="/defaultUrl"
        always-use-default-target="true"
        authentication-failure-url="/loginfailed" />
</http>

这是我的代码(在创建用户并将其添加到数据库之后):

And here's my code (after user has been created and added to the database):

UsernamePasswordAuthenticationToken upaToken = new UsernamePasswordAuthenticationToken(user.getName(), user.getPassword());
request.getSession();
upaToken.setDetails(new WebAuthenticationDetails(request));
Authentication auth = authenticationManager.authenticate(upaToken);
SecurityContextHolder.getContext().setAuthentication(upaToken);

return "redirect:<restricted-page>";

显示登录页面，而不是重定向到受限页面.我想念什么?

Instead of being redirected to the restricted page, the login page is displayed. What am I missing?

我也想避免调用该电话来验证用户身份.似乎没有必要，因为用户刚刚注册.但是删除它似乎并没有改变任何东西.

I would also like to avoid the call to authenticate the user. It seems unnecessary because the user has just signed up. But deleting it doesn't seem to change anything.

推荐答案

问题的根本原因是由于以下规则，/user/createAccount URL未被spring安全过滤器覆盖:

The root cause of the problem is that your /user/createAccount URL is not covered by spring security filters due to following rule:

<http pattern="/user/createAccount" security="none" />

Spring Security过滤器之一可以自动在请求之间保留SecurityContext.与其进行低级会话操作，不如为/user/createAccount启用过滤器链并允许任何用户访问此URL，将更好.您可以使用以下语法进行操作:

One of Spring Security filters can automatically keep SecurityContext between requests. Instead of doing low level session manipulation it will be better to enable filter chain for /user/createAccount and permit to any user visit this URL. You can do it using following syntax:

<http>
    <intercept-url pattern="/user/createAccount" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_USER" /> 
    ...
</http>

通常，最好为每个URL保留有效的spring安全过滤器链，并且不要手动重写其功能.

In general it is better to leave working spring security filter chain for each URL and do not rewrite their functionality by hands.

这篇关于Spring Security 3.1允许用户签名并进入受限制的页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！