根据 spring security 3.1 中的角色确定目标 url [英] determine target url based on roles in spring security 3.1

问题描述

在 spring security 3.0 中，我们有 AuthenticationProcessingFilter 类，在该类中我们使用了 determineTargetUrl() 方法，该方法根据不同的角色返回 url.

In spring security 3.0, we are having AuthenticationProcessingFilter class, in which we were using determineTargetUrl() method, which returned the url based on different roles.

现在，我们正在迁移到 spring security 3.1.0.RC3，我被困住了，我现在应该如何根据不同的角色确定 url，因为 AuthenticationProcessingFilter 类已从新版本中删除.任何人都可以给我一些代码的简要步骤，以便我可以实现自定义过滤器以重定向到不同角色的不同页面.

Now, we are moving to spring security 3.1.0.RC3 and I am stuck how should I now determine the url based on different roles as AuthenticationProcessingFilter class has been removed from new version. Can anyone please give me steps in brief with some code so that I can implement custom filter to redirect to different pages for different roles.

推荐答案

根据角色确定目标 url 的最佳方法是在 Spring Security 配置中指定目标 url，如下所示.这将适用于 Spring 3.0 或 3.1

The best way to determine the target url based upon roles is to specify a target url in your Spring Security configuration as shown below. This will work in Spring 3.0 or 3.1

<http>
    ... 
    <form-login login-page="/login" default-target-url="/default"/>
</http>

然后创建一个处理default-target-url的控制器.控制器应根据滚动重定向或转发.下面是一个使用 Spring MVC 的示例，但任何类型的控制器都可以工作(例如 Struts、Servlet 等).

Then create a controller that processes the default-target-url. The controller should redirect or forward based upon rolls. Below is an example of using Spring MVC, but any type of controller will work (i.e. Struts, a Servlet, etc).

@Controller
public class DefaultController {
    @RequestMapping("/default")
    public String defaultAfterLogin(HttpServletRequest request) {
        if (request.isUserInRole("ROLE_ADMIN")) {
            return "redirect:/users/sessions";
        }
        return "redirect:/messages/inbox";
    }
}

这种方法的优点是它不耦合到任何特定的 Security 实现，不耦合到任何特定的 MVC 实现，并且它可以轻松地与 Spring Security 命名空间配置一起使用.一个完整的例子可以在我今年在 SpringOne 上展示的 SecureMail 项目中找到.

The advantages to this approach are it is not coupled to any specific implementation of Security, it is not coupled to any specific MVC implementation, and it works easily with Spring Security namespace configuration. A full example can be found in the SecureMail project I presented at SpringOne this year.

另一种方法是您可以创建自定义 AuthenticationSuccessHandler.该实现可能会扩展 SavedRequestAwareAuthenticationSuccessHandler，它是默认的 AuthenticationSuccessHandler.然后可以使用命名空间连接它，如下所示.

An alternative is that you could create a custom AuthenticationSuccessHandler. The implementation might extend SavedRequestAwareAuthenticationSuccessHandler which is the default AuthenticationSuccessHandler. it could then be wired using the namespace as shown below.

<sec:http>
    <sec:form-login authentication-success-handler-ref="authSuccessHandler"/>
</sec:http>
<bean:bean class="example.MyCustomAuthenticationSuccessHandler"/>

我不建议这样做，因为它与 Spring Security API 相关，最好尽可能避免这种情况.

I would not recommend doing this as it is tied to Spring Security API's and it is better to avoid that when possible.

这篇关于根据 spring security 3.1 中的角色确定目标 url的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！