Spring Security redirection issue for already logged-in users


Problem description

While implementing Spring Security with my GWT-based web application, I found that everything is working fine as expected, except for the following:

I opened login.jsp and entered my valid user login credentials. After submitting, it successfully redirected to the home page. Now when I edit the URL in the address bar to login.jsp... surprisingly it allows me to open login.jsp, but as far as I understand, it should not allow going back to login.jsp until and unless I am logged in.

Maybe my security-context.xml file is not correctly configured.

Below is my security-application-context.xml

<?xml version="1.0" encoding="UTF-8"?>

<!-- - Sample namespace-based configuration - -->

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <global-method-security secured-annotations="enabled">
    </global-method-security>

    <!-- Custom form-login filter, slotted into the chain at the standard position -->
    <beans:bean id="customAuthenticationProcessingFilter"
        class="edu.authentication.CustomAuthenticationProcessingFilter">
        <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
        <beans:property name="defaultTargetUrl" value="/Home.html?gwt.codesvr=127.0.0.1:9997" />
        <beans:property name="authenticationFailureUrl" value="/login.jsp?login_error=1" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <beans:bean id="authenticationProcessingFilterEntryPoint"
        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <beans:property name="loginFormUrl" value="/login.jsp" />
        <beans:property name="forceHttps" value="false" />
    </beans:bean>

    <beans:bean id="customUserDetailsService"
        class="edu.authentication.CustomUserDetailsService">
        <beans:property name="urmService" ref="urmService" />
    </beans:bean>

    <http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">

        <!-- filters="none": requests for these URLs bypass the whole security filter chain,
             so no SecurityContext (not even the anonymous one) is populated while they render -->
        <intercept-url pattern="/login.jsp*" filters="none" />
        <intercept-url pattern="/forgot_password.jsp*" filters="none" />
        <intercept-url pattern="/forgotPasswordServlet.do*" filters="none" />

        <intercept-url pattern="/myApp/**" access="IS_AUTHENTICATED_FULLY" />
        <intercept-url pattern="/gwt/**" access="IS_AUTHENTICATED_FULLY" />
        <intercept-url pattern="/*.html" access="IS_AUTHENTICATED_FULLY" />

        <logout logout-url="/j_spring_security_logout"
            invalidate-session="true" logout-success-url="/login.jsp?loggedout=true" />
    </http>

    <authentication-manager alias="authenticationManager" />

    <authentication-provider user-service-ref="customUserDetailsService">
        <!-- unsalted MD5 is not a suitable password hash; kept here as posted -->
        <password-encoder hash="md5" />
    </authentication-provider>

</beans:beans>

Any help/suggestions would be highly appreciated.

Recommended answer

There is nothing built into Spring Security to prevent you from viewing the login page after logging in. You can block the login page from logged-in users by adding the following code to the top of your login page.

<%@ taglib prefix='sec' uri='http://www.springframework.org/security/tags' %>
<sec:authorize ifNotGranted="ROLE_ANONYMOUS">
  <%-- prefix the context path so the redirect works under any deployment path,
       and return so the rest of the login page is not rendered after the redirect --%>
  <% response.sendRedirect(request.getContextPath() + "/mainpage.jsp"); return; %>
</sec:authorize>

The logic is that if the user is not logged in, Spring Security will create an anonymous Authentication object for them and give them the role ROLE_ANONYMOUS. So you just check whether the user has that role, and if they don't, you can assume that they are logged in and redirect them to the main page of the application.
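As an added example (not code from the question or the answer above), here is the same "no ROLE_ANONYMOUS means logged in" test done once in a servlet Filter rather than in a JSP scriptlet, so the decision is unit-testable and applies to every login-related page without being pasted into each one. The Spring Security package names are those of the 2.0.x line, matching the spring-security-2.0.4.xsd in the question; the class name, the `/login.jsp` and `/Home.html` paths and the filter placement are assumptions.

```java
// Added example, not part of the original question or answer.
// Package mirrors the asker's edu.authentication classes (assumption).
package edu.authentication;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;

/**
 * Sends already-authenticated users away from the login page.
 * Must sit in the chain after the anonymous filter, so that an unauthenticated
 * request carries the ROLE_ANONYMOUS token the test below looks for.
 */
public class LoginPageRedirectFilter implements Filter {

    private static final String LOGIN_PAGE = "/login.jsp";   // assumed, matches loginFormUrl in the question
    private static final String HOME_PAGE  = "/Home.html";   // assumed, matches defaultTargetUrl minus the GWT dev-mode query

    /**
     * The decision the answer makes with ifNotGranted="ROLE_ANONYMOUS", as plain Java.
     * Returns false for no Authentication at all, for an anonymous token, and for any
     * principal that still carries ROLE_ANONYMOUS; true only for a real logged-in user.
     */
    static boolean isLoggedIn(Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        if (auth instanceof AnonymousAuthenticationToken) {
            return false;
        }
        GrantedAuthority[] authorities = auth.getAuthorities();   // 2.0.x returns an array
        if (authorities == null) {
            return false;
        }
        for (GrantedAuthority ga : authorities) {
            if ("ROLE_ANONYMOUS".equals(ga.getAuthority())) {
                return false;
            }
        }
        return true;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getServletPath() excludes the context path, so the match holds under any deployment path
        boolean onLoginPage = LOGIN_PAGE.equals(request.getServletPath());
        Authentication current = SecurityContextHolder.getContext().getAuthentication();

        if (onLoginPage && isLoggedIn(current)) {
            // Redirect within the context and stop the chain so login.jsp is never rendered
            response.sendRedirect(request.getContextPath() + HOME_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }
}
```

To wire it into the posted configuration, declare the bean the same way the custom authentication filter is declared and place it after the anonymous filter, for example `<beans:bean id="loginPageRedirectFilter" class="edu.authentication.LoginPageRedirectFilter"><custom-filter after="ANONYMOUS_FILTER"/></beans:bean>`. One caveat applies to both this filter and the `<sec:authorize>` approach: the question maps `/login.jsp*` with `filters="none"`, which skips the entire security filter chain for that URL, so no Authentication (not even the anonymous one) is in the SecurityContextHolder while the login page renders and neither check can see that the user is logged in. Let the login page pass through the chain instead, for instance with `access="IS_AUTHENTICATED_ANONYMOUSLY"`, which still permits unauthenticated visitors.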
