Spring Security redirection issue for already logged-in users


Problem description



While implementing Spring Security with my GWT-based web application, I found that everything is working fine as expected, except for the fact below:

I opened login.jsp and entered my valid user login credentials. After submitting, it successfully redirects to the home page. Now when I edit the URL to login.jsp in the address bar... surprisingly it allows me to open my login.jsp, but as far as I understand, it should not allow going back to login.jsp until & unless I am logged in.

Maybe my security-context.xml file is not correctly configured.

Below is my security-application-context.xml:

<?xml version="1.0" encoding="UTF-8"?>

<!-- - Sample namespace-based configuration - -->

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <global-method-security secured-annotations="enabled">
    </global-method-security>

    <beans:bean id="customAuthenticationProcessingFilter"
        class="edu.authentication.CustomAuthenticationProcessingFilter">
        <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
        <beans:property name="defaultTargetUrl" value="/Home.html?gwt.codesvr=127.0.0.1:9997" />
        <beans:property name="authenticationFailureUrl" value="/login.jsp?login_error=1" /> 
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <beans:bean id="authenticationProcessingFilterEntryPoint"
        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <beans:property name="loginFormUrl" value="/login.jsp" />
        <beans:property name="forceHttps" value="false" />
    </beans:bean>

    <beans:bean id="customUserDetailsService"
        class="edu.authentication.CustomUserDetailsService">
        <beans:property name="urmService" ref="urmService" />
    </beans:bean>

    <http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">

        <intercept-url pattern="/login.jsp*" filters="none" />
        <intercept-url pattern="/forgot_password.jsp*" filters="none" />
        <intercept-url pattern="/forgotPasswordServlet.do*" filters="none" />

        <intercept-url pattern="/myApp/**" access="IS_AUTHENTICATED_FULLY"/>
        <intercept-url pattern="/gwt/**" access="IS_AUTHENTICATED_FULLY"/>
        <intercept-url pattern="/*.html" access="IS_AUTHENTICATED_FULLY"/>

        <logout logout-url="/j_spring_security_logout"
                invalidate-session="true" logout-success-url="/login.jsp?loggedout=true"/>
    </http>

    <authentication-manager alias="authenticationManager" />

    <authentication-provider user-service-ref="customUserDetailsService">
        <password-encoder hash="md5" />
    </authentication-provider>

</beans:beans>

Any help/suggestions would be highly appreciated.

Solution

There is nothing built into Spring Security to prevent you from viewing the login page after logging in. You can block the login page from logged in users by adding the following code to the top of your login page.

<%@ taglib prefix='sec' uri='http://www.springframework.org/security/tags' %>
<sec:authorize ifNotGranted="ROLE_ANONYMOUS">
  <% response.sendRedirect("/mainpage.jsp"); %>
</sec:authorize>

The logic is that if the user is not logged in, Spring Security will create an anonymous Authentication object for them and provide them with the role of ROLE_ANONYMOUS. So you just check to see if the user has that role, and if they don't, you can assume that they are logged in and redirect them to the main page of the application.
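The same role check can be done in a servlet filter instead of a JSP scriptlet, which keeps the decision out of the view and makes it unit-testable. The class below is an added example, not code from the question or the answer; the package name, the `HOME_PATH` constant and the filter name are assumptions. It uses the Spring Security 2.0.x package names that match the asker's `spring-security-2.0.4.xsd` configuration (in 3.x the same classes live under `org.springframework.security.core` and `org.springframework.security.authentication`). One caveat for either approach: `filters="none"` on `/login.jsp*` makes the request bypass the Spring Security filter chain entirely, so nothing loads the saved security context for that URL and neither `<sec:authorize>` nor this filter can see the logged-in user. The example therefore assumes the login URL is instead kept inside the chain with `access="IS_AUTHENTICATED_ANONYMOUSLY"` and an `<anonymous/>` filter configured; that is an assumption about the asker's setup, not something the answer states.

```java
// Added example (not from the question or answer): a servlet Filter that sends
// already-authenticated users away from the login page.
package edu.authentication; // hypothetical package, chosen to match the asker's own classes

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;

public class LoginPageRedirectFilter implements Filter {

    // Where a logged-in user is sent instead of the login form, relative to the context path.
    // Assumed value; the asker's defaultTargetUrl points at /Home.html.
    private static final String HOME_PATH = "/Home.html";

    /** Decision logic kept separate from the servlet plumbing so it can be unit-tested. */
    static boolean isLoggedIn(Authentication auth) {
        // No Authentication at all: either nobody is logged in or the security filters did
        // not run for this request (e.g. filters="none"). We cannot tell, so do not redirect.
        if (auth == null) {
            return false;
        }
        // An anonymous token is what carries ROLE_ANONYMOUS; that is the "not logged in"
        // case the answer's <sec:authorize ifNotGranted="ROLE_ANONYMOUS"> tests for.
        if (auth instanceof AnonymousAuthenticationToken) {
            return false;
        }
        return auth.isAuthenticated();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (isLoggedIn(auth)) {
            // Redirect only to a fixed path inside our own context, never to a caller-supplied URL.
            response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + HOME_PATH));
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }
}
```

Map the filter to `/login.jsp` in web.xml and declare it after `springSecurityFilterChain`, so that `SecurityContextHolder` has already been populated from the session by the time it runs. Redirecting to a fixed, context-relative path rather than to anything taken from the request avoids turning the login page into an open redirect.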
