Spring Security：使用特殊的URL参数忽略登录页面 [英] Spring Security: Ignore login page by using a special URL parameter

问题描述

我目前的设置看起来像这样：

I currently have a setup that looks something like this:

spring-security.xml：

<http auto-config="true">
    <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-page="/login"
                default-target-url="/main.html"
                authentication-failure-url="/failedLogin"/>
    <logout logout-url="/logout.html" logout-success-url="/login" />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="foo" password="bar" authorities="ROLE_USER" />                
        </user-service>
    </authentication-provider>
</authentication-manager>

web.xml：

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

这一切似乎都按预期工作，但是，在特殊情况下，我希望绕过登录页面如果用户传入特殊令牌。所以目前，如果用户访问了诸如 / dog 之类的网址，他们将看到登录页面，如果他们传递了 foo /的凭据吧然后他们将登录并查看与 / dog 对应的页面。

This all seems to work as expected, however, in special situations I want the login page to be bypassed if the user passes in a special token. So currently, if the user goes to a url such as /dog, they will see the login page and if they pass in the credentials of foo/bar then they will be logged in and see the page corresponding to /dog.

我希望能够使用诸如 / dog？token = abcd 之类的URL，它将绕过登录界面并将它们直接带到 / dog 对应的页面。如果他们提供了无效令牌，那么他们只会看到拒绝访问的页面。

I want the ability to use a URL such as /dog?token=abcd which will bypass the login screen and take them directly to the page corresponding to /dog. If they provide an invalid token then they would just see an access denied page.

推荐答案

在Spring Security中，您要覆盖的场景参考手册中描述了章节预认证方案 。

In Spring Security the scenario you want to cover is described in reference manual, chapter Pre-Authentication Scenarios.

基本上你必须：

• 通过扩展 AbstractPreAuthenticatedProcessingFilter 或选择其中一个实现，


• 注册自定义过滤器< custom-filter position =PRE_AUTH_FILTERref =yourPreAuthFilter/> ，


• 实施或选择一个工具ed AuthenticationUserDetailsS​​ervice s，


• 在 PreAuthenticatedAuthenticationProvider 中注册服务（使用< property name =yourPreAuthenticatedUserDetailsS​​ervice> ）。

• create custom filter by extending AbstractPreAuthenticatedProcessingFilter or choosing one of its implementations,
• register custom filter <custom-filter position="PRE_AUTH_FILTER" ref="yourPreAuthFilter" />,
• implement or choose one of implemented AuthenticationUserDetailsServices,
• register the service in PreAuthenticatedAuthenticationProvider (with <property name="yourPreAuthenticatedUserDetailsService">).

编辑：在此答案中，OP展示了自己的实施方式 PRE_AUTH_FILTER 。

EDIT: In this answer OP shows his way of implementig custom PRE_AUTH_FILTER.

这篇关于Spring Security：使用特殊的URL参数忽略登录页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！