Spring Security:使用特殊的URL参数忽略登录页面 [英] Spring Security: Ignore login page by using a special URL parameter
问题描述
我目前的设置看起来像这样:
I currently have a setup that looks something like this:
spring-security.xml:
<http auto-config="true">
<intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login"
default-target-url="/main.html"
authentication-failure-url="/failedLogin"/>
<logout logout-url="/logout.html" logout-success-url="/login" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="foo" password="bar" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
这一切似乎都按预期工作,但是,在特殊情况下,我希望绕过登录页面如果用户传入特殊令牌。所以目前,如果用户访问了诸如 / dog
之类的网址,他们将看到登录页面,如果他们传递了 foo /的凭据吧
然后他们将登录并查看与 / dog
对应的页面。
This all seems to work as expected, however, in special situations I want the login page to be bypassed if the user passes in a special token. So currently, if the user goes to a url such as /dog
, they will see the login page and if they pass in the credentials of foo/bar
then they will be logged in and see the page corresponding to /dog
.
我希望能够使用诸如 / dog?token = abcd
之类的URL,它将绕过登录界面并将它们直接带到 / dog
对应的页面。如果他们提供了无效令牌,那么他们只会看到拒绝访问的页面。
I want the ability to use a URL such as /dog?token=abcd
which will bypass the login screen and take them directly to the page corresponding to /dog
. If they provide an invalid token then they would just see an access denied page.
推荐答案
在Spring Security中,您要覆盖的场景参考手册中描述了章节预认证方案 。
In Spring Security the scenario you want to cover is described in reference manual, chapter Pre-Authentication Scenarios.
基本上你必须:
- 通过扩展
AbstractPreAuthenticatedProcessingFilter
或选择其中一个实现, - 注册自定义过滤器
< custom-filter position =PRE_AUTH_FILTERref =yourPreAuthFilter/>
, - 实施或选择一个工具ed
AuthenticationUserDetailsService
s, - 在
PreAuthenticatedAuthenticationProvider
中注册服务(使用< property name =yourPreAuthenticatedUserDetailsService>
)。
- create custom filter by extending
AbstractPreAuthenticatedProcessingFilter
or choosing one of its implementations, - register custom filter
<custom-filter position="PRE_AUTH_FILTER" ref="yourPreAuthFilter" />
, - implement or choose one of implemented
AuthenticationUserDetailsService
s, - register the service in
PreAuthenticatedAuthenticationProvider
(with<property name="yourPreAuthenticatedUserDetailsService">
).
编辑:在此答案中,OP展示了自己的实施方式 PRE_AUTH_FILTER
。
EDIT: In this answer OP shows his way of implementig custom PRE_AUTH_FILTER
.
这篇关于Spring Security:使用特殊的URL参数忽略登录页面的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!