您的位置: 首页  >  技术问答  >  Spring Security自定义身份验证失败处理程序使用参数重定向

Spring Security自定义身份验证失败处理程序使用参数重定向

分类: 技术问答 2022-03-30 00:28:04

Spring Security自定义身份验证失败处理程序使用参数重定向

问题描述:

我在使用参数进行Spring Security身份验证失败处理程序重定向时遇到问题.

I have a problem with Spring Security authentication failure handler redirect with parameter.

在使用

failureUrl("/login.html?error=true")

有效.但是,当我使用自定义身份验证失败处理程序(如下所示)时,它总是返回:url/login.html

it works. But when I use custom authentication failure handler (as shown below), it always returns: url/login.html

getRedirectStrategy().sendRedirect(request, response, "/login.html?error=true");


response.sendRedirect(request.getContextPath() + "/login.html?error=true");

我不知道怎么了.为什么不显示参数?error=true?

I don't know whats wrong. Why does it not show the parameter ?error=true?

信息:我正在使用Spring + JSF + Hibernate + Spring Security

Info: I am using Spring + JSF + Hibernate + Spring Security

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login.html")
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .loginProcessingUrl("/j_spring_security_check")
            .failureHandler(customAuthenticationFailureHandler)// .failureUrl("/login.html?error=true")//.successHandler(authSuccsessHandler)
            .defaultSuccessUrl("/dashboard.html")
            .permitAll()
            .and()
        .logout()
            .invalidateHttpSession(true)
            .logoutSuccessUrl("/")
            .permitAll()
            .and()
        .exceptionHandling()
            .accessDeniedPage("/access.html")
            .and()
        .headers()
            .defaultsDisabled()
            .frameOptions()
            .sameOrigin()
            .cacheControl();

    http
        .csrf().disable();
}

这是自定义身份验证失败处理程序:

This is custom authentication failure handler:

@Component
public class CustomAuthFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        getRedirectStrategy().sendRedirect(request, response, "/login.html?error=true");

    }
}

在某些情况下,我会更改参数.

I will change parameter for some cases.

您不允许匿名访问URL /login.html?error=true,因此您将被重定向到登录页面(/login.html).

You didn't allow anonymous access to URL /login.html?error=true, so you are redirected to the login page (/login.html).

AbstractAuthenticationFilterConfigurer#permitAll allows access (for anyone) to failure URL but not for custom failure handler:

确保failureUrl(String)以及HttpSecurityBuildergetLoginPage()getLoginProcessingUrl()的URL被授予任何用户访问权限.

Ensures the urls for failureUrl(String) as well as for the HttpSecurityBuilder, the getLoginPage() and getLoginProcessingUrl() are granted access to any user.

您必须使用

You have to allow access explicitly with AbstractRequestMatcherRegistry#antMatchers:

映射一个AntPathRequestMatcher实例列表,这些实例与使用哪个HttpMethod无关.

Maps a List of AntPathRequestMatcher instances that do not care which HttpMethod is used.

指定任何人都可以使用URL.

Specify that URLs are allowed by anyone.

您不必允许使用确切的URL /login.html?error=true,因为查询字符串:

You don't have to allow the exact URL /login.html?error=true, because AntPathRequestMatcher ignores the query string:

匹配器,它将预定义的蚂蚁样式模式与HttpServletRequest的URL(servletPath + pathInfo)进行比较. URL的查询字符串将被忽略,并且匹配是区分大小写的还是区分大小写的,具体取决于传递给构造函数的参数.

Matcher which compares a pre-defined ant-style pattern against the URL ( servletPath + pathInfo) of an HttpServletRequest. The query string of the URL is ignored and matching is case-insensitive or case-sensitive depending on the arguments passed into the constructor.

您修改后的配置:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
        .authorizeRequests()
            .antMatchers("/login.html").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login.html")
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .loginProcessingUrl("/j_spring_security_check")
            .failureHandler(customAuthenticationFailureHandler)// .failureUrl("/login.html?error=true")//.successHandler(authSuccsessHandler)
            .defaultSuccessUrl("/dashboard.html")
            .permitAll()
            .and()
        .logout()
            .invalidateHttpSession(true)
            .logoutSuccessUrl("/")
            .permitAll()
            .and()
        .exceptionHandling()
            .accessDeniedPage("/access.html")
            .and()
        .headers()
            .defaultsDisabled()
            .frameOptions()
            .sameOrigin()
            .cacheControl();

    http
        .csrf().disable();
}

相关推荐