使用 Spring Security 根据用户角色登录后重定向到不同的页面

Posted

技术标签:

【中文标题】使用 Spring Security 根据用户角色登录后重定向到不同的页面【英文标题】:Redirect to different page after login based on user role with Spring Security 【发布时间】:2021-08-03 19:37:48 【问题描述】: 

<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>Welcome to Akash Home</title>
<link rel="stylesheet" type="text/css"
    href="/webjars/bootstrap/css/bootstrap.min.css" />
<script type="text/javascript" src="/webjars/jquery/jquery.min.js"></script>
<script type="text/javascript"
    src="/webjars/bootstrap/js/bootstrap.min.js"></script>
</head>
<body>
    <div class="container text-center">
        <h1>Welcome to the portal</h1>
        <h3>
            <a href="/register">Register</a>
        </h3>
        <h3>
            <a href="show-menu-list-admin">Login as a admin</a><br>
            <a href="show-menu-list-customer">Login as a user</a><br>
            <!--        <a href="login">login</a> -->
            <a href="logout">logout</a>
        </h3>
    </div>

</body>
</html>

在这里,我正在创建单独的链接,以便以管理员/用户身份登录。如何根据输入的凭据添加单个登录页面重定向到下一页:如果 user1 是管理员,如果输入了他的凭据,他将被重定向到管理页面,反之亦然以进行用户登录

这是我的 spring 安全配置代码:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter 

    @Bean
    public UserDetailsService getUserDetailService() 
        return new UserDetailsServiceImpl();
    

    @Bean
    public BCryptPasswordEncoder passwordEncoder() 
        return new BCryptPasswordEncoder();
    

    @Bean
    public DaoAuthenticationProvider authenticationProvider() 
        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
        daoAuthenticationProvider.setUserDetailsService(this.getUserDetailService());
        daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());

        return daoAuthenticationProvider;
    

//  authentication - configure method

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception 
        auth.authenticationProvider(authenticationProvider());
    

    @Override
    protected void configure(HttpSecurity http) throws Exception 
        http.authorizeRequests().antMatchers("/show-menu-list-admin").hasRole("ADMIN")
                .antMatchers("/show-menu-list-customer").hasRole("USER").and().formLogin().and().csrf().disable();

【问题讨论】:

您好。到目前为止必须尝试什么来实施您的解决方案?尝试根据您的情况添加源代码或更多代码示例。 感谢您指出这一点,我已经成功实现了这个功能,下次我会确保添加更多代码示例 【参考方案1】:

您可以提供自定义AuthenticationSuccessHandlerAuthenticationSuccessHandler 告诉 Spring Security 在成功进行用户身份验证后该做什么。 默认实现通常使用SimpleUrlAuthenticationSuccessHandler,一旦用户成功通过身份验证,它将重定向到提供的 URL。

在您的自定义实现中,您可以根据用户的角色委托给不同的SimpleUrlAuthenticationSuccessHandler

public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler 
    SimpleUrlAuthenticationSuccessHandler userSuccessHandler =
            new SimpleUrlAuthenticationSuccessHandler("/user-page");
    SimpleUrlAuthenticationSuccessHandler adminSuccessHandler =
            new SimpleUrlAuthenticationSuccessHandler("/admin-page");

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException 
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        for (final GrantedAuthority grantedAuthority : authorities) 
            String authorityName = grantedAuthority.getAuthority();
            if (authorityName.equals("ROLE_ADMIN")) 
                // if the user is an ADMIN delegate to the adminSuccessHandler
                this.adminSuccessHandler.onAuthenticationSuccess(request, response, authentication);
                return;
            
        
        // if the user is not an admin delegate to the userSuccessHandler
        this.userSuccessHandler.onAuthenticationSuccess(request, response, authentication);

然后,在表单登录配置中提供CustomAuthenticationSuccessHandler

http
    .formLogin(formLogin -> formLogin
        .successHandler(new CustomAuthenticationSuccessHandler())
    );

【讨论】:

以上是关于使用 Spring Security 根据用户角色登录后重定向到不同的页面的主要内容,如果未能解决你的问题,请参考以下文章

Spring Security(Java Config)登录 - 根据用户角色返回不同的 URL

如何使用spring security根据角色限制对html页面的访问?

Spring-Security权限管理框架——根据角色权限登录

如何使用 Spring Security 在我的控制器中获取用户登录的角色

Grails 和 Spring Security 插件:基于角色登录时重定向用户

如何通过上下文更改 Spring Security 角色?