CAS服务器认证成功后,如何使Spring安全将用户重定向到原始请求的页面

Posted

技术标签:

【中文标题】CAS服务器认证成功后,如何使Spring安全将用户重定向到原始请求的页面【英文标题】:How to make Spring security to redirect user to the original requested page after successfully authenticated by the CAS server 【发布时间】:2020-04-25 04:33:50 【问题描述】:

我有一个 Spring Boot RESTFul Web 应用程序,它使用 CAS 服务器进行企业单点登录。如果未登录的用户尝试访问安全页面,则该用户将被重定向到 CAS 服务器进行身份验证。身份验证成功后,用户将被重定向到 Spring Boot RESTFul Web 应用程序的主页 - 而不是安全页面,用户尝试访问。我们如何直接将用户重定向到用户登录成功后想要访问的安全页面?

spring-security-cas-client用于实现CAS认证。实现 AuthenticationSuccessHandler 以将 UseReferer 设置为 true。 spring安全配置类如下:

package com.example.app

import java.util.Arrays;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationFilter;    
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutFilter;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter 

private AuthenticationProvider authenticationProvider;
private AuthenticationEntryPoint authenticationEntryPoint;
private SingleSignOutFilter singleSignOutFilter;
private LogoutFilter logoutFilter;

@Autowired
public SecurityConfig(CasAuthenticationProvider casAuthenticationProvider, 
AuthenticationEntryPoint 
eP,
                      LogoutFilter lF
                      , SingleSignOutFilter ssF
) 
    this.authenticationProvider = casAuthenticationProvider;
    this.authenticationEntryPoint = eP;

    this.logoutFilter = lF;
    this.singleSignOutFilter = ssF;



@Override
protected void configure(HttpSecurity http) throws Exception 
  http
    .authorizeRequests()
    .antMatchers("/api/**", "/path-1", "/path-2")
    .authenticated()
    .and()
    .authorizeRequests()
    .regexMatchers("/")
    .permitAll()
    .and()
    .httpBasic()
    .authenticationEntryPoint(authenticationEntryPoint)
    .and()
    .logout().logoutSuccessUrl("/logout")
    .and()
    .addFilterBefore(singleSignOutFilter, CasAuthenticationFilter.class)
    .addFilterBefore(logoutFilter, LogoutFilter.class);



@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception 
  auth.authenticationProvider(authenticationProvider);


@Override
protected AuthenticationManager authenticationManager() throws Exception 
  return new ProviderManager(Arrays.asList(authenticationProvider));


@Bean
public CasAuthenticationFilter casAuthenticationFilter(ServiceProperties sP) throws Exception 
  CasAuthenticationFilter filter = new CasAuthenticationFilter();
  filter.setServiceProperties(sP);
  filter.setAuthenticationManager(authenticationManager());
  return filter;


@Bean
public AuthenticationSuccessHandler successHandler() 
    SimpleUrlAuthenticationSuccessHandler handler = new SimpleUrlAuthenticationSuccessHandler();
    handler.setUseReferer(true);
    return handler;

【问题讨论】:

【参考方案1】:

使用SavedRequestAwareAuthenticationSuccessHandler 代替SimpleUrlAuthenticationSuccessHandler 可能会帮助您实现重定向。

@Bean
public AuthenticationSuccessHandler successHandler() 
    SavedRequestAwareAuthenticationSuccessHandler handler = new SavedRequestAwareAuthenticationSuccessHandler();
    handler.setTargetUrlParameter("redirectTo");
    handler.setDefaultTargetUrl("/");
    return handler;

【讨论】:

以上是关于CAS服务器认证成功后,如何使Spring安全将用户重定向到原始请求的页面的主要内容,如果未能解决你的问题,请参考以下文章

通过 Spring Security 和 CAS 登录后,如何在非安全 JSP 页面上显示登录用户详细信息?

无法使用 CAS 和 Spring 安全性登录到应用程序

Spring Security 集成 CAS(基于HTTP协议版本)

CAS 4 - 成功验证后无法检索 LDAP 组

认证后Spring安全重定向到静态资源

如何防止 JA-SIG CAS spring 安全重定向循环?