Redirect to login page after login

Posted: 2015-12-04 04:43:21

Question:

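I have a web application in Spring that uses Spring Security. After a successful deployment the login page comes up. After logging in, it redirects to the login page again.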

This is my securityContext.xml:

<!-- enable method-level security via annotation -->
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="disabled"/>

<!-- secure the web layer -->

<sec:http pattern="/login.jsp" security="none" />
<sec:http pattern="/js/**" security="none" />
<sec:http pattern="/scripts/**" security="none" />
<sec:http pattern="/favicon.ico" security="none" />
<sec:http pattern="/styles/**" security="none" />
<sec:http pattern="/images/**" security="none" />
<sec:http pattern="/qlogin.jsp" security="none" />
<sec:http pattern="/qloginWait/**" security="none" />
<sec:http pattern="/contract/ServiceContractPDFView.jsp" security="none" />
<sec:http pattern="/admin/unsubscribe_sbpqm_newsletter.jsp" security="none" />
<sec:http pattern="/admin/subscription_thankyou.jsp" security="none" />
<sec:http pattern="/admin/related_analysts.jsp" security="none" />

<sec:http entry-point-ref="myAuthenticationEntryPoint" use-expressions="true">
    <sec:session-management session-fixation-protection="newSession">
    </sec:session-management>
    <sec:csrf disabled="true"/>
    <sec:custom-filter position="FORM_LOGIN_FILTER" ref="customizedFormLoginFilter"/>
    <sec:custom-filter after="FORM_LOGIN_FILTER" ref="rememberMeProcessingFilter"/>
    <sec:custom-filter after="REMEMBER_ME_FILTER" ref="logoutFilter"/>
    <sec:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <sec:anonymous username="anonymousUser" granted-authority="ROLE_ANONYMOUS"/>
    <!-- <sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="singleSignOnFilter"/> -->
</sec:http>

<!--name of my authenticationManager is authenticationManager-->
<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider user-service-ref="myUserDetailsService" />
</sec:authentication-manager>

<bean id="customizedFormLoginFilter" class="com.prop.test.security.CustomAuthenticationProcessingFilter" >
    <!--Here it is the custom authenticationManager, login magic goes here -->
    <property name="authenticationManager" ref="myAuthenticationManager"/> 
    <property name="rememberMeServices" ref="rememberMeServices" /> 
    <property name="allowSessionCreation" value="true" />
    <property name="authenticationFailureHandler" ref="failureHandler"/>
    <property name="authenticationSuccessHandler" ref="successHandler"/>
</bean>

<bean id="myAuthenticationManager" class="com.prop.test.security.CustomAuthenticationManager" />

<bean id="loggerListener" class="org.springframework.security.access.event.LoggerListener"/>

<!--My authentication entry point, can be replaced easily if we are doing custom commence of invalid auths.-->
<bean id="myAuthenticationEntryPoint"
class="com.prop.test.security.CustomAuthenticationEntryPoint" >
    <constructor-arg value="/j_spring_security_check"/>
</bean>

<bean id="successHandler" class="com.prop.test.security.CustomSavedRequestAwareAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/indexCustomer.jsp"/>
</bean>

<bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/login.jsp?login_error=1"/>
</bean>
<!-- Override RememberMeProcessingFilter to allow application of other business logic (update login count when user returns to the site) -->

<bean id="rememberMeProcessingFilter" class="com.prop.test.security.CustomRememberMeProcessingFilter"> 
    <constructor-arg ref="authenticationManager"/>
    <constructor-arg ref="rememberMeServices"/>
</bean> 

<bean id="signleSignOnService" class="com.prop.sage.sso.dynamo.SsoDbStorage">
</bean>
<bean id="singleSignOnFilter"
      class="com.prop.test.spring.SingleSignOnFilter">
    <property name="signleSignOnService" ref="signleSignOnService"/>
    <!--<property name="authenticationProviderFacade" ref="authenticationProviderFacade"/>-->
    <property name="userService" ref="propUserServiceImpl"/>
    <property name="ssoUserUrl">
        <value>/sso</value>
    </property>
    <!-- Code Review Starts -->
    <property name="ssoTargetUrl">
        <value>/search/ServiceContractSearch.do</value>
    </property>
    <!-- Code Review Ends -->
    <property name="ssoFailureUrl">
        <value>/login.jsp</value>
    </property>
    <property name="order" value="123456"/>
</bean>


<!-- Remember me Authentication Defines which remember me implementation to use - in this case using a database table to log 'remembered' tokens --> 

<bean id="myUserDetailsService" class="com.prop.test.security.CustomUserDetailsService" > </bean>

<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
    <constructor-arg value="springRocks"/>
    <constructor-arg ref="myUserDetailsService"/>
    <constructor-arg ref="jdbcTokenRepository"/>
</bean>


<!-- Uses a database table to maintain a set of persistent login data --> 

<bean id="jdbcTokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl"> 
    <property name="createTableOnStartup" value="false" /> 
    <property name="dataSource" ref="dataSource" /> 
</bean> 

<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider"> 
    <constructor-arg value="springRocks"/> 
</bean>

<bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" >
    <property name="invalidateHttpSession" value="true" />
</bean> 

<bean id="mySecurityContextHandler" class="com.prop.test.security.CustomSecurityContextLogoutHandler"/>  

<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter"> 
    <constructor-arg value="/login.jsp" /> 
     <constructor-arg> 
        <list>
            <ref bean="mySecurityContextHandler" /> 
            <ref bean="rememberMeServices" /> 
            <ref bean="securityContextLogoutHandler" />
        </list>
    </constructor-arg>
</bean>

<bean id="authenticationLoggerListener" class="org.springframework.security.access.event.LoggerListener"/>

<bean id="_sessionFixationProtectionFilter" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"> 
    <property name="migrateSessionAttributes" value="true" />
</bean>

Log entry in the logger file -

org.springframework.security.access.event.LoggerListener - Security authorization failed due to: org.springframework.security.access.AccessDeniedException: Access is denied; authenticated principal: org.springframework.security.authentication.AnonymousAuthenticationToken@90579aae: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2eb76: RemoteIpAddress: 127.0.0.1; SessionId: 6C81F0D37667C08742208FC0B8BA3E86; Granted Authorities: ROLE_ANONYMOUS; secure object: FilterInvocation: URL: /j_spring_security_check; configuration attributes: [hasRole('ROLE_USER')]

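Answer 1:

According to your configuration, only ROLE_USER can access all pages /**

You are trying to log in as an anonymous user, whose granted authority is ROLE_ANONYMOUS

So you cannot proceed with anonymousUser and access is denied. So if you wish, you can allow anonymous users access with access="hasAnyRole('ROLE_USER','ROLE_ANONYMOUS')"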

<sec:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<sec:anonymous username="anonymousUser" granted-authority="ROLE_ANONYMOUS"/>

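Comments:

No, I don't want to log in as an anonymous user. I don't know why it is breaking with the anonymous role.

But your log says it is using the anonymousUser user; try removing it and test.

Also clear the browser cookies to clear JSESSIONID; maybe you previously logged in as an anonymous user.

If I change granted-authority="ROLE_USER" then j_spring_security_check returns a 404.

The problem is fixed. Anudeep, your solution didn't work for me, but thanks for the reply :)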
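An added triage example, not part of the original question or its answers: it parses the LoggerListener denial line quoted in the question and separates the case seen here (an anonymous request for the login-processing URL reaching the authorization check) from an ordinary missing-role denial. The sample line, the label names and the rules in `classify` are constructed for illustration and are not Spring Security's own logic.

```python
import re

# Constructed sample: the denial line from the question in LoggerListener's field layout.
SAMPLE = (
    "org.springframework.security.access.event.LoggerListener - "
    "Security authorization failed due to: "
    "org.springframework.security.access.AccessDeniedException: Access is denied; "
    "authenticated principal: "
    "org.springframework.security.authentication.AnonymousAuthenticationToken@90579aae: "
    "Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; "
    "Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2eb76: "
    "RemoteIpAddress: 127.0.0.1; SessionId: 6C81F0D37667C08742208FC0B8BA3E86; "
    "Granted Authorities: ROLE_ANONYMOUS; "
    "secure object: FilterInvocation: URL: /j_spring_security_check; "
    "configuration attributes: [hasRole('ROLE_USER')]"
)

FIELDS = {
    "principal": r"Principal: ([^;]+);",            # capital P skips "authenticated principal:"
    "authorities": r"Granted Authorities: ([^;]+);",
    "url": r"FilterInvocation: URL: ([^;\s]+)",
    "required": r"configuration attributes: \[(.*)\]",
}

def parse_denial(line):
    """Extract who was denied, on which URL, and which access expression applied."""
    event = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, line)
        event[name] = match.group(1).strip() if match else None
    if event["authorities"]:
        event["authorities"] = [a.strip() for a in event["authorities"].split(",")]
    return event

def classify(event, login_processing_urls=("/j_spring_security_check",)):
    """Assumed triage rules; login_processing_urls is whatever URL the login form posts to."""
    anonymous = event["authorities"] == ["ROLE_ANONYMOUS"]
    if anonymous and event["url"] in login_processing_urls:
        # The login POST reached the authorization check still unauthenticated,
        # so no authentication filter claimed this URL.
        return "login-url-not-intercepted"
    if anonymous:
        return "unauthenticated-request"
    return "insufficient-role"

if __name__ == "__main__":
    parsed = parse_denial(SAMPLE)
    print(parsed, classify(parsed))
```

A `login-url-not-intercepted` result points at the URL the login filter is configured to process, rather than at the roles in the `intercept-url` rule.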
