成功登录后 Spring 总是重新编辑到默认目标 URL

Posted

技术标签:

【中文标题】成功登录后 Spring 总是重新编辑到默认目标 URL【英文标题】:Spring is always rediting to default target URL after successful login 【发布时间】:2015-10-29 11:35:07 【问题描述】:

SpringFramework 安全性在我定义的成功登录后将我重定向到默认目标 URL(场景 1),但我用户将指定其他位置,结果证明需要登录 SpringFramework 也重定向到默认位置而不是位置由用户指定(场景 2)。

场景 1:

用户输入:http://pageAddress/ 用户被重定向到登录页面http://pageAddress/login.action 成功登录后重定向到默认位置:http://pageAddress/default.action

场景 2:

用户输入:http://pageAddress/someSpecificLocation.action 用户被重定向到登录页面http://pageAddress/login.action 成功登录后重定向到默认位置:http://pageAddress/default.action(错误!)

我一直使用UseDefaultTargetUrl=false。这还不够吗? 我使用自定义过滤器链而不是 http 标记,因为 Web 服务需要基本身份验证

SpringFramework 版本:3.0.5

安全配置:

<bean id="httpSessionContextIntegrationFilterWithASCFalse" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    <!--property name="allowSessionCreation" value="false" TODO no property like this exist any more - probably not needed /-->
</bean>

<bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />

<bean id="basicAuthenticationEntryPoint"
    class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <property name="realmName" value="Spring Security Application" />
</bean>

<bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint" />
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="accessDeniedHandlerImpl" class="org.springframework.security.web.access.AccessDeniedHandlerImpl" />

<bean id="basicExceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint" />
    <property name="accessDeniedHandler" ref="accessDeniedHandlerImpl" />
</bean>

<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg index="0" value="/" />
    <constructor-arg index="1">
        <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    </constructor-arg>
</bean>

<bean id="formLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <!--property name="defaultTargetUrl" value="/login!login.action" / to be investigated ! -->
    <property name="authenticationFailureHandler" ref="customAuthenticationFailureHandler" />
    <property name="authenticationSuccessHandler" ref="customAuthenticationSuccessHandler" />
</bean>


<bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/login.action?authenticationFailed=true" />
</bean>

<bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/search.action" />
    <property name="alwaysUseDefaultTargetUrl" value="false" />
</bean>


<bean id="formLoginEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/login.action" />
</bean>

<bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter" />

<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="formLoginEntryPoint" />
    <property name="accessDeniedHandler" ref="accessDeniedHandlerImpl" />
</bean>


<bean id="accessManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
        </list>
    </property>
</bean>

<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessManager" />

    <property name="securityMetadataSource">
        <security:filter-security-metadata-source>
          <security:intercept-url pattern="/bsh*" access="ROLE_Bsh"/>
          <security:intercept-url pattern="/admin/**" access="ROLE_Administrators"/>
          <security:intercept-url pattern="/**" access="ROLE_Users,ROLE_Administrators"/>
        </security:filter-security-metadata-source>
      </property>

</bean>

<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map path-type="ant">
        <security:filter-chain pattern="/c/**" filters="none" />
        <security:filter-chain pattern="/i/**" filters="none" />
        <security:filter-chain pattern="/j/**" filters="none" />
        <security:filter-chain pattern="/accessdenied.jsp" filters="none" />
        <security:filter-chain pattern="/login.action*" filters="none" />
        <security:filter-chain pattern="/services/**"
            filters="httpSessionContextIntegrationFilterWithASCFalse,logoutFilter,
                   basicAuthenticationFilter,basicExceptionTranslationFilter,
                   filterSecurityInterceptor" />
        <security:filter-chain pattern="/**"
            filters="httpSessionContextIntegrationFilter,logoutFilter,formLoginFilter,
                     securityContextHolderAwareRequestFilter,
                     exceptionTranslationFilter,
                     filterSecurityInterceptor" />
    </security:filter-chain-map>
</bean>

【问题讨论】:

我认为你需要 default-target-url 为真... 【参考方案1】:

知道了!我不得不用 SavedRequestAwareAuthenticationSuccessHandler 替换 SimpleUrlAuthenticationSuccessHandler

【讨论】:

【参考方案2】:

认证成功时URL错误的解决方法:

查找用户“Mircea Stanciu”的响应 Spring security not hitting default-target-url after successful authtication 它说您必须创建一个重写 Spring Security 的 LoginSuccessHandler 类 的类,并 在 application-security.xml 中创建一个 bean 到该类

在你的application-security.xml中,你必须在标签里面放这个:

authentication-success-handler-ref="loginSuccessHandler"

【讨论】:

以上是关于成功登录后 Spring 总是重新编辑到默认目标 URL的主要内容,如果未能解决你的问题,请参考以下文章

登录后spring security重定向不正确

使用 Spring MVC 成功登录后,我仍然可以返回登录页面

Spring Security教程(10)---- 自定义登录成功后的处理程序及修改默认验证地址

Grails Spring Security - 登录后总是重定向到特定页面?

Spring Security6登录用户退出登录操作

织梦怎么取消后台登录的验证码