阻止重定向登录Spring Security

Question

阻止重定向登录Spring Security

Mir*_*ciu 15 java security redirect spring spring-mvc

我有Spring MVC + Spring Security项目.

<http auto-config="true" access-denied-page="/security/accessDenied" use-expressions="true" disable-url-rewriting="true">

... 
<intercept-url pattern="/dashboard/myaccount/**" access="hasAnyRole('ROLE_PERSON', 'ROLE_DEALER')"/>
...

<form-login login-page="/security/login" authentication-failure-url="/security/login?error=true"
                default-target-url="/security/success" username-parameter="email"
                password-parameter="secret"/>
<logout invalidate-session="true" logout-success-url="/index" logout-url="/security/logout"/>

Run Code Online (Sandbox Code Playgroud)

如果用户进入登录页面,如果成功将被重定向到"/ security/success",我在控制器中用会话对象做更多的东西(记录userID,...等)

我的问题是当一个GUEST用户进入/ dashboard/myaccount(需要AUTH)时,他被重定向到LOGIN页面(我不想要,我更喜欢抛出404).之后Spring Security没有重定向到/ security/success.而是重定向到/ dashboard/myaccount.

在GUEST尝试访问AUTH页面的情况下,我更愿意找到一种方法来完全禁用此重定向到登录页面.

有办法做到这一点吗？

TNX

Answer 1

Mir*_*ciu 13

我们添加一个新的authenticationEntryPoint:

<http auto-config="true" access-denied-page="/security/accessDenied" use-expressions="true"
      disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint"/>

<beans:bean id="authenticationEntryPoint" class="a.b.c..AuthenticationEntryPoint">
    <beans:constructor-arg name="loginUrl" value="/security/login"/>
</beans:bean>

public class AuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {    
    public AuthenticationEntryPoint(String loginUrl)  {
        super(loginUrl);
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
        response.sendError(403, "Forbidden");
    }
}

Run Code Online (Sandbox Code Playgroud)

无需创建自己的AuthenticationEntryPoint,请使用:org.springframework.security.web.authentication.Http403ForbiddenEntryPoint (4认同)

Answer 2

Mir*_*ciu 5

发现这个:always-use-default-target ="true"

我这样,我的控制器功能总是在任何登录后调用.

Answer 3

tch*_*dyk 5

在SpringSecurity 4中的带注释的配置中，您可以执行以下操作：

public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    // ....
    http.exceptionHandling().authenticationEntryPoint(new AuthenticationEntryPoint() {

        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException authException) throws IOException, ServletException {
            if (authException != null) {
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.getWriter().print("Unauthorizated....");
            }
        }
    });
    // ....
}

Run Code Online (Sandbox Code Playgroud)

}

归档时间：	12 年，8 月前
查看次数：	18301 次
最近记录：	10 年，6 月前