Mak*_*sim 11 java session spring-security spring-boot spring-security-oauth2
用户登录Spring Security后,我正在尝试实现一个需要操作的屏幕?我有一个要求,用户必须执行以完成表单(更改密码,接受使用条款等),然后一旦用户完成该操作,他就可以使用应用程序的其余部分.我正在使用Spring OAuth2和使用Spring Security流程的登录屏幕.
到目前为止,我已经尝试使用http.formLogin().successHandler()自定义实现SavedRequestAwareAuthenticationSuccessHandler,它会检测用户是否需要执行操作,然后在用户填写表单时将用户重定向到页面,但问题是如果用户导航离开该页面,他将登录到应用程序并可以在不跳过表单的情况下使用它.但我要做的是阻止用户建立会话,直到完成Action Action表单之后.一旦完成,用户应自动登录(例如,如果用户需要同意使用条款,则应该在不输入密码的情况下登录)
这是我到目前为止自定义处理程序的代码:
public class CustomLoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
@Autowired
UserService userService;
public final static String TARGET_URL_SESSION_ATTR_NAME = "target-url";
public CustomLoginSuccessHandler(String defaultTargetUrl) {
setDefaultTargetUrl(defaultTargetUrl);
}
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
HttpSession session = request.getSession();
AuthorityUser authorityUser = (AuthorityUser)authentication.getPrincipal();
String userId = authorityUser.getUserId();
User u = userService.getById(userId);
Boolean changeRequiredDob = u.getChangeRequiredDob();
Boolean changeRequiredPwd = u.getChangeRequiredPwd();
Boolean changeRequiredTou = u.getChangeRequiredTou();
if(changeRequiredDob || changeRequiredPwd || changeRequiredTou){
String targetUrl = determineTargetUrl(request, response);
session.setAttribute(TARGET_URL_SESSION_ATTR_NAME, targetUrl);
getRedirectStrategy().sendRedirect(request, response, "/action-required");
} else {
super.onAuthenticationSuccess(request, response, authentication);
}
}
}
然后,一旦成功完成,我将用户重定向到TARGET_URL_SESSION_ATTR_NAME存储到会话中的用户.
知道如何在建立的会话期间检测用户并将用户重定向到需要操作的屏幕(如果用户登录以及稍后他登录管理员设置操作所需的标记在他的帐户上)也是有帮助的.
https://github.com/king-julien/spring-oauth2-customfilter这是一个带有授权和资源服务器的工作示例。此资源服务器(普通)是一个基本的无状态应用程序,除非您在身份验证后接受服务条款(要接受 TOS,只需在 /tos 端点上执行 POST),否则不会继续进行任何操作。
@Component
public class TosFilter extends OncePerRequestFilter{
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
System.out.println(request.getRequestURI());
// In realworld scenario HelloWorldController.acceptedTOS is a persisted value rather than a static variable
if(!HelloWorldController.acceptedTOS){
//response.sendRedirect("/no-tos");
request.getRequestDispatcher("error-no-tos").forward(request, response);
}
filterChain.doFilter(request,response);
}
}
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
TosFilter rolesFilter;
@Override
public void configure(HttpSecurity httpSecurity) throws Exception{
httpSecurity
.addFilterAfter(rolesFilter, AbstractPreAuthenticatedProcessingFilter.class)
.csrf().disable()
.authorizeRequests().anyRequest().permitAll();
}
}
@SpringBootApplication
@EnableResourceServer
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
| 归档时间: |
|
| 查看次数: |
1688 次 |
| 最近记录: |