Spring Security custom authentication failure handler redirect parameter

mst*_*ykt 10 spring spring-security

I have a problem with the Spring Security authentication failure handler and its redirect parameter.

In my security configuration, using

    failureUrl("/login.html?error=true")

works. But when I use a custom authentication failure handler (shown below), it always returns the URL /login.html, whether I use

    getRedirectStrategy().sendRedirect(request, response, "/login.html?error=true");

or

    response.sendRedirect(request.getContextPath() + "/login.html?error=true");

I don't know what's wrong. Why isn't the parameter error=true shown?

Info: I am using Spring + JSF + Hibernate + Spring Security.

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login.html")
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .loginProcessingUrl("/j_spring_security_check")
            // previously tried: .failureUrl("/login.html?error=true") and .successHandler(authSuccessHandler)
            .failureHandler(customAuthenticationFailureHandler)
            .defaultSuccessUrl("/dashboard.html")
            .permitAll()
            .and()
        .logout()
            .invalidateHttpSession(true)
            .logoutSuccessUrl("/")
            .permitAll()
            .and()
        .exceptionHandling()
            .accessDeniedPage("/access.html")
            .and()
        .headers()
            .defaultsDisabled()
            .frameOptions()
            .sameOrigin()
            .cacheControl();

    http
        .csrf().disable();
}

This is the custom authentication failure handler:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        // Redirect back to the login page with the error parameter set
        getRedirectStrategy().sendRedirect(request, response, "/login.html?error=true");
    }
}

I want to change the parameter for certain cases.

dur*_*dur 13

You are not allowing anonymous access to the URL /login.html?error=true, so you are redirected to the login page (/login.html).

AbstractAuthenticationFilterConfigurer#permitAll grants access (to anyone) to the failure URL, but not to a custom failure handler:

    Ensures the urls for failureUrl(String) as well as for the HttpSecurityBuilder, the getLoginPage() and getLoginProcessingUrl() are granted access to any user.

You have to explicitly permit access with AbstractRequestMatcherRegistry#antMatchers:

    Maps a List of AntPathRequestMatcher instances that do not care which HttpMethod is used.

and ExpressionUrlAuthorizationConfigurer.AuthorizedUrl#permitAll:

    Specify that URLs are allowed by anyone.

You don't have to permit the exact URL /login.html?error=true, because AntPathRequestMatcher ignores the query string:

    Matcher which compares a pre-defined ant-style pattern against the URL (servletPath + pathInfo) of an HttpServletRequest. The query string of the URL is ignored and matching is case-insensitive or case-sensitive depending on the arguments passed into the constructor.

Your modified configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
        .authorizeRequests()
            .antMatchers("/login.html").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login.html")
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .loginProcessingUrl("/j_spring_security_check")
            // previously tried: .failureUrl("/login.html?error=true") and .successHandler(authSuccessHandler)
            .failureHandler(customAuthenticationFailureHandler)
            .defaultSuccessUrl("/dashboard.html")
            .permitAll()
            .and()
        .logout()
            .invalidateHttpSession(true)
            .logoutSuccessUrl("/")
            .permitAll()
            .and()
        .exceptionHandling()
            .accessDeniedPage("/access.html")
            .and()
        .headers()
            .defaultsDisabled()
            .frameOptions()
            .sameOrigin()
            .cacheControl();

    http
        .csrf().disable();
}
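The asker also wanted to vary the parameter "for certain cases". The following is an added example, not code from the question or the answer: a failure handler that maps the AuthenticationException subtype to a fixed query value, together with the antMatchers("/login.html").permitAll() rule the answer describes, so the query string survives the redirect. The class and bean names (CustomAuthFailureHandler, SecurityConfig) and the parameter values ("locked", "disabled", "true") are assumptions chosen for the illustration; the Spring Security types used are real.

```java
// Added example (not from the original post). Two files are shown in one listing.

// --- CustomAuthFailureHandler.java ---
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        // Pick the value from a fixed allow-list, never from exception.getMessage() or
        // from request parameters, so nothing attacker-influenced is reflected into
        // the redirect target.
        String reason;
        if (exception instanceof LockedException) {
            reason = "locked";      // assumption: the app accepts revealing that the account exists
        } else if (exception instanceof DisabledException) {
            reason = "disabled";    // same caveat as above
        } else {
            // BadCredentialsException and everything else collapse to one generic value,
            // so a wrong password and an unknown username are indistinguishable.
            reason = "true";
        }
        // Relative URL: DefaultRedirectStrategy prepends the context path.
        // The query string only reaches the browser if /login.html is reachable
        // anonymously (see SecurityConfig below); otherwise the request for
        // /login.html?error=... is itself unauthenticated and gets redirected to
        // the bare login page, which is the symptom the question describes.
        getRedirectStrategy().sendRedirect(request, response, "/login.html?error=" + reason);
    }
}

// --- SecurityConfig.java ---
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomAuthFailureHandler customAuthenticationFailureHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // AntPathRequestMatcher ignores the query string, so this single rule
                // covers /login.html?error=true, ?error=locked, ?error=disabled, ...
                .antMatchers("/login.html").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.html")
                .loginProcessingUrl("/j_spring_security_check")
                .failureHandler(customAuthenticationFailureHandler)
                .defaultSuccessUrl("/dashboard.html")
                .permitAll();
        // CSRF protection is left at its default (enabled) here; the login form must
        // then include the _csrf token, unlike the configuration in the question.
    }
}
```

To confirm the fix from the outside, POST wrong credentials to /j_spring_security_check with curl -i and check that the Location header of the 302 still carries ?error=..., and then that an unauthenticated GET of that Location returns 200 rather than another 302 to /login.html.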