将authentication-failure-url定义为`{currentpage}？login_error = 1`？

Question

我正在使用Spring MVC,Spring安全性和Apache tile.
我有登录div出现在每个页面中(如果用户尚未进行身份验证).
这是配置:

<http use-expressions="true">
    <intercept-url pattern="/index.jsp" access="permitAll" />
    <intercept-url pattern="/registration.html" access="permitAll" />
    <intercept-url pattern="/about.html" access="permitAll" />
    <intercept-url pattern="/search.html" access="permitAll" />
    <intercept-url pattern="/login.html" access="permitAll" />
    <intercept-url pattern="/logout.html" access="permitAll" />
    <intercept-url pattern="/post.html" access="hasAnyRole('USER')" />
    <intercept-url pattern="/**" access="denyAll" />
    <form-login default-target-url='/search.html'
                authentication-failure-url="/login.html?login_error=1" />
    <logout logout-success-url="/logout.html" />
</http>   

问题是:假设用户输入search.html并输入无效的登录详细信息.但随后用户重定向到/login.html?login_error=1而不是重定向到search.html?login_error=1.如何定义authentication-failure-url {currentpage}?login_error=1？

Answer 1

您需要自定义SimpleUrlAuthenticationFailureHandler一点,例如通过新的RedirectStrategy.

在开始之前:您应该查看这些类的来源以了解它们的作用:

• UsernamePasswordAuthenticationFilter和它的超类AbstractAuthenticationProcessingFilter- 这是触发身份验证的过滤器
• SimpleUrlAuthenticationFailureHandler - 如果需要身份验证,则负责执行某些操作(由SimpleUrlAuthenticationFailureHandler调用).
• DefaultRedirectStrategy- 用于SimpleUrlAuthenticationFailureHandler执行redirct.
• FormLoginBeanDefinitionParser- 解析XML security:form-login元素 - 您应该阅读它以了解bean的创建和引用方式!

你应该自己编写RedirectStrategy,让我们调用它MyAppendParameterRedirectStrategy(可能先看一下DefaultRedirectStrategy).它只需要一种方法:void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url).至少你应该这样做DefaultRedirectStrategy但不是返回(登录)网址,calculateRedirectUrl你应该计算网址stripParams(getRequestURL()) + "?login_error=1"

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;
import org.springframework.security.web.RedirectStrategy;

public class MyAppendParameterRedirectStrategy implements RedirectStrategy {

    @Override
    public void sendRedirect(final HttpServletRequest request, final HttpServletResponse response, final String url) throws IOException {
        String redirectUrl = calculateRedirectUrl(request.getRequestURL().toString());
        redirectUrl = response.encodeRedirectURL(redirectUrl);
        response.sendRedirect(redirectUrl);
    }

    private String calculateRedirectUrl(final String requestUrl) {
        //Attention this parameter striping is only proof of concept!
        return StringUtils.substringBeforeLast(requestUrl, "?") + "?login_error=1";
    }
}

第二部分是你需要更改弹簧配置(因此你应该阅读我提到的类)我认为配置应该是这样的(但我没有测试过):

<security:form-login login-processing-url="/login/j_spring_security_check" login-page="/login" authentication-failure-handler-ref="simpleUrlAuthenticationFailureHandler"/>

<bean id="SimpleUrlAuthenticationFailureHandler"
      class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
   <property="defaultFailureUrl" value="NotNullButWeDoNotUseIt" />
   <property="redirectStrategy">
      <bean class="MyAppendParameterRedirectStrategy"/>
   </property>
</bean>