My Spring application has the following Spring Security configuration:
    @Configuration
    @ComponentScan(value="org.webapp")
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private DataSource restDataSource;

        @Autowired
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .jdbcAuthentication()
                .dataSource(restDataSource)
                .usersByUsernameQuery(getUserQuery())
                .authoritiesByUsernameQuery(getAuthoritiesQuery());
        }

        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf()
                    .disable()
                .authorizeRequests()
                    .antMatchers("/css/**", "/fonts/**", "/image/**", "/js/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/spring/index").permitAll()
                    .loginProcessingUrl("/spring/login").permitAll()
                    .usernameParameter("login")
                    .passwordParameter("senha")
                    .successHandler(new CustomAuthenticationSuccessHandler())
                    .failureHandler(new CustomAuthenticationFailureHandler())
                    .and()
                .logout()
                    .logoutUrl("/spring/logout")
                    .logoutSuccessUrl("/spring/index").permitAll();
        }

        private String getUserQuery() {
            return "SELECT login as username, senha as password "
                    + "FROM usuario "
                    + "WHERE login = ?";
        }

        private String getAuthoritiesQuery() {
            return "SELECT DISTINCT usuario.login as username, autorizacao.descricao as authority "
                    + "FROM usuario, autorizacao_usuario, autorizacao "
                    + "WHERE usuario.id = autorizacao_usuario.fk_usuario "
                    + "AND autorizacao.id = autorizacao_usuario.fk_autorizacao "
                    + "AND usuario.login = ? ";
        }
    }
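But I have a problem: after I enter my login credentials, the system returns to the login page instead of the destination page (/spring/home). I looked at the stack trace, and no error is shown.
Can anyone see what is wrong?
Update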
CustomAuthenticationSuccessHandler
    public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication auth) throws IOException, ServletException {
            System.out.println("CustomAuthenticationSuccessHandler");
            HttpSession session = request.getSession();
            SavedRequest savedReq = (SavedRequest) session.getAttribute(WebAttributes.ACCESS_DENIED_403);
            if (savedReq == null) {
                response.sendRedirect(request.getContextPath() + "/spring/home");
            }
            else {
                response.sendRedirect(savedReq.getRedirectUrl());
            }
        }
    }
CustomAuthenticationFailureHandler
    public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {

        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException auth) throws IOException, ServletException {
            System.out.println("CustomAuthenticationFailureHandler");
            response.sendRedirect(request.getContextPath() + "/spring/erro-login");
        }
    }
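Update 2
The complete source code of the project can be seen here: https://github.com/klebermo/webapp1
Answer 0 (score: 1)
It seems you missed adding .defaultSuccessUrl("/spring/home") to the formLogin configuration.
Also, if I were you, I would always add .failureUrl("/login?login_error=1") to make sure whether the login succeeds or a failure occurs during login.
Answer 1 (score: 0)
The problem is (or may be) that the target error page is not listed as a "permit all" URL: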
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException auth) throws IOException, ServletException {
        System.out.println("CustomAuthenticationFailureHandler");
        response.sendRedirect(request.getContextPath() + "/spring/erro-login");
    }
On authentication failure, you redirect to "/spring/erro-login". However, this is not listed in your security ant matchers, so this URL is caught by:
    .anyRequest().authenticated()
Since you are not authenticated, you cannot access that URL, so Spring redirects you to the login page.
Try updating to:
    .authorizeRequests()
        .antMatchers("/spring/erro-login").permitAll()
        .antMatchers("/css/**", "/fonts/**", "/image/**", "/js/**").permitAll()
        .anyRequest().authenticated()
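
A regression test for the behaviour described in the answer above, added here as an example and not taken from the question, the answers or the linked project: it checks that the URL a failed login redirects to is reachable without authentication, while other URLs still bounce to the login page. It assumes JUnit 4, spring-test and spring-security-test on the classpath; the names ErrorPageAccessTest, Rules and the user "ana" are hypothetical, and an in-memory user store and SimpleUrlAuthenticationFailureHandler stand in for the project's JDBC store and CustomAuthenticationFailureHandler.

```java
import static org.junit.Assert.*;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;

import org.junit.*;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.*;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
@ContextConfiguration(classes = ErrorPageAccessTest.Rules.class)
public class ErrorPageAccessTest { // hypothetical test class, not part of the project
    @EnableWebSecurity
    static class Rules extends WebSecurityConfigurerAdapter {
        @Autowired void users(AuthenticationManagerBuilder auth) throws Exception {
            // Constructed in-memory user, standing in for the JDBC user store (assumption).
            auth.inMemoryAuthentication().withUser("ana").password("{noop}secret").roles("USER");
        }
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/spring/erro-login").permitAll() // the rule the answer adds
                    .anyRequest().authenticated()
                .and().formLogin()
                    .loginPage("/spring/index").permitAll()
                    .loginProcessingUrl("/spring/login").usernameParameter("login").passwordParameter("senha")
                    .failureHandler(new SimpleUrlAuthenticationFailureHandler("/spring/erro-login"));
        }
    }
    @Autowired WebApplicationContext ctx;
    MockMvc mvc;
    @Before public void setUp() { mvc = MockMvcBuilders.webAppContextSetup(ctx).apply(springSecurity()).build(); }
    String redirectOf(RequestBuilder rb) throws Exception { return mvc.perform(rb).andReturn().getResponse().getRedirectedUrl(); }
    @Test public void failureTargetIsReachableAnonymously() throws Exception {
        // A wrong password sends the browser to the error page...
        assertEquals("/spring/erro-login", redirectOf(formLogin("/spring/login").user("login", "ana").password("senha", "wrong")));
        assertNull(redirectOf(get("/spring/erro-login")));                     // ...which must not redirect again
        assertTrue(redirectOf(get("/spring/home")).endsWith("/spring/index")); // protected URLs still go to login
    }
}
```

Deleting the /spring/erro-login matcher makes the second assertion fail with a redirect to /spring/index, which is the loop this answer describes.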