我有弹簧安全的网络应用程序。现在我正在尝试强制用户更改过期的密码。
我的安全配置
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserService service;
CustomAuthenticationHandler customAuthenticationHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/s/**").permitAll()
.antMatchers("/changePassword").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.failureHandler(customAuthenticationHandler)
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.permitAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth
.authenticationProvider(authProvider());
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/s/**");
}
// Beans
@Bean
CustomAuthenticationHandler authenticationHandler() {
return new CustomAuthenticationHandler();
}
@Bean
public PasswordEncoder encoder() {
return new BCryptPasswordEncoder(11);
}
@Bean
public DaoAuthenticationProvider authProvider() {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(new UserDetailServiceImpl(service));
authProvider.setPasswordEncoder(encoder());
return authProvider;
}
}
我的CustomAuthenticationHandler:
public class CustomAuthenticationHandler extends SimpleUrlAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
// later do some logic here.. to handle CredentialsExpiredException
// for now all failure login should go to /changePassword
getRedirectStrategy().sendRedirect(request, response, "/changePassword");
}
}
我希望在登录失败后转到/ changePassword,但我仍然要/ login?错误。 你能用java配置建议这个任务的例子,或解释我做错了什么吗? 所有帮助表示赞赏
答案 0 :(得分:2)
我不知道这个解决方案有多好或多坏,但它对我有用
安全配置:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserService service;
CustomAuthenticationHandler customAuthenticationHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/s/**").permitAll()
.antMatchers("/changePassword").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.failureHandler(customAuthenticationHandler)
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.permitAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth
.authenticationProvider(authProvider());
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/s/**");
}
// Beans
@Bean
CustomAuthenticationHandler authenticationHandler() {
return new CustomAuthenticationHandler();
}
@Bean
public PasswordEncoder encoder() {
return new BCryptPasswordEncoder(11);
}
@Bean
public DaoAuthenticationProvider authProvider() {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(new UserDetailServiceImpl(service));
authProvider.setPasswordEncoder(encoder());
return authProvider;
}
}
我的CustomAuthenticationHandler:
@Component
public class CustomAuthenticationHandler extends SimpleUrlAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
setUseForward(true);
saveException(request, exception);
if (exception.getClass().equals(CredentialsExpiredException.class)){
setDefaultFailureUrl("/changePassword");
} else {
setDefaultFailureUrl("/login?error");
}
super.onAuthenticationFailure(request, response, exception);
}
}