Spring Security 4 - CredentialsExpiredException不重定向到重置密码 - XML配置

Question

我正在使用Spring-Security 4 XML配置在spring-mvc webapp中成功实现密码身份验证。

我遇到的问题是，当DaoAuthenticationProvider引发CredentialsExpiredException时，系统将重定向到登录窗体而不是重置密码。

我上下文的安全XML配置如下：

<?xml version="1.0" encoding="UTF-8"?> 
<b:beans xmlns="http://www.springframework.org/schema/security" 
xmlns:b="http://www.springframework.org/schema/beans" 
xmlns:p="http://www.springframework.org/schema/p" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.springframework.org/schema/beans  http://www.springframework.org/schema/beans/spring-beans.xsd 
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> 

<b:bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> 
    <b:constructor-arg value="/index/form" /> 
</b:bean> 

<http auto-config="true" use-expressions="true" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint" > 
    <intercept-url pattern="/" access="permitAll" requires-channel="https"/> 
    <intercept-url pattern="/index" access="permitAll" requires-channel="https"/> 
    <intercept-url pattern="/index/*" access="permitAll" requires-channel="https"/> 
    <intercept-url pattern="/**" access="hasAnyRole('USER','SYS_ADMIN')" requires-channel="https"/> 
    <form-login 
      login-page="/index/form" 
       default-target-url="/dashboard" 
       login-processing-url="/index" 
       username-parameter="username" 
       password-parameter="password" 
       authentication-failure-handler-ref="exceptionTranslationFilter" 
       always-use-default-target="true"/> 
    <logout logout-url="/logout" logout-success-url="/index/logout"/> 

    <session-management> 
     <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> 
    </session-management> 
</http> 

<!-- password expiry functionality starts --> 
<b:bean id="exceptionTranslationFilter" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler"> 
    <b:property name="exceptionMappings"> 
     <b:props> 
      <b:prop key="org.springframework.security.authentication.CredentialsExpiredException">/resetpassword</b:prop> 
     </b:props> 
    </b:property> 
    <b:property name="defaultFailureUrl" value="/index/error"/> 
</b:bean> 


<b:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager"> 
    <b:constructor-arg name="providers"> 
     <b:list> 
      <b:ref bean="daoAuthenticationProvider"/> 
     </b:list> 
    </b:constructor-arg> 
</b:bean> 

<b:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider "> 
    <b:property name="userDetailsService" ref="customUserDetailsService" /> 
    <b:property name="passwordEncoder" ref="passwordEncoder" /> 
</b:bean> 



<authentication-manager alias="authenticationManager"> 
    <authentication-provider user-service-ref="customUserDetailsService" /> 
    <authentication-provider ref="daoAuthenticationProvider" /> 
</authentication-manager> 


<b:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" > 
</b:bean> 

给出上述构造，当我输入正确的用户名和用户，其证书已过期的密码，我重定向到URL =“/指数/形式”

我已经跑了调试器（我使用Eclipse），并且代码执行如下（所有类都属于春季安全4）：

AbstractUserDetailsAuthenticationProvider.authenticate（）在执行postAuthenticationChecks.check（user）时抛出CredentialsExpiredException;

ExceptionMappingAuthenticationFailureHandler.onAuthenticationFailure（）获取URL为/resetpassword主叫getRedirectStrategy（）的sendRedirect（请求，响应URL）之前。

DefaultRedirectStrategy.sendRedirect（）获取重定向URL是 “/ MyApp的/ resetpassword”

上LoginUrlAuthenticationEntryPoint.commence（HttpServletRequest的请求，响应HttpServletResponse的，的AuthenticationException authException）将出现问题。因为useForward设置为false，所以它会调用redirectUrl = buildRedirectUrlToLoginPage（request，response，authException）;否则，调用redirectUrl = buildRedirectUrlToLoginPage。

redirectUrl最终成为“/ index/form”。

即使我为了覆盖determineUrlToUseForThisRequest我得到的AuthenticationException是型InsufficientAuthenticationException的设置useForward真和子类LoginUrlAuthenticationEntryPoint。

有趣的是，我浏览器上的网址是https://localhost:8443/myapp/resetpassword，但它显示的是登录表单。

你以前遇到过这个问题吗？如果是这样，你是如何得到春季重定向重置密码？

大多数我从https://stackoverflow.com/a/14383194/158499

感谢事先获得的配置，卢卡斯

Answer 1

<intercept-url pattern="/**" access="hasAnyRole('USER','SYS_ADMIN')" requires-channel="https"/> 

时重定向到/resetpassword将重定向到登录页面。请允许此网址无需身份验证即可访问。

<intercept-url pattern="/resetpassword" access="permitAll" requires-channel="https"/>