1. 首页
  2. 问答
  3. 春季安全:重定向URL擅自

春季安全:重定向URL擅自

2015-10-08 144 views
0 
@PreAuthorize("hasPermission(#id,'Integer','write')") 
    @RequestMapping(value="events/{id}/edit",method=RequestMethod.GET) 
    public String edit(Model model,@PathVariable("id") int id) { 
     model.addAttribute("event", eventService.getEvent(id)); 
     return "events/edit"; 
    }

安全配置春季安全:重定向URL擅自

public class SecurityConfig extends WebSecurityConfigurerAdapter{ 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http 
      .authorizeRequests() 
       .antMatchers(HttpMethod.GET, "/", "/index", "/register", "/regitrationConfirm", "/forgotPassword", "/accountRecovery", "/passwordReset", "/public/**").permitAll() 
       .antMatchers(HttpMethod.POST, "/register", "/accountRecovery","/passwordReset").permitAll() 
       .anyRequest().authenticated() 
       .and() 
      .formLogin() 
       .loginPage("/login") 
       .loginPage("/login?error") 
       .permitAll() 
       .failureHandler(authFailureHandler) 
       .and() 
      .rememberMe() 
       .tokenValiditySeconds(3600) 
       .key("rememberTracker") 
       .and() 
      .logout() 
       .permitAll() 
       .logoutUrl("/logout") 
       .logoutSuccessUrl("/") 
       .and() 
      .sessionManagement() 
       .maximumSessions(1) 
       .expiredUrl("/login?expired"); 

    } 
}

我想重定向或显示自定义页面的用户如果认证失败。有没有办法呢?

更新与春季安全代码。

感谢

来源

2015-10-08 Lokesh Cherukuri

+0

快,让你的春季安全配置 – AlbertoRuvel

回答

4

我更新你SecurityConfig添加failureUrlsuccessHandler

public class SecurityConfig extends WebSecurityConfigurerAdapter{ 
@Override 
protected void configure(HttpSecurity http) throws Exception { 
    http 
     .authorizeRequests() 
      .antMatchers(HttpMethod.GET, "/", "/index", "/register", "/regitrationConfirm", "/forgotPassword", "/accountRecovery", "/passwordReset", "/public/**").permitAll() 
      .antMatchers(HttpMethod.POST, "/register", "/accountRecovery","/passwordReset").permitAll() 
      .anyRequest().authenticated() 
      .and() 
     .formLogin() 
      .loginPage("/login") 
      .loginPage("/login?error") 
      .permitAll() 
      .failureUrl("/your-unsuccessful-authentication-url-here") 
      .successHandler(yourSuccesshandler) //create your success handler to redirect the user to different places depending on his role 
      //.failureHandler(authFailureHandler) I deleted this line, we just need a redirect 
      .and() 
     .rememberMe() 
      .tokenValiditySeconds(3600) 
      .key("rememberTracker") 
      .and() 
     .logout() 
      .permitAll() 
      .logoutUrl("/logout") 
      .logoutSuccessUrl("/") 
      .and() 
     .sessionManagement() 
      .maximumSessions(1) 
      .expiredUrl("/login?expired"); 

    } 
}

成功处理程序

public class SuccessAuthenticationHandler implements AuthenticationSuccessHandler{ 
public SuccessAuthenticationHandler(){ 

} 

@Override 
public void onAuthenticationSuccess(HttpServletRequest request, 
     HttpServletResponse response, Authentication auth) throws  IOException, ServletException { 
    HttpSession session = request.getSession(); 
    User user = (User)SecurityContextHolder.getContext().getAuthentication().getPrincipal(); 
    String redirect = ""; 
    if(user != null){ 
     session.setAttribute("username", user.getUsername()); 
     if(user.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_ADMIN")) 
       || user.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_SUPER_ADMIN"))) 
      redirect = "admin/"; 
     else if(user.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_YOUR_ROLE"))) 
      redirect = "yourrole/"; 
    } 
    if(redirect.isEmpty()) 
     redirect = "signin"; 

    response.sendRedirect(redirect); 
} 

}

来源

2015-10-08 01:36:25 AlbertoRuvel

+0

广东话我指定基于授权异常的用户重定向。例如拒绝访问异常 –

+1

您可以简单地使用您的AuthenticationFailureHandler,** onAuthenticationFailure **具有AuthenticationException有一个参数 – AlbertoRuvel

+0

好吧,我应该检查发生的异常的类型,并采取相应的行动。我有一个扩展SimpleUrlAuthenticationFailureHandler的类。我想我可以在那里做到这一点 –

相关问题

 相关问题