3

我有一个使用 JSF 的 Web 应用程序,并且 Spring 安全性用于登录和授权。

例如,当用户在特定页面中键入并且他没有登录时,localhost:8080/APP/page.xhtml应用程序会重定向到登录页面,这是可以的。之后,用户登录,但他被重定向到的页面是index.xhtml默认欢迎页面,而不是page.xhtml.

我想要以下行为:用户转到localhost:8080/APP/page.xhtml,他被重定向到登录,之后他应该被重定向到他想要的页面 - page.xhtml

编辑- spring-security.xml的片段:

 <security:http auto-config="true">
    <security:intercept-url pattern="/javax.faces.resource/*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/login.xhtml" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

    <security:intercept-url pattern="/**" access="ROLE_UNALLOCATED, ROLE_MANAGER"/>
    <security:intercept-url pattern="/pages/management/" access="ROLE_MANAGER"/>
    <security:intercept-url pattern="/pages/requests/" access="ROLE_UNALLOCATED, ROLE_EMPLOYEE, ROLE_TEAM_LEADER, ROLE_MANAGER"/>

    <security:form-login login-page="/login.xhtml" 
                          />
    <security:logout logout-url="/j_spring_security_logout"
            logout-success-url="/login.xhtml"
            invalidate-session="true"/>
</security:http>

有任何想法吗?谢谢

编辑:

我以为是因为:

 <!-- Welcome page -->
<welcome-file-list>
    <welcome-file>/index.xhtml</welcome-file>
</welcome-file-list>

来自 web.xml。我删除了它,但结果相同。

后期编辑:

我刚刚注意到我的自定义 loginController 中有一行,之后if (authenticationResponseToken.isAuthenticated())几乎可以肯定是问题的根源:

登录控制器:

@ManagedBean(name = "loginController")
@SessionScoped
@Controller
public class LoginController implements Serializable {
private static final long serialVersionUID = 1L;

@Autowired
IUserService userService;

@Autowired
@Qualifier("authenticationManager")
protected AuthenticationManager authenticationManager;

// save the current user after login to be able to inject it in other places
// as needed
private User currentUser;

/**
 * This action logs the user in and returns to the secure area.
 * 
 * @return String path to secure area
 */
public String loginUsingSpringAuthenticationManager() {
    // get backing bean for simple redirect form
    LoginFormBackingBean loginFormBean = (LoginFormBackingBean) FacesUtils
            .getBackingBean("loginFormBean");

    // simple token holder
    Authentication authenticationRequestToken = createAuthenticationToken(loginFormBean);

    // authentication action
    try {
        Authentication authenticationResponseToken = authenticationManager
                .authenticate(authenticationRequestToken);

        Authentication authCopy = null;
        final Object principal = authenticationResponseToken.getPrincipal();
        if (principal instanceof LdapUserDetailsImpl) {
            LdapUserDetailsImpl userImpl = (LdapUserDetailsImpl) principal;
            userImpl.getUsername();

            // here check if we already have a User with his DN in the DB
            // get the User by DN
            User u = userService.getUserByDn(userImpl.getDn());

            // if a user with this DN does not exist in the DB, create a new
            // one with the DN from LDAP and the default settings for a new
            // user
            if (null == u) {
                u = userService.createNewUserFromDn(userImpl.getDn(),
                        userImpl.getUsername());
            }
            // set the obtained user as the current user
            setCurrentUser(u);
            List<GrantedAuthority> grAuth = new ArrayList<GrantedAuthority>();
            // after this, do the role authority stuff
            // here loop through user roles if he has more and
            if (null != u.getUserTeamRoles()) {
                for (UserTeamRole urt : u.getUserTeamRoles()) {
                    // here get role for every UserTeamRole
                    grAuth.add(new SimpleGrantedAuthority(urt.getRole()
                            .getName()));
                }
            }

            // add the above found roles to the granted authorities of the
            // current authentication
            authCopy = new UsernamePasswordAuthenticationToken(
                    authenticationResponseToken.getPrincipal(),
                    authenticationResponseToken.getCredentials(), grAuth);
        }

        SecurityContextHolder.getContext().setAuthentication(authCopy);
        // ok, test if authenticated, if yes reroute
        if (authenticationResponseToken.isAuthenticated()) {
            // lookup authentication success url, or find redirect parameter
            // from login bean
            return "index.xhtml?faces-redirect=true";
        }
    } catch (BadCredentialsException badCredentialsException) {
        // FacesMessage facesMessage = new FacesMessage(
        // "Login Failed: please check your username/password and try again.");
        // FacesContext.getCurrentInstance().addMessage(null, facesMessage);
        FacesContext.getCurrentInstance().addMessage(
                null,
                new FacesMessage(FacesMessage.SEVERITY_ERROR,
                        "Sample error message",
                        "Login Failed! Please check your credentials"));
    } catch (LockedException lockedException) {
        FacesMessage facesMessage = new FacesMessage(
                "Account Locked: please contact your administrator.");
        FacesContext.getCurrentInstance().addMessage(null, facesMessage);
    } catch (DisabledException disabledException) {
        FacesMessage facesMessage = new FacesMessage(
                "Account Disabled: please contact your administrator.");
        FacesContext.getCurrentInstance().addMessage(null, facesMessage);
    }

    return null;
}

private Authentication createAuthenticationToken(
        LoginFormBackingBean loginFormBean) {
    UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
            loginFormBean.getUserName(), loginFormBean.getPassword());
    return usernamePasswordAuthenticationToken;
}

如何重定向到我需要的页面?我有一个包含用户名和密码的 loginBean,我可以添加一个 redirectUrl 但如何找到以前的 url 路径?

4

4 回答 4

5

Spring Security通过使用 SavedRequestAwareAuthenticationSuccessHandler(它在后台使用 HttpSessionRequestCache )在 AbstractAuthenticationProcessingFilter 中为您实现此逻辑(通常使用 UsernamePasswordAuthenticationFilter 的具体实现)。由于您已经编写了一个控制器来进行身份验证(而不是使用内置支持),因此您需要自己实现此逻辑。您可以重用 Spring Security 所做的相同类,而不是自己实现所有逻辑。

例如,您的 LoginController 可能会更新如下:

public class LoginController implements Serializable {
    // ... same as before ...
    private RequestCache requestCache = new HttpSessionRequestCache();

    public String loginUsingSpringAuthenticationManager() {
        // ... just as you had been doing ...

        if (authenticationResponseToken.isAuthenticated()) {
            HttpServletRequest request = (HttpServletRequest)         
              FacesContext.getCurrentInstance().getExternalContext().getRequest();
            HttpServletResponse response = (HttpServletResponse)         
              FacesContext.getCurrentInstance().getExternalContext().getResponse();

            SavedRequest savedRequest = requestCache.getRequest(request, response);

            return savedRequest.getRedirectUrl();
        }

        // ... same as you had ...
   }
}
于 2013-01-25T16:26:58.417 回答
1

默认情况下,如果default-target-url未定义 Spring Security 会尝试重定向到以前的 url,因此您只需从标签中删除default-target-url属性。form-login

<security:form-login login-page="/login.xhtml" />

更新

如果您的过滤器链中有ExceptionTranslationFilter,那么它应该缓存 HTTP 请求。因此,在您的自定义 loginController 中,您可以尝试从此缓存请求中获取重定向 url。

RequestCache requestCache = new HttpSessionRequestCache();
SavedRequest savedRequest = requestCache.getRequest(request, response);
String targetUrl = savedRequest.getRedirectUrl();

要将请求注入您的控制器,请尝试:

private @Autowired HttpServletRequest request;

或者

HttpServletRequest curRequest = ((ServletRequestAttributes) 
           RequestContextHolder.currentRequestAttributes()) .getRequest();
于 2013-01-22T11:01:32.840 回答
0

改变

<security:form-login login-page="/login.xhtml" 
                         default-target-url="/index.xhtml" />


<security:form-login login-page="/login.xhtml" 
                         default-target-url="/page.xhtml" />
于 2013-01-22T10:51:01.440 回答
0

要获得您描述的行为,您应该在 web.xml 中添加一个 spring 安全过滤器,如下所示:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
</filter-mapping>

并且可能您还必须编辑您的 spring-secruity.xml。有关更多信息,请参阅此链接:Spring Security with DelegatingFilterProxy

检查此讨论,它看起来与您的问题相似,可能对您有所帮助:http: //forum.springsource.org/showthread.php?128480 -Redirecting-to-original-(unauthenticated-page)-after-spring-安全-openid-真实的

于 2013-01-24T14:01:02.797 回答