1

Currently my spring-security.xml looks like this:

<global-method-security pre-post-annotations="enabled" />

    <http pattern="/login" security="none"/>
    <http pattern="/assets/**" security="none"/>

    <http auto-config="false" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true">
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
        <intercept-url pattern="/tadmin/**" access="ROLE_TENANT_ADMIN"/>
        <form-login login-page="/login" authentication-success-handler-ref="authenticationSuccessHandler" authentication-failure-url="/login?error"/>
        <logout logout-url="/logout" logout-success-url="/login"/>
        <remember-me/>
    </http>

    <beans:bean id="authenticationSuccessHandler" class="com.dj.LoginSuccessHandler">
        <beans:property name="useReferer" value="true"/>
    </beans:bean>

    <beans:bean id="authenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login" />
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <!-- <password-encoder hash="md5"/> -->
            <user-service>
                <user name="user" password="123" authorities="ROLE_USER"/>
                <user name="admin" password="123" authorities="ROLE_ADMIN,ROLE_USER"/>
                <user name="tadmin" password="123" authorities="ROLE_TENANT_ADMIN,ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

My custom AuthenticationSuccessHandler:

package com.dj;

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

import com.dj.UserRole;

public class LoginSuccessHandler extends
    SavedRequestAwareAuthenticationSuccessHandler {
    // getters and setters for injected services

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
        HttpServletResponse response, Authentication authentication) {

    try {
        String redirectUrl = "/login";
        if (hasRole(authentication, UserRole.ROLE_ADMIN)) {
        redirectUrl = "/app/admin/secure";
        } else if (hasRole(authentication, UserRole.ROLE_TENANT_ADMIN)) {
        redirectUrl = "/app/tadmin/secure";
        } else if (hasRole(authentication, UserRole.ROLE_USER)) {
        redirectUrl = "/app/USER/";
        }
        response.sendRedirect(redirectUrl);
    } catch (IOException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    }

    /**
     * Check if a role is present in the authorities of current user
     * 
     * @param authorities
     *            all authorities assigned to current user
     * @param role
     *            required authority
     * @return true if role is present in list of authorities assigned to
     *         current user, false otherwise
     */
    private boolean hasRole(Authentication auth, UserRole role) {
    boolean hasRole = false;
    for (GrantedAuthority grantedAuthority : auth.getAuthorities()) {
        hasRole = grantedAuthority.getAuthority().equals(role.name());
        if (hasRole)
        break;
    }
    return hasRole;
    }
}

When I try to log in i can see by intercepting network traffic:

  1. A POST from my custom login form sending username,password,remember me to j_spring_security_check
  2. A GET from the app/admin/secure page

However, I am never getting redirected to the correct page given the type of user that has just been logged in, stuck forever on the login page.

When entering the redirect url manually everything works fine and I am logged in properly. Seems to me security is set up properly, however the redirecting is just not working.

Any help on this matter would be appreciated.

4

1 回答 1

1

您的intercept-url声明顺序错误。你需要把最具体的放在第一位。你/**在顶部,所以它总是匹配的。它应该是列表中的最后一个。

您应该能够在调试日志中跟踪成功登录和随后的拒绝访问异常。

于 2013-05-03T23:11:03.567 回答