0

我遇到了 spring security 的问题SwitchUserFilter。当我以 ADMIN 角色登录时,我可以切换用户并再次返回。问题是第二次切换用户时,我似乎无法切换回来。当我直接在浏览器中转到 /secured/switch/back 时,这会显示在我的日志中。

[FilterChainProxy] : /secured/admin at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
...
[AbstractSecurityInterceptor] : Secure object: FilterInvocation: URL: /secured/admin; Attributes: [hasRole('ADMIN')]
[AbstractSecurityInterceptor] : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@99f3cebe: Principal: harry [OTHER]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 756CEC9064C2B1B4D788624786F26137; Granted Authorities: OTHER, Switch User Authority [ROLE_PREVIOUS_ADMINISTRATOR,org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6b846d6c: Principal: max [ADMIN]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 26B09EEF635C1758BE96B86AB6354434; Granted Authorities: ADMIN]
[AffirmativeBased] : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3e35ec54, returned: -1
[ExceptionTranslationFilter] : Access is denied (user is not anonymous); delegating to AccessDeniedHandler

通常,当用户使用配置的/secured/switch/backurl 切换回来时,FilterChainProxy开始过滤对 url /secured/switch/back的请求。但是,第二次 url 更改为/secured/admin并且权限被拒绝。

有人知道这里可能发生了什么吗?

我有以下配置。

<beans:bean id="switchUserProcessingFilter" 
    class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">

    <beans:property name="userDetailsService" ref="org.example.CustomUserDetailsService"/>
    <beans:property name="switchUserUrl" value="/secured/admin/switch/user" />
    <beans:property name="exitUserUrl" value="/secured/switch/back" />
    <beans:property name="usernameParameter" value="username" />
    <beans:property name="successHandler" ref="RedirectingAuthenticationSuccessHandler" />
</beans:bean>

<beans:bean id="authenticationSuccessHandler" class="org.example.RedirectingAuthenticationSuccessHandler" />

<http use-expressions="true" access-denied-page="/secured/access/denied" >
    <custom-filter ref="switchUserProcessingFilter" position="SWITCH_USER_FILTER" />

    <intercept-url pattern="/secured/login" access="permitAll()" />
    <intercept-url pattern="/secured/login/auth" access="permitAll()" />
    <intercept-url pattern="/secured/switch/back" access="hasAnyRole('ADMIN', 'OTHER')" />
    <intercept-url pattern="/secured/admin/**" access="hasRole('ADMIN')" />
    <intercept-url pattern="/secured/other/**" access="hasRole('OTHER')" />

    <form-login
            login-page='/secured/login'
            login-processing-url="/secured/login/auth"
            authentication-success-handler-ref="authenticationSuccessHandler"
            username-parameter="username"
            password-parameter="password"
            />

    <logout logout-url="/secured/logout" logout-success-url="/secured/login" />

和成功处理程序

public class RedirectingAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    private static final Logger logger = LoggerFactory.getLogger(RedirectingAuthenticationSuccessHandler.class);

    private static final RoleBasedRedirectStrategy redirectHandler = new RoleBasedRedirectStrategy();

    /*
     *  Redirect request based on user role.
     *
     *  For example:
     *      Role ADMIN redirects to /secured/admin
     *      Role OTHER redirects to /secured/other
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
        User user = (User) authentication.getPrincipal();
        logger.info("Authentication successful for {}", user);
        redirectHandler.handleRedirect(request, response, user);
    }
}
4

1 回答 1

1

从问题评论中提取:

您确定您redirectHandler 没有发送永久重定向 (301) 吗?

永久重定向可以被客户端缓存。因此,可能没有实际的第二个请求/secured/switch/back,它直接转到先前解析的成功 URL /secured/admin(这将导致访问被拒绝(403),因为您仍然登录为OTHER)。

顺便说一句,有发送临时(302)重定向的方法(也被 Spring 的DefaultRedirectStrategy使用):

response.sendRedirect(targetUrl);
于 2013-10-06T09:57:04.400 回答