java - Redirect users with expired passwords to the change-password page

Tags: java spring spring-security

I have a web application with Spring Security. Now I am trying to force users to change expired passwords.

My security config

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserService service;
    CustomAuthenticationHandler customAuthenticationHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
            .antMatchers("/s/**").permitAll()
            // open to unauthenticated users, since a failed login leaves no authentication
            .antMatchers("/changePassword").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .permitAll()
            .failureHandler(customAuthenticationHandler)
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
        .authenticationProvider(authProvider());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // static resources bypass the security filter chain entirely
        web.ignoring().antMatchers("/s/**");
    }

    // Beans    

    @Bean
    CustomAuthenticationHandler authenticationHandler() {
        return new CustomAuthenticationHandler();
    }

    @Bean
    public PasswordEncoder encoder() {
        // BCrypt with cost factor 11
        return new BCryptPasswordEncoder(11);
    }

    @Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(new UserDetailServiceImpl(service));
        authProvider.setPasswordEncoder(encoder());
        return authProvider;
    }
}

My custom authentication handler:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

public class CustomAuthenticationHandler extends SimpleUrlAuthenticationFailureHandler implements AuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {

        // later do some logic here.. to handle CredentialsExpiredException 
        // for now all failure login should go to /changePassword
        getRedirectStrategy().sendRedirect(request, response, "/changePassword");

    }
}

I want to go to /changePassword after a failed login, but I still land on /login?error. Could you suggest an example that does this with Java config, or explain what I am doing wrong? Thanks for any help.
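Neither post shows where the CredentialsExpiredException that the answer later tests for actually comes from. DaoAuthenticationProvider raises it from its post-authentication check, that is, only after the submitted password has matched, and only when the UserDetails returned by the UserDetailsService reports isCredentialsNonExpired() == false. The block below is an added example, not code from the question: a UserDetailServiceImpl that derives that flag from a password-change timestamp. The UserService interface, the Account class, the 90-day policy and the ROLE_USER authority are assumptions, since the page shows none of them.

```java
import java.time.Duration;
import java.time.Instant;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Hypothetical shape of the page's UserService: the question only shows it being
 * injected, so this interface and the Account class are assumptions for the example.
 */
interface UserService {
    Account findByUsername(String username); // null when no such user
}

final class Account {
    final String username;
    final String passwordHash;       // BCrypt hash produced by the PasswordEncoder bean
    final Instant passwordChangedAt; // null means "never set" and is treated as expired
    final boolean enabled;

    Account(String username, String passwordHash, Instant passwordChangedAt, boolean enabled) {
        this.username = username;
        this.passwordHash = passwordHash;
        this.passwordChangedAt = passwordChangedAt;
        this.enabled = enabled;
    }
}

public class UserDetailServiceImpl implements UserDetailsService {

    // Assumed policy: passwords older than 90 days must be changed.
    static final Duration MAX_PASSWORD_AGE = Duration.ofDays(90);

    private final UserService service;

    public UserDetailServiceImpl(UserService service) {
        this.service = service;
    }

    /** True when the password is older than MAX_PASSWORD_AGE or has no change date. */
    static boolean passwordExpired(Instant changedAt, Instant now) {
        return changedAt == null || changedAt.plus(MAX_PASSWORD_AGE).isBefore(now);
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Account account = service.findByUsername(username);
        if (account == null) {
            // DaoAuthenticationProvider hides this as BadCredentialsException by default,
            // so "unknown user" and "wrong password" look the same to the client.
            throw new UsernameNotFoundException("user not found");
        }
        boolean credentialsNonExpired = !passwordExpired(account.passwordChangedAt, Instant.now());
        // Constructor order: username, password, enabled, accountNonExpired,
        // credentialsNonExpired, accountNonLocked, authorities.
        return new User(account.username, account.passwordHash, account.enabled,
                true, credentialsNonExpired, true,
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}
```

Because the expiry flag is checked after the password comparison, a CredentialsExpiredException always means the caller knew the current password; a wrong password on an expired account still produces BadCredentialsException, so the failure handler never sends guessers to /changePassword.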

Accepted answer

I don't know how good or bad this solution is, but it works for me.

Security config:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserService service;

    // Injected by type: CustomAuthenticationHandler is a @Component, so no @Bean
    // factory for it is needed in this class.
    @Autowired
    CustomAuthenticationHandler customAuthenticationHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
            .antMatchers("/s/**").permitAll()
            // open to unauthenticated users, since a failed login leaves no authentication
            .antMatchers("/changePassword").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .permitAll()
            .failureHandler(customAuthenticationHandler)
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
        .authenticationProvider(authProvider());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // static resources bypass the security filter chain entirely
        web.ignoring().antMatchers("/s/**");
    }

    // Beans    

    @Bean
    public PasswordEncoder encoder() {
        // BCrypt with cost factor 11
        return new BCryptPasswordEncoder(11);
    }

    @Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(new UserDetailServiceImpl(service));
        authProvider.setPasswordEncoder(encoder());
        return authProvider;
    }
}

My custom AuthenticationHandler:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationHandler extends SimpleUrlAuthenticationFailureHandler implements AuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
        // Forward instead of redirect: the login POST, including its form parameters,
        // is dispatched server-side to the failure URL, and the exception is stored as
        // a request attribute rather than in the session.
        setUseForward(true);
        saveException(request, exception);
        // Note: these setters change the state of this singleton bean for every
        // request, so two concurrent failures can observe each other's target URL.
        if (exception.getClass().equals(CredentialsExpiredException.class)){
            setDefaultFailureUrl("/changePassword");                  
        } else {
            setDefaultFailureUrl("/login?error");
        }
        super.onAuthenticationFailure(request, response, exception);
    }

}
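Two things the accepted answer leaves implicit. First, the handler has to reach the filter at all: in the question's SecurityConfig only `service` carries `@Autowired`, so `customAuthenticationHandler` is null, and `failureHandler(null)` leaves Spring Security's default failure URL of `/login?error`, which is exactly what the question observed. Second, `/changePassword` is `permitAll()` and whoever lands there is not authenticated (the login attempt failed), so the page itself must prove who is changing the password. The block below is an added example, not the answer's code: a failure handler that chooses the target per request instead of mutating the shared singleton's default URL, plus a change-password endpoint that re-verifies the old password with the page's PasswordEncoder before accepting a new one. The PasswordStore interface, the session attribute name and the `?error` redirect targets are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

/** Hypothetical persistence API; the page's UserService does not show these calls. */
interface PasswordStore {
    String hashFor(String username);                       // null when the user does not exist
    void updatePassword(String username, String newHash); // also resets the change timestamp
}

@Component
public class ExpiredPasswordFailureHandler implements AuthenticationFailureHandler {

    // Session key (assumed name) recording who is allowed to use /changePassword.
    static final String EXPIRED_USERNAME_ATTR = "PASSWORD_EXPIRED_USERNAME";

    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        HttpSession session = request.getSession();
        // Same attribute SimpleUrlAuthenticationFailureHandler uses on redirect, so the
        // login view can still show the failure reason.
        session.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);

        if (exception instanceof CredentialsExpiredException) {
            // DaoAuthenticationProvider raises this only after the submitted password
            // matched, so the caller proved knowledge of the current password. Keep the
            // username only, never the password; the change page re-checks it anyway.
            session.setAttribute(EXPIRED_USERNAME_ATTR, request.getParameter("username"));
            redirectStrategy.sendRedirect(request, response, "/changePassword");
            return;
        }
        session.removeAttribute(EXPIRED_USERNAME_ATTR);
        redirectStrategy.sendRedirect(request, response, "/login?error");
    }
}

@Controller
class ChangePasswordController {

    private final PasswordStore store;
    private final PasswordEncoder encoder; // the BCryptPasswordEncoder bean from SecurityConfig

    ChangePasswordController(PasswordStore store, PasswordEncoder encoder) {
        this.store = store;
        this.encoder = encoder;
    }

    @PostMapping("/changePassword")
    public String changePassword(@RequestParam String oldPassword,
                                 @RequestParam String newPassword,
                                 HttpSession session) {
        String username = (String) session.getAttribute(
                ExpiredPasswordFailureHandler.EXPIRED_USERNAME_ATTR);
        String currentHash = (username == null) ? null : store.hashFor(username);
        // The endpoint is permitAll and the caller is not authenticated, so the old
        // password is the only thing binding this request to the account.
        if (currentHash == null || !encoder.matches(oldPassword, currentHash)) {
            return "redirect:/changePassword?error";
        }
        if (encoder.matches(newPassword, currentHash)) {
            return "redirect:/changePassword?error"; // re-using the expired password is not a change
        }
        store.updatePassword(username, encoder.encode(newPassword));
        session.removeAttribute(ExpiredPasswordFailureHandler.EXPIRED_USERNAME_ATTR);
        return "redirect:/login";
    }
}
```

The redirect gives /changePassword a clean GET; the answer's `setUseForward(true)` instead forwards the original login POST, parameters included, so the target controller must accept POST. Note also that the Spring Security filter chain only inspects REQUEST dispatches by default, so a forwarded `/changePassword` would be reachable even without the `permitAll()` rule, whereas the redirect above goes back through the chain and does need it. The `permitAll()` on `/s/**` is redundant with `web.ignoring()`, which removes those paths from the chain altogether.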

For java - Redirect users with expired passwords to the change-password page, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/46806761/
