目前我的 spring-security.xml 如下所示:
<global-method-security pre-post-annotations="enabled" />
<http pattern="/login" security="none"/>
<http pattern="/assets/**" security="none"/>
<http auto-config="false" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true">
<intercept-url pattern="/**" access="ROLE_USER"/>
<intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
<intercept-url pattern="/tadmin/**" access="ROLE_TENANT_ADMIN"/>
<form-login login-page="/login" authentication-success-handler-ref="authenticationSuccessHandler" authentication-failure-url="/login?error"/>
<logout logout-url="/logout" logout-success-url="/login"/>
<remember-me/>
</http>
<beans:bean id="authenticationSuccessHandler" class="com.dj.LoginSuccessHandler">
<beans:property name="useReferer" value="true"/>
</beans:bean>
<beans:bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<!-- <password-encoder hash="md5"/> -->
<user-service>
<user name="user" password="123" authorities="ROLE_USER"/>
<user name="admin" password="123" authorities="ROLE_ADMIN,ROLE_USER"/>
<user name="tadmin" password="123" authorities="ROLE_TENANT_ADMIN,ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
我的自定义 AuthenticationSuccessHandler:
package com.dj;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import com.dj.UserRole;
public class LoginSuccessHandler extends
SavedRequestAwareAuthenticationSuccessHandler {
// getters and setters for injected services
@Override
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication authentication) {
try {
String redirectUrl = "/login";
if (hasRole(authentication, UserRole.ROLE_ADMIN)) {
redirectUrl = "/app/admin/secure";
} else if (hasRole(authentication, UserRole.ROLE_TENANT_ADMIN)) {
redirectUrl = "/app/tadmin/secure";
} else if (hasRole(authentication, UserRole.ROLE_USER)) {
redirectUrl = "/app/USER/";
}
response.sendRedirect(redirectUrl);
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
/**
* Check if a role is present in the authorities of current user
*
* @param authorities
* all authorities assigned to current user
* @param role
* required authority
* @return true if role is present in list of authorities assigned to
* current user, false otherwise
*/
private boolean hasRole(Authentication auth, UserRole role) {
boolean hasRole = false;
for (GrantedAuthority grantedAuthority : auth.getAuthorities()) {
hasRole = grantedAuthority.getAuthority().equals(role.name());
if (hasRole)
break;
}
return hasRole;
}
}
当我尝试登录时,我可以通过拦截网络流量看到:
- 来 self 的自定义登录表单的帖子,发送用户名、密码,请记住我
j_spring_security_check - 来自 app/admin/secure 页面的 GET
但是,鉴于刚刚登录的用户类型,我永远不会被重定向到正确的页面,永远停留在登录页面上。
手动输入重定向网址时,一切正常,并且我已正确登录。 在我看来,安全设置正确,但重定向不起作用。
任何有关此事的帮助将不胜感激。
最佳答案
您的 intercept-url 声明的顺序错误。您需要将最具体的放在第一位。顶部有 /**,因此始终匹配。它应该是列表中的最后一个。
您应该能够在调试日志中跟踪成功登录和随后的拒绝访问异常。
关于java - Spring security + sendRedirect 不起作用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/16363378/