我正在尝试配置 spring security 3,以便当用户被迫再次登录时(例如,当 session 超时时),用户将被带回他们在授权过程开始之前所在的页面。
我正在使用 SavedRequestAwareAuthenticationSuccessHandler但原始请求似乎没有保存在缓存中。
下面是我的安全配置。
<security:http auto-config="false"
use-expressions="true"
access-denied-page="/views/auth/login?error=true"
entry-point-ref="authenticationEntryPoint" >
<security:intercept-url pattern="/*" access="hasRole('ROLE_USER')" />
<security:intercept-url pattern="/views/*" access="hasRole('ROLE_USER')" />
<security:intercept-url pattern="/data/*" access="hasRole('ROLE_USER')" />
<security:intercept-url pattern="/auth/*" access="permitAll" />
<security:logout invalidate-session="true" logout-success-url="/views/auth/login" logout-url="/views/auth/logout" />
<security:session-management invalid-session-url="/views/auth/login" >
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</security:session-management>
<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
</security:http>
<security:authentication-manager />
<bean id="authenticationFilter" class="com.security.web.filter.UsernamePasswordAuthenticationFilter">
<property name="allowSessionCreation" value="true" />
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationFailureHandler" ref="aAuthenticationFailureHandler" />
<property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
</bean>
<bean id="authenticationManager" class="com.security.web.manager.AuthenticationManager" />
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" >
<property name="loginFormUrl" value="/views/auth/login"/>
</bean>
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/views/auth/login?error=true"/>
</bean>
<bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/views"/>
</bean>
任何帮助,将不胜感激。
最佳答案
我知道这个问题很老,但我想记录我为其他人找到的东西。
简答
问题是,如果您在 上使用 invalid-session-url < session 管理> 标签,那么原始请求将不会保存在缓存中。
解释
这是在 spring 源论坛上讨论的:
http://forum.springsource.org/showthread.php?89352-requestCache-null-when-using-session-management-gt-invalid-session-url
在上面的论坛中,安全团队的高级成员卢克泰勒说:
The invalid-session-url implies that the previous session has expired and the user should start again. There's no connection with the RequestCache which is used for restoring a request after a user has logged in.
和
When a session expires you can't know that it is safe to continue with the requested URL as some required state may have been lost along with the session. It may be OK in your particular case, but it's not a safe assumption in general.
关于spring-security - Spring Security 3 SavedRequestAwareAuthenticationSuccessHandler 不保存原始请求,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/8418700/