rest不工作的spring boot安全自定义successhandler

scyqe7ek  于 2021-09-29  发布在  Java
关注(0)|答案(1)|浏览(303)

我不确定我的问题是否正确。。
也许我一直在寻找有关spring security的信息,我希望您不会很难回答。
问题是,我的登录页面使用Spring Security 。登录页面就在公共模板文件夹中。我没有为它创建一个单独的控制器来返回视图页面(为它创建一个控制器来返回视图登录页面是否正确?)。在任何情况下,即使没有这个页面视图控制器,我的代码也可以工作。但只有我的自定义successhandler不起作用(登录后,它会按角色进行检查并重定向到另一个页面)。我是否应该使用不同的方法按角色重定向到相应的页面(我的意思是,如果登录后管理员角色被重定向到admin panel.html)
我的安全

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class CustomWebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserServiceImpl userServiceImpl;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and()
                .authorizeRequests()
                .antMatchers("/", "/templates/sign-up.html").permitAll()
                .antMatchers("/api/users", "/api/users/login").permitAll()
                .antMatchers("/templates/admin-panel.html").hasRole("ADMIN")
                .antMatchers("/all-users").hasRole("ADMIN")
                .antMatchers("/news").hasRole("USER")
        .anyRequest().authenticated()
            .and()
                .formLogin()
                .loginPage("/templates/login.html")
                .defaultSuccessUrl("/")
                .permitAll()
                .successHandler(myAuthenticationSuccessHandler())
                .and()
                .logout()
                .permitAll()
                .logoutSuccessUrl("/index.html");

        http.csrf().disable();
    }
    @Override
    public void configure(WebSecurity web) {
        web
                .ignoring()
                .antMatchers("/css/**")
                .antMatchers("/js/**")
                .antMatchers("/static/**")
                .antMatchers("/resources/**");
    }

    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userServiceImpl).passwordEncoder(bCryptPasswordEncoder());
    }

    @Bean
    public AuthenticationSuccessHandler myAuthenticationSuccessHandler(){
        return new CustomAuthenticationSuccessHandler();
    }
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }

我的自定义成功处理程序

public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
    protected final Log logger = LogFactory.getLog(this.getClass());

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public CustomAuthenticationSuccessHandler() {
        super();
    }

    // API

    @Override
    public void onAuthenticationSuccess(final HttpServletRequest request, final HttpServletResponse response, final Authentication authentication) throws IOException {
        handle(request, response, authentication);
        clearAuthenticationAttributes(request);
    }

    // IMPL

    protected void handle(final HttpServletRequest request, final HttpServletResponse response, final Authentication authentication) throws IOException {
        final String targetUrl = determineTargetUrl(authentication);

        if (response.isCommitted()) {
            logger.debug("Response has already been committed. Unable to redirect to " + targetUrl);
            return;
        }

        redirectStrategy.sendRedirect(request, response, targetUrl);
    }

    protected String determineTargetUrl(final Authentication authentication) {

        Map<String, String> roleTargetUrlMap = new HashMap<>();
        roleTargetUrlMap.put("ROLE_USER", "/index.html");
        roleTargetUrlMap.put("ROLE_ADMIN", "/templates/admin-panel.html");

        final Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        for (final GrantedAuthority grantedAuthority : authorities) {

            String authorityName = grantedAuthority.getAuthority();
            if(roleTargetUrlMap.containsKey(authorityName)) {
                return roleTargetUrlMap.get(authorityName);
            }
        }

        throw new IllegalStateException();
    }

    /**
     * Removes temporary authentication-related data which may have been stored in the session
     * during the authentication process.
     */
    protected final void clearAuthenticationAttributes(final HttpServletRequest request) {
        final HttpSession session = request.getSession(false);

        if (session == null) {
            return;
        }

        session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
    }
}

我的控制器

@CrossOrigin
    @RestController
    @RequestMapping("/api/users")
    public class UserController {

        private final UserServiceImpl userService;
        private AuthenticationManager authenticationManager;
        public UserController(UserServiceImpl userService, AuthenticationManager authenticationManager) {
            this.userService = userService;
            this.authenticationManager = authenticationManager;
        }

        @PostMapping
        public ResponseEntity<?> register(@RequestBody UserDTO user) {
          try {
              userService.register(user);
              return new ResponseEntity<>("User added", HttpStatus.OK);
          } catch (Exception e) {
              return new ResponseEntity<>(e, HttpStatus.BAD_REQUEST);
          }
        }

        @PostMapping(value = "/login")
        public ResponseEntity<?> login(@RequestBody UserDTO user, HttpServletResponse response) {
            try {
                Authentication authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword()));
                boolean isAuthenticated = isAuthenticated(authentication);
                if (isAuthenticated) {
                    SecurityContextHolder.getContext().setAuthentication(authentication);
    //                response.sendRedirect("/templates/admin-panel.html");
   //                my pathetic attempt to create a redirect to another page
                }
                return new ResponseEntity<>("user authenticated", HttpStatus.OK);
            } catch (Exception e) {
                return new ResponseEntity<>(e, HttpStatus.FORBIDDEN);
            }
        }
        private boolean isAuthenticated(Authentication authentication) {
            return authentication != null && !(authentication instanceof AnonymousAuthenticationToken) && authentication.isAuthenticated();
        }

我的静态文件在此处输入图像描述

disho6za

disho6za1#

我猜,由于您没有发布登录页面本身:
你不需要一个控制器来监听 POST /login 这通常由spring security自动注册所有与安全相关的身份验证内容。你不必像以前那样一个人尝试 UserController.login() . 我想通过重新设置这个端点,您可以覆盖/停用常规的spring安全行为。
通常,您只需要一个登录页面,其中的表单可以正确地发布到/login。后端端的处理由spring security本身完成。
看见https://spring.io/guides/gs/securing-web/ 用于最小的虫蛀设置。

相关问题