Spring Security Spring Authorization Server在使用filter时不会重定向回授权代码授予

ldioqlga 于 11个月前发布在 Spring

关注(0)|答案(1)|浏览(114)

我想用验证码来保护我的登录，因此我为身份验证过程配置了一个过滤器。验证码验证和身份验证仍然有效，就像我从日志中看到的那样，但在身份验证之后，我不会重定向回客户端。下面是我的配置：

@Bean
    @Order(2)
    fun defaultSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
        val authFilter = authenticationFilter()
        if (captchaEnabled) {
            http.addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter::class.java)
        }

        val filterChain =
            http.authorizeHttpRequests { authorize ->
                authorize
                    .requestMatchers(
                        "/api/v1/auth-service/.well-known/jwks.json",
                        "/error",
                        "/login",
                        "/images/**",
                        "/css/**",
                        "/js/**",
                        "/templates/**",
                        "favicon.ico",
                    ).permitAll()
                    .anyRequest().authenticated()
            }
                .formLogin { it.loginPage("/login").permitAll() }
                .cors { it.configurationSource(corsConfigurationSource()) }.build()

        if (captchaEnabled) {
            val authManager = http.getSharedObject(AuthenticationManager::class.java)
            authFilter.setAuthenticationManager(authManager)
        }
        return filterChain
    }

    fun authenticationFilter() =
        CaptchaLoginFilter(captchaService).apply {
            setAuthenticationFailureHandler(SimpleUrlAuthenticationFailureHandler("/login?error=true"))
        }

字符串
如果我禁用特性标志captchaEnabled或者只是注解掉以http.addFilterBefore开头的行，它就能像预期的那样工作。
我的过滤器代码：

class CaptchaLoginFilter(
    private val captchaService: CaptchaService?,
) : UsernamePasswordAuthenticationFilter() {
    override fun attemptAuthentication(
        request: HttpServletRequest,
        response: HttpServletResponse,
    ): Authentication? {
        if (!request.method.equals("POST")) {
            throw AuthenticationServiceException("Authentication method not supported: " + request.method)
        }

        val recaptchaFormResponse = request.getParameter("g-recaptcha-response")

        try {
            captchaService?.processResponse(
                recaptchaFormResponse,
                request.remoteAddr,
                null,
                request.getHeader("User-Agent"),
            )
        } catch (e: Exception) {
            when (e) {
                is RecaptchaException -> {
                    // TODO
                    // request.getRequestDispatcher("otp_login").forward(request, response)
                }

                else ->
                    try {
                        response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.message)
                    } catch (ioException: IOException) {
                        ioException.printStackTrace()
                    }
            }
            return null
        }
        try {
            return super.attemptAuthentication(request, response)
        } catch (e: Exception) {
            when (e) {
                is AuthenticationException -> {
                    throw e
                }

                else -> {
                    logger.warn("Unexpected exception during authentication", e)
                    response.sendRedirect("/login?error")
                    return null
                }
            }
        }
    }
}

型
我可以从日志中看到，身份验证成功，就像这个过滤器被禁用一样，所以这意味着super. authorization（request，response）在最后被正确调用。在这个场景中，我没有接触请求和响应对象，所以我不知道是什么改变了行为。有什么想法吗？提前感谢。

spring-security

来源：https://stackoverflow.com/questions/77777577/spring-authorization-server-does-not-redirect-back-with-authorization-code-grant