我遇到了Spring security SwitchUserFilter的问题。当我使用ADMIN角色登录时,我可以切换用户并再次返回。问题是,当第二次切换用户时,我似乎无法切换回来。当我直接在浏览器中进入/ secure / switch / back时,会显示在我的日志中。
[FilterChainProxy] : /secured/admin at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
...
[AbstractSecurityInterceptor] : Secure object: FilterInvocation: URL: /secured/admin; Attributes: [hasRole('ADMIN')]
[AbstractSecurityInterceptor] : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@99f3cebe: Principal: harry [OTHER]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 756CEC9064C2B1B4D788624786F26137; Granted Authorities: OTHER, Switch User Authority [ROLE_PREVIOUS_ADMINISTRATOR,org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6b846d6c: Principal: max [ADMIN]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 26B09EEF635C1758BE96B86AB6354434; Granted Authorities: ADMIN]
[AffirmativeBased] : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3e35ec54, returned: -1
[ExceptionTranslationFilter] : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
通常,当用户使用配置的/secured/switch/back网址切换回来时,FilterChainProxy会开始过滤网址 / secured / switch / back 的请求。但是,第二次网址更改为 / secured / admin 并且权限被拒绝。
有人知道这里会发生什么吗?
我有以下配置。
<beans:bean id="switchUserProcessingFilter"
class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
<beans:property name="userDetailsService" ref="org.example.CustomUserDetailsService"/>
<beans:property name="switchUserUrl" value="/secured/admin/switch/user" />
<beans:property name="exitUserUrl" value="/secured/switch/back" />
<beans:property name="usernameParameter" value="username" />
<beans:property name="successHandler" ref="RedirectingAuthenticationSuccessHandler" />
</beans:bean>
<beans:bean id="authenticationSuccessHandler" class="org.example.RedirectingAuthenticationSuccessHandler" />
<http use-expressions="true" access-denied-page="/secured/access/denied" >
<custom-filter ref="switchUserProcessingFilter" position="SWITCH_USER_FILTER" />
<intercept-url pattern="/secured/login" access="permitAll()" />
<intercept-url pattern="/secured/login/auth" access="permitAll()" />
<intercept-url pattern="/secured/switch/back" access="hasAnyRole('ADMIN', 'OTHER')" />
<intercept-url pattern="/secured/admin/**" access="hasRole('ADMIN')" />
<intercept-url pattern="/secured/other/**" access="hasRole('OTHER')" />
<form-login
login-page='/secured/login'
login-processing-url="/secured/login/auth"
authentication-success-handler-ref="authenticationSuccessHandler"
username-parameter="username"
password-parameter="password"
/>
<logout logout-url="/secured/logout" logout-success-url="/secured/login" />
和成功处理程序
public class RedirectingAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
private static final Logger logger = LoggerFactory.getLogger(RedirectingAuthenticationSuccessHandler.class);
private static final RoleBasedRedirectStrategy redirectHandler = new RoleBasedRedirectStrategy();
/*
* Redirect request based on user role.
*
* For example:
* Role ADMIN redirects to /secured/admin
* Role OTHER redirects to /secured/other
*/
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
User user = (User) authentication.getPrincipal();
logger.info("Authentication successful for {}", user);
redirectHandler.handleRedirect(request, response, user);
}
}
答案 0 :(得分:1)
从问题评论中摘录:
您确定
redirectHandler不发送永久重定向(301)吗?
客户端可以缓存永久重定向。因此,/secured/switch/back可能没有实际的第二次请求,而是直接转到之前已解决的成功网址/secured/admin(这会导致访问被拒绝(403),因为您仍然需要登录作为OTHER)。
顺便提一句method for sending temporary (302) redirects(也是由Spring DefaultRedirectStrategy使用):
response.sendRedirect(targetUrl);