Currently my spring-security.xml looks like this:

    <global-method-security pre-post-annotations="enabled" />
    <http pattern="/login" security="none"/>
    <http pattern="/assets/**" security="none"/>
    <http auto-config="false" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true">
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
        <intercept-url pattern="/tadmin/**" access="ROLE_TENANT_ADMIN"/>
        <form-login login-page="/login" authentication-success-handler-ref="authenticationSuccessHandler" authentication-failure-url="/login?error"/>
        <logout logout-url="/logout" logout-success-url="/login"/>
        <remember-me/>
    </http>
    <beans:bean id="authenticationSuccessHandler" class="com.dj.LoginSuccessHandler">
        <beans:property name="useReferer" value="true"/>
    </beans:bean>
    <beans:bean id="authenticationEntryPoint"
                class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login" />
    </beans:bean>
    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <!-- <password-encoder hash="md5"/> -->
            <user-service>
                <user name="user" password="123" authorities="ROLE_USER"/>
                <user name="admin" password="123" authorities="ROLE_ADMIN,ROLE_USER"/>
                <user name="tadmin" password="123" authorities="ROLE_TENANT_ADMIN,ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
My custom AuthenticationSuccessHandler:

    package com.dj;

    import java.io.IOException;

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

    public class LoginSuccessHandler extends
            SavedRequestAwareAuthenticationSuccessHandler {

        // getters and setters for injected services

        /**
         * Pick the landing page from the authenticated user's roles and redirect
         * there. Roles are checked from most to least privileged, so a user that
         * holds several roles lands on the page of the highest one.
         */
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request,
                HttpServletResponse response, Authentication authentication) {
            try {
                String redirectUrl = "/login";
                if (hasRole(authentication, UserRole.ROLE_ADMIN)) {
                    redirectUrl = "/app/admin/secure";
                } else if (hasRole(authentication, UserRole.ROLE_TENANT_ADMIN)) {
                    redirectUrl = "/app/tadmin/secure";
                } else if (hasRole(authentication, UserRole.ROLE_USER)) {
                    redirectUrl = "/app/USER/";
                }
                response.sendRedirect(redirectUrl);
            } catch (IOException e) {
                // The redirect could not be written to the response
                e.printStackTrace();
            }
        }

        /**
         * Check if a role is present in the authorities of the current user.
         *
         * @param auth
         *            the authentication holding all authorities assigned to the
         *            current user
         * @param role
         *            required authority
         * @return true if the role is present in the list of authorities assigned
         *         to the current user, false otherwise
         */
        private boolean hasRole(Authentication auth, UserRole role) {
            for (GrantedAuthority grantedAuthority : auth.getAuthorities()) {
                if (grantedAuthority.getAuthority().equals(role.name())) {
                    return true;
                }
            }
            return false;
        }
    }
When I try to log in, by intercepting the network traffic I can see:

    j_spring_security_check

However, I am never redirected to the correct page for the type of user who just logged in; I stay on the login page forever.
When I enter the redirect URL manually, everything works and I am logged in correctly. It seems to me that security is set up correctly but the redirect is not working.
Any help on this matter would be greatly appreciated.
Answer 0 (score: 1)

Your intercept-url declarations are in the wrong order. You need to put the most specific ones first. You have /** at the top, so it always matches. It should be the last one in the list.
You should be able to trace the successful login and the subsequent access-denied exception in the debug log.
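As an added example (not code from the question or the answer), here is the `<http>` block from the question with its `intercept-url` rules reordered the way the answer describes. Spring Security evaluates `intercept-url` rules top to bottom and applies the first pattern that matches the request, so the specific `/admin/**` and `/tadmin/**` rules must precede the catch-all `/**`. The patterns, role names and bean references are the ones on the page; nothing else is changed.

```xml
<!-- Added example: the question's <http> element with intercept-url rules
     ordered most-specific first. Rules are matched top to bottom, first
     match wins, so the catch-all /** must be the last rule. -->
<http auto-config="false" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true">

    <!-- Specific areas first: these would never be reached if /** came before them -->
    <intercept-url pattern="/admin/**"  access="ROLE_ADMIN"/>
    <intercept-url pattern="/tadmin/**" access="ROLE_TENANT_ADMIN"/>

    <!-- Catch-all last: every remaining URL requires at least ROLE_USER -->
    <intercept-url pattern="/**"        access="ROLE_USER"/>

    <form-login login-page="/login"
                authentication-success-handler-ref="authenticationSuccessHandler"
                authentication-failure-url="/login?error"/>
    <logout logout-url="/logout" logout-success-url="/login"/>
    <remember-me/>
</http>
```

Two things worth checking against the rest of the posted configuration: the success handler redirects to `/app/admin/secure` and `/app/tadmin/secure`, which neither `/admin/**` nor `/tadmin/**` matches as written, so the patterns need to line up with the real URL layout of the application; and with Spring Security's debug logging enabled, the log shows which `intercept-url` rule matched each request, which is the quickest way to confirm the ordering is doing what you expect.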