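Spring Security redirects to the last requested page after login following a session timeout

Time: 2013-07-25 07:14:01

Tags: spring spring-mvc spring-security

I have implemented Spring Security for logging in to my web portal. It works fine except for one problem. I have set the session timeout to 5 minutes. Once the timeout has elapsed and the user clicks any URL, they are redirected to the logout page. But when the user re-authenticates, they land directly on the last accessed page instead of the home page, which is the default target URL.

The Spring security file is as follows: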

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans  

        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http auto-config="true">
        <intercept-url pattern="/index.jsp" access="ROLE_ADMIN,ROLE_USER" /> 
        <intercept-url pattern="/home.html" access="ROLE_ADMIN,ROLE_USER" />
        <intercept-url pattern="/mdm/accessToken.html" access="ROLE_USER" />
        <intercept-url pattern="/mdm/enroll.html" access="ROLE_USER" />
        <intercept-url pattern="/mdm/installApp.html" access="ROLE_USER" />
        <intercept-url pattern="/mdm/checkStatus.html" access="ROLE_USER" />
        <intercept-url pattern="/mdm/searchDevice.html" access="ROLE_USER" />     
        <intercept-url pattern="/admin/*" access="ROLE_ADMIN" />
        <intercept-url pattern="/account/*" access="ROLE_ADMIN" />
        <intercept-url pattern="/user/*" access="ROLE_USER" />      

        <form-login login-page="/login.html" default-target-url="/home.html"
                    authentication-failure-url="/loginfailed.html" />
        <logout logout-url="/logout.html" logout-success-url="/logoutSuccess.html" invalidate-session="true" />
        <anonymous username="guest" granted-authority="ROLE_GUEST" />
        <session-management>
            <concurrency-control max-sessions="1"  />
        </session-management>
        <session-management invalid-session-url="/logout.html" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="select USER as username, password, 'true' as enabled from TBL_USER_MASTER where user=?"
                authorities-by-username-query="select um.USER as username , rm.ROLE_NAME as authorities from TBL_USER_MASTER um,TBL_ROLE_MASTER rm
            where um.USER=? and um.role_id=rm.role_id" />
            <password-encoder hash="md5"/>
        </authentication-provider>
    </authentication-manager>
</beans:beans>  

2 answers:

Answer 0: (score: 8)

Add the always-use-default-target attribute to the form-login tag.

<form-login always-use-default-target="true" />
  

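If set to true, the user will always start at the value given by default-target-url, regardless of how they arrived at the login page. Maps to the alwaysUseDefaultTargetUrl property of UsernamePasswordAuthenticationFilter. Default value is false.

Answer 1: (score: 2)

In Grails, this setting in Config.groovy solved the problem: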
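The behaviour this attribute selects, written out as a custom success handler. This is an added example, not code from the question or the answer; the class name HomeAfterTimeoutSuccessHandler is hypothetical and /home.html is taken from the question's default-target-url.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

/**
 * Hypothetical handler: after a successful login, always go to the home page
 * and discard the request that was saved when the unauthenticated user was
 * sent to the login page.
 */
public class HomeAfterTimeoutSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    // Same session-backed cache the framework uses by default to remember
    // the URL that triggered the redirect to the login page.
    private final RequestCache requestCache = new HttpSessionRequestCache();

    public HomeAfterTimeoutSuccessHandler() {
        // Default target URL, as in the question's form-login element.
        super("/home.html");
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {
        SavedRequest saved = requestCache.getRequest(request, response);
        if (saved != null) {
            // Drop the stale pre-login URL so it cannot be replayed later
            // in this session.
            requestCache.removeRequest(request, response);
        }
        // SimpleUrlAuthenticationSuccessHandler never consults the request
        // cache, so this redirects to the default target URL.
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```

To use it, declare the class as a bean and reference it from form-login with the authentication-success-handler-ref attribute in place of default-target-url.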
grails.plugin.springsecurity.successHandler.alwaysUseDefault = true