Question

我见过这样的问题，但我没有看到我的具体问题的答案。

我正在使用spring security 2.1和jsf 2.1。我有一个自定义的jsf登录控制器，我开发用于处理来自xhtml文件的登录。

这是登录方法：

public String login() throws ServletException, IOException {

    ExternalContext context = FacesContext.getCurrentInstance()
            .getExternalContext();

    RequestDispatcher dispatcher = ((ServletRequest) context.getRequest())
            .getRequestDispatcher("/j_spring_security_check");

    dispatcher.forward((ServletRequest) context.getRequest(),
            (ServletResponse) context.getResponse());

    FacesContext.getCurrentInstance().responseComplete();

    Exception e = (Exception) FacesContext.getCurrentInstance().
              getExternalContext().getSessionMap().get(WebAttributes.AUTHENTICATION_EXCEPTION);




    // It's OK to return null here because Faces is just going to exit.
    return null;

}

我从其他帖子中提取了示例代码。

这是我的弹簧配置：

    <http use-expressions="true" auto-config="true">
    <!-- <intercept-url pattern="/signin.xhtml" access="permitAll" /> -->

    <intercept-url pattern="/internal/private/**" access="hasRole('USER')" />
    <!-- <intercept-url pattern="/scheduling/internal/private/**" access="hasAnyRole('ADMIN','USER')" 
        /> -->
    <!--<intercept-url pattern="/javax.faces.resource/**" access="permitAll"/> 
        <intercept-url pattern="/**" access="permitAll" /> -->

    <form-login default-target-url="/internal/private/landing.xhtml"
        login-page="/signin.xhtml" />
</http>

如您所见，我的默认目标网址是“/internal/private/landing.xhtml”。我已启用调试，可以看到身份验证已通过，但从未重定向到默认页面。

这是从日志中剪切出来的，显示来自Spring的重定向调用：

    08:58:03,701 DEBUG [org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy] (http-localhost-127.0.0.1-8080-2) Invalidating session with Id 'qPg2MdmRgSpTcV6CVT7cb-9M.undefined' and migrating attributes.
08:58:03,703 DEBUG [org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy] (http-localhost-127.0.0.1-8080-2) Started new session: GFoQyvUtbd+lmZiNw0QKRrI-.undefined
08:58:03,705 DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] (http-localhost-127.0.0.1-8080-2) Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d9fa0ad7: Principal: org.springframework.security.core.userdetails.User@da682271: Username: roland.jones; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: qPg2MdmRgSpTcV6CVT7cb-9M.undefined; Granted Authorities: ADMIN, USER
08:58:03,714 DEBUG [org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler] (http-localhost-127.0.0.1-8080-2) Using default Url: /internal/private/landing.html
08:58:03,716 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] (http-localhost-127.0.0.1-8080-2) Redirecting to '/scheduling/internal/private/landing.html'
08:58:03,718 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http-localhost-127.0.0.1-8080-2) SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@d9fa0ad7: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d9fa0ad7: Principal: org.springframework.security.core.userdetails.User@da682271: Username: roland.jones; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: qPg2MdmRgSpTcV6CVT7cb-9M.undefined; Granted Authorities: ADMIN, USER'
08:58:03,727 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (http-localhost-127.0.0.1-8080-2) SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@d9fa0ad7: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d9fa0ad7: Principal: org.springframework.security.core.userdetails.User@da682271: Username: roland.jones; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: qPg2MdmRgSpTcV6CVT7cb-9M.undefined; Granted Authorities: ADMIN, USER'
08:58:05,156 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] (http-localhost-127.0.0.1-8080-2) Chain processed normally

我尝试登录后，如果我输入地址中的默认URL就没问题了，所以我知道身份验证通过了。

请帮忙。谢谢！

Answer 1

在Spring Security 3.x中，您可以使用authentication handler来实现它，它允许您编写自定义servlet代码来管理成功的身份验证。我知道您正在使用Spring Security 2，但如果升级是一个选项，您可以考虑它。

我首先声明访问的登录表单，并使其可供每个用户使用。从那以后，我将剩下的网址限制在其中：

<http use-expressions="true">
    <intercept-url pattern="/login**" access="permitAll()" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login login-page="/login" default-target-url="/home"
        always-use-default-target="false" 
        authentication-success-handler-ref="authenticationSuccessHandler"
        authentication-failure-handler-ref="authenticationFailureHandler" />
    <logout logout-success-url="/login" invalidate-session="true" />
</http>

注意我声明了两个身份验证处理程序，成功和失败。之后，我实现了自己的SystemAuthenticationSuccessHandler，这使我能够在成功完成身份验证后执行servlet代码：

<beans:bean id="authenticationSuccessHandler"
    class="com.mycompany.security.SystemAuthenticationSuccessHandler" />

如果身份验证成功，我可以执行重定向：

import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class SystemAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest req, 
        HttpServletResponse res, Authentication auth) 
        throws IOException, ServletException {
            res.sendRedirect(req.getContextPath() + "/home");
    }

}

Answer 2

@ braveheart1996您只需要设置属性＆＃34; ajax = false＆＃34;。

<p:commandButton    action="#{controller.login()}"
                    value="Login" icon="fa fa-sign-in" 
                    process="@this formLogin"
                    update="formLogin"
                    ajax="false"/>

成功登录后，Spring安全jsf不会重定向

2 个答案: