Question

我正在将spring security用于电子商务项目。我们要求保持登录历史记录。由于j_spring_security_check在内部处理身份验证和授权。我能找到的唯一方法是使用自定义AuthenticationSuccessHandler来保存成功登录的历史记录。我读了一些帖子并得到了一个完美的答案，但有一个错误。以下是我的配置：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd">

    <bean id="encoder" class="com.web.auth.CustomPasswordEncoder">
        <constructor-arg value="512"/>
    </bean>

    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="/products/**" access="hasRole('ROLE_USER')" />
        <security:intercept-url pattern="/orders/**" access="hasRole('ROLE_USER')" />
        <security:access-denied-handler error-page="/403" />
        <security:form-login
                login-page="/users/login"
                default-target-url="/products/list"
                authentication-failure-url="/users/login?error"
                username-parameter="username"
                password-parameter="password"
                authentication-success-handler-ref="myAuthenticationSuccessHandler"/>
        <security:logout invalidate-session="true" logout-success-url="/users/login?logout" />
        <!-- enable csrf protection -->
        <security:csrf/>
    </security:http>

    <bean id ="customUserDetailsService" class="com.web.auth.UserDetailService"></bean>


    <security:authentication-manager>
        <security:authentication-provider user-service-ref="customUserDetailsService">
        <security:password-encoder ref="encoder">
            <security:salt-source user-property="salt"/>
                </security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="myAuthenticationSuccessHandler" class="com.web.auth.AuthenticationSuccessHandler">
        <property name="useReferer" value="true" />
    </bean>


</beans>

以下是我对customauthenticationfilter的实现

package com.web.auth;

import com.aws.sns.mobilepush.model.Platform;
import com.loginhistory.UserLoginHistoryService;
import com.loginhistory.model.UserLoginHistory;
import com.user.UserService;
import com.user.model.User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.util.StringUtils;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Optional;

/**
 * Created by root on 18/5/15.
 */
public class AuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    @Autowired
    UserLoginHistoryService userLoginHistoryService;
    @Autowired
    UserService userService;
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication) throws IOException,ServletException {
        CustomUserDetails customUserDetails =  (CustomUserDetails)authentication.getPrincipal();
        Optional<User> user = userService.findUserById(customUserDetails.getUserID());
        if (!user.isPresent()) {
            return;
        }
        UserLoginHistory userLoginHistory = new UserLoginHistory();
        userLoginHistory.setPlatform(Platform.WEB);
        userLoginHistory.setUser(user.get());
        userLoginHistory.setArnEndPoint("na");
        userLoginHistory.setTokenId("na");
        userLoginHistoryService.saveLoginHistoryForWeb(userLoginHistory);

        super.onAuthenticationSuccess(request,response,authentication);
    }
    }

我现在能够维护历史记录，如果用户需要受保护的页面，一切正常。但是，当用户明确进入登录页面并将凭据重新定向到同一登录页面时，应根据我的配置将其重定向到默认的帖子登录页面。

请帮我解决这个问题，并建议一个可能的解决方案

谢谢，罗希特·米什拉

Answer 1

您的配置未设置默认的登录后页面。您已将useReferer设置为true，这意味着用户将被重定向到他们来自的页面。如果那是登录页面，他们将在之后发回。尝试删除它。

根据您的要求，您可以通过其他方式控制重定向目的地，例如设置defaultTargetUrl - 有关详细信息，请参阅docs for the class。

spring security custom AuthenticationSuccessHandler

1 个答案: