我面临Spring Security中的以下问题:
(1)我有一个网址" / welcome"当用户登录时调用,即我的默认成功URL是" / welcome"。无论用户的角色如何,用户都应该在登录后重定向到此URL。问题是如果我在没有登录的情况下直接访问此URL,则它不会重定向到登录页面。
(2)注销后,我重定向登录页面是正确的。但是当我点击浏览器后退按钮时,我将重定向到上一页而不是停留在登录页面上。
以下是我的代码:
DesertLampSecurityConfiguration.java
@Configuration
@EnableWebSecurity
public class DesertLampSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder authenticationMgr) throws Exception {
authenticationMgr.inMemoryAuthentication()
.withUser("subodh.ranadive@desertlamp.com")
.password("Dlpl123#")
.authorities("SUPER_USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/", "/home").permitAll()
.and()
.formLogin().loginPage("/login")
.failureUrl("/login?error")
.defaultSuccessUrl("/welcome", true)
.usernameParameter("email").passwordParameter("password")
.and()
.logout()
.logoutSuccessUrl("/login?logout")
.and()
.csrf()
.and()
.exceptionHandling().accessDeniedPage("/Access_Denied");
}
}
DefaultController.java
@Controller
public class DefaultController {
@RequestMapping(value = { "/", "/home" }, method = RequestMethod.GET)
public ModelAndView defaultPage() {
ModelAndView model = new ModelAndView();
model.setViewName("common/pgDefault");
return model;
}
@RequestMapping(value = "/login", method = RequestMethod.GET)
public ModelAndView loginPage(@RequestParam(value = "error",required = false) String error,
@RequestParam(value = "logout", required = false) String logout) {
ModelAndView model = new ModelAndView();
if (error != null) {
model.addObject("error", "Invalid Email OR Password");
}
if (logout != null) {
model.addObject("message", "You are successfully logged out");
}
model.setViewName("common/pgLogin");
return model;
}
@RequestMapping(value="/welcome", method = RequestMethod.GET)
public String welcomePage(ModelMap model){
return "common/pgWelcome";
}
}
incLogout.jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>
<body>
<div align="right">
<c:url value="/logout" var="logoutUrl" />
<form id="logout" action="${logoutUrl}" method="post" >
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
</form>
<c:if test="${pageContext.request.userPrincipal.name != null}">
<a href="javascript:document.getElementById('logout').submit()">Logout</a>
</c:if>
</div>
</body>
</html>
提前致谢。
答案 0 :(得分:1)
我有解决方案。在DesertLampSecurityConfiguration.java的configure()方法中添加了 .anyRequest()。authenticated(),它解决了所讨论的(1)和(2)查询。
DesertLampSecurityConfiguration.java
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/", "/home").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login").permitAll()
.failureUrl("/login?error")
.defaultSuccessUrl("/welcome", true)
.usernameParameter("email").passwordParameter("password")
.and()
.logout()
.logoutSuccessUrl("/login?logout")
.and()
.csrf()
.and()
.exceptionHandling().accessDeniedPage("/Access_Denied");
}