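Authentication failure redirect with request params not working

Time: 2017-02-11 21:08:25

Tags: spring spring-boot spring-security

I am trying to configure my own success and authentication failure handlers. On authentication failure I want to redirect back to my login page with a request parameter; the presence of this parameter will output an error message on my login page. However, although on error I am redirected back to the login page, the request parameter is always null.

Code below: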

protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/login").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login.html").permitAll()
            .usernameParameter("username")
            .passwordParameter("password")
            .loginProcessingUrl("/login")
            .successHandler(successHandler())
            .failureHandler(handleAuthenticationFailure());
}

@Autowired
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    //database checks
}

/**
 * Authentication success handler defines action when successfully authenticated
 * @return
 */
@Bean
public AuthenticationSuccessHandler successHandler(){
    return new AuthenticationSuccessHandler() {

        @Override
        public void onAuthenticationSuccess(HttpServletRequest httpRequest, HttpServletResponse httpResponse, Authentication authentication)
                throws IOException, ServletException {

            // custom auth success here
            httpResponse.setStatus(HttpServletResponse.SC_OK);
            SavedRequest savedRequest = (SavedRequest) httpRequest.getSession().getAttribute("SPRING_SECURITY_SAVED_REQUEST");
            // No saved request exists when the user opened the login page directly; fall back to "/"
            httpResponse.sendRedirect(savedRequest != null ? savedRequest.getRedirectUrl() : "/");
        }
    };
}

@Bean
public AuthenticationFailureHandler handleAuthenticationFailure() {
    return new SimpleUrlAuthenticationFailureHandler() {

        @Override
        public void onAuthenticationFailure(HttpServletRequest httpRequest, HttpServletResponse httpResponse,
                                            AuthenticationException authenticationException) throws IOException, ServletException {

            // custom failure code here
            setDefaultFailureUrl("/login.html?error=fail");
            super.onAuthenticationFailure(httpRequest, httpResponse, authenticationException);
        }
    };
}

3 answers:

Answer 0 (score: 2)

Try this:

@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {

    // .......

    response.sendRedirect("/login.html?error=fail");    
}

Update

It is important to add "/login.html?error=fail" to the authorizeRequests() section; otherwise the controller will not pick up the error parameter.

Replace .antMatchers("/login").permitAll() with .antMatchers("/login**").permitAll()

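Answer 1 (score: 1)

I also had a problem with params (in my case, when login failed and some request params were added to the URL, it redirected to the login page without the params).

This solved my problem: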

.antMatchers("/login**").permitAll()
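
The effect Answers 0 and 1 describe, as an added example that is not part of the original posts: it checks the question's permitAll rules against the redirect target /login.html?error=fail, once with "/login" and once with "/login**". It needs spring-test and spring-security-web on the classpath; the class and helper names, and the exact-URL model of formLogin().loginPage(...).permitAll(), are assumptions of this example.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added illustration (hypothetical class): which rule decides the failure redirect?
public class LoginRuleCheck {

    // Constructed request: what the browser sends after the failure redirect.
    static MockHttpServletRequest failureRedirect() {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/login.html");
        req.setServletPath("/login.html");   // AntPathRequestMatcher reads the servlet path
        req.setQueryString("error=fail");    // the query string is not part of that path
        return req;
    }

    // Assumption: loginPage(url).permitAll() is modelled as an exact comparison
    // of path plus query string against the configured login page URL.
    static RequestMatcher exactUrl(String url) {
        return r -> (r.getQueryString() == null
                ? r.getRequestURI()
                : r.getRequestURI() + "?" + r.getQueryString()).equals(url);
    }

    // The question's permitAll rules, with the "/login" pattern made variable.
    static List<RequestMatcher> permitAllRules(String loginPattern) {
        return Arrays.asList(
                exactUrl("/login.html"),
                new AntPathRequestMatcher("/"),
                new AntPathRequestMatcher(loginPattern));
    }

    // Any permitAll match lets the request through; otherwise anyRequest().authenticated() applies.
    static String decide(List<RequestMatcher> permitAll, MockHttpServletRequest req) {
        boolean open = permitAll.stream().anyMatch(m -> m.matches(req));
        return open ? "permitAll" : "authenticated";
    }

    public static void main(String[] args) {
        for (String pattern : new String[] {"/login", "/login**"}) {
            System.out.println(pattern + " -> " + decide(permitAllRules(pattern), failureRedirect()));
        }
    }
}
```

Because "/login**" also matches any other single-segment path that begins with /login, a narrower pattern such as "/login.html" (the ant matcher ignores the query string) keeps the anonymous surface smaller.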

Answer 2 (score: 0)

I am new to Spring Boot. If you are using Spring Boot 2.1.4.RELEASE, try the following configuration:

http.csrf().disable()
            .authorizeRequests()
            // URLs matching for access rights
            .antMatchers("/").permitAll()
            .antMatchers("/login").permitAll()
            .anyRequest().authenticated()
            .and()
            // form login
            .formLogin()
            .loginPage("/login")
            .failureUrl("/login?error=true")
            .successHandler(sucessHandler)
            .usernameParameter("email")
            .passwordParameter("password")
            .and()
            // logout
            .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/").and()
            .exceptionHandling()
            .accessDeniedPage("/access-denied");

To use the Spring Security configuration defined above, we need to attach it to the web application. In this case, we don't need any web.xml:

public class SpringApplicationInitializer
        extends AbstractAnnotationConfigDispatcherServletInitializer {

    protected Class<?>[] getRootConfigClasses() {
        return new Class[] {SecSecurityConfig.class};
    }
}

This means you will create the following class, which will be instantiated automatically:

SecSecurityConfig.class: the class where you do all the http.csrf().disable().authorizeRequests()... configuration

Source: https://www.baeldung.com/spring-security-login

Hope it helps :)