自定义AuthenticationFailureHandler未按预期工作

时间:2017-04-18 08:32:39

标签: java spring spring-mvc spring-boot spring-security

安全配置中的已注册处理程序:

.formLogin().loginPage(/login).failureHandler(new CustomAuthenticationFailureHandler())

我的自定义失败处理程序:

public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {

    private String failureUrl="/login?error";

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception) throws IOException, ServletException {
        this.redirectStrategy.sendRedirect(request, response, this.failureUrl);
    }

}
当auth失败发生时,

onAuthenticationFailure会被触发,但是Spring会触发另外一个请求,请找到另一个req堆栈,

LoginUrlAuthenticationEntryPoint.commence(HttpServletRequest, HttpServletResponse, AuthenticationException) line: 169   
ExceptionTranslationFilter.sendStartAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, AuthenticationException) line: 204 
ExceptionTranslationFilter.handleSpringSecurityException(HttpServletRequest, HttpServletResponse, FilterChain, RuntimeException) line: 178  

因此,此请求会覆盖我的sendredirect请求。

我是否需要配置/执行其他任何操作才能实现此目的?请帮忙。 提前致谢

我的配置:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .addFilterBefore(SignUpFilter(userService), UsernamePasswordAuthenticationFilter.class)
                .authorizeRequests()
                .antMatchers(
                        "/",
                        "/register",
                        "/retrieveUsernameForm",
                    .permitAll()
            .and()
            .anonymous()
                .authenticationProvider(anonymousAuthenticationProvider())
                .authenticationFilter(anonymousAuthenticationFilter())
            .and()
                .formLogin()
                     .loginPage(SecurityController.URI_LOGIN)
                     .failureHandler(new CustomAuthenticationFailureHandler())
                    .permitAll()
                    .defaultSuccessUrl(securityController.createUri(SecurityController.PATH_PART_LOGIN))
                .and()
                .rememberMe()
                .rememberMeParameter("remember-me")
                .key(REMEMBERME_TOKEN_KEY)
                .rememberMeServices(tokenBasedRememberMeServices())
            .and()
                .logout()
                .permitAll()
            .and()
                .headers()
                    .frameOptions().disable()
                    .addHeaderWriter(new StaticHeadersWriter("X-Frame-Options", "SAMEORIGIN"))
            .and()
                .csrf().disable();

        http.formLogin()
                .addObjectPostProcessor(new ObjectPostProcessor<UsernamePasswordAuthenticationFilter>() {
                    @Override
                    public UsernamePasswordAuthenticationFilter postProcess(UsernamePasswordAuthenticationFilter filter) {
                        filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategyForContentAndStoreUsers());
                        return filter;
                    }
                });

        http.exceptionHandling().accessDeniedHandler(accessDeniedHandler);
    }

0 个答案:

没有答案