将密码已过期的用户重定向到修改密码页面

时间:2017-10-18 09:20:36

标签: java spring spring-security

我有一个使用 Spring Security 的 Web 应用。现在我想强制密码已过期的用户去修改密码。

我的安全配置

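@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserService service;

    /**
     * HTTP rules: static resources and the change-password page are public,
     * everything else requires an authenticated session; form login on /login,
     * logout on /logout.
     *
     * The failure handler is taken from the {@link #authenticationHandler()} bean
     * method. The original listing passed a plain, never-injected field here (the
     * {@code @Autowired} annotation only covered {@code service}), which amounts to
     * {@code failureHandler(null)}; Spring then falls back to its built-in handler
     * targeting {@code /login?error} — the exact symptom reported in the question.
     *
     * SECURITY NOTE: {@code /changePassword} is reachable without authentication.
     * A user whose password has expired never becomes authenticated (the provider
     * rejects the login with {@code CredentialsExpiredException}), so the controller
     * behind {@code /changePassword} must establish identity on its own — e.g. demand
     * username + current password again, or a short-lived per-user token — before it
     * writes a new password. Otherwise anyone who can reach the URL can change any
     * account's password. That controller is not part of this listing; confirm it.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
            // "/s/**" is also listed in configure(WebSecurity) below, which removes it
            // from the security filter chain entirely; this permitAll is therefore
            // redundant and is kept only to mirror the original configuration.
            .antMatchers("/s/**").permitAll()
            // Public by design so a not-yet-authenticated user can reach it; see the
            // security note above about re-verifying identity in its controller.
            .antMatchers("/changePassword").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .permitAll()
            // Calling the @Bean method inside a @Configuration class yields the
            // container-managed singleton, so no field injection is needed.
            .failureHandler(authenticationHandler())
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .permitAll();
    }

    /** Registers the single DAO-backed provider (user lookup + bcrypt check). */
    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
        .authenticationProvider(authProvider());
    }

    /**
     * Static resources bypass the whole security filter chain. Note this also skips
     * CSRF protection and the security response headers for "/s/**", so only truly
     * static, non-sensitive content should live under that prefix.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/s/**");
    }

    // Beans    

    /** Failure handler that decides where a rejected login is sent. */
    @Bean
    CustomAuthenticationHandler authenticationHandler() {
        return new CustomAuthenticationHandler();
    }

    /** bcrypt with cost factor 11 for stored password hashes. */
    @Bean
    public PasswordEncoder encoder() {
        return new BCryptPasswordEncoder(11);
    }

    /**
     * DAO provider wired to the application's user service and the bcrypt encoder.
     * With this provider an expired-credentials rejection is reported only after the
     * submitted password was checked, which is what makes routing such failures to a
     * change-password flow reasonable — but see the note on configure(HttpSecurity).
     */
    @Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(new UserDetailServiceImpl(service));
        authProvider.setPasswordEncoder(encoder());
        return authProvider;
    }
}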

我的CustomAuthenticationHandler:

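public class CustomAuthenticationHandler extends SimpleUrlAuthenticationFailureHandler implements AuthenticationFailureHandler {

    private static final String CHANGE_PASSWORD_URL = "/changePassword";
    private static final String LOGIN_FAILURE_URL = "/login?error";

    /** Failures other than expired credentials go back to the login page. */
    public CustomAuthenticationHandler() {
        super(LOGIN_FAILURE_URL);
    }

    /**
     * Routes a rejected login.
     *
     * The original placeholder sent every failure — wrong password, locked or
     * disabled account included — to the change-password page. Only an expired
     * password should go there; everything else is delegated to the superclass,
     * which records the exception and redirects to the configured failure URL.
     *
     * @param request   the login request
     * @param response  the response to redirect
     * @param exception the reason authentication failed
     * @throws IOException      if the redirect cannot be written
     * @throws ServletException propagated from the superclass
     *
     * SECURITY NOTE: this redirect carries no proof of who the user is.
     * {@code /changePassword} is permitAll in the security config, so its controller
     * must verify identity itself (e.g. require username + current password again)
     * before accepting a new password; do not rely on having been redirected here.
     */
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
        // instanceof rather than exact-class equality so subclasses of
        // CredentialsExpiredException are routed the same way.
        if (!(exception instanceof CredentialsExpiredException)) {
            super.onAuthenticationFailure(request, response, exception);
            return;
        }
        // Keep the exception available to the target page (session attribute,
        // since this handler redirects rather than forwards).
        saveException(request, exception);
        getRedirectStrategy().sendRedirect(request, response, CHANGE_PASSWORD_URL);
    }
}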

我希望登录失败后跳转到 /changePassword,但实际上仍然跳到了 /login?error。能否给一个基于 Java 配置实现这一需求的示例,或者指出我哪里做错了?感谢任何帮助。

1 个答案:

答案 0 :(得分:2)

我不确定这个方案好不好,但它对我有效。请注意:/changePassword 在安全配置里是 permitAll,而密码过期的用户并没有真正完成认证,所以处理该页面的控制器必须自行再次核实用户身份(例如要求重新输入用户名和当前密码),否则任何人都可以修改他人的密码。

安全配置:

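@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserService service;

    /**
     * HTTP rules: static resources and the change-password page are public,
     * everything else requires an authenticated session; form login on /login,
     * logout on /logout.
     *
     * The failure handler is taken from the {@link #authenticationHandler()} bean
     * method. The original listing passed a plain, never-injected field here (the
     * {@code @Autowired} annotation only covered {@code service}), which amounts to
     * {@code failureHandler(null)}; Spring then falls back to its built-in handler
     * targeting {@code /login?error}. Calling the bean method avoids any ambiguity
     * if the handler class is additionally registered via {@code @Component}.
     *
     * SECURITY NOTE: {@code /changePassword} is reachable without authentication.
     * A user whose password has expired never becomes authenticated (the provider
     * rejects the login with {@code CredentialsExpiredException}), so the controller
     * behind {@code /changePassword} must establish identity on its own — e.g. demand
     * username + current password again, or a short-lived per-user token — before it
     * writes a new password. Otherwise anyone who can reach the URL can change any
     * account's password. That controller is not part of this listing; confirm it.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
            // "/s/**" is also listed in configure(WebSecurity) below, which removes it
            // from the security filter chain entirely; this permitAll is therefore
            // redundant and is kept only to mirror the original configuration.
            .antMatchers("/s/**").permitAll()
            // Public by design so a not-yet-authenticated user can reach it; see the
            // security note above about re-verifying identity in its controller.
            .antMatchers("/changePassword").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .permitAll()
            // Calling the @Bean method inside a @Configuration class yields the
            // container-managed singleton, so no field injection is needed.
            .failureHandler(authenticationHandler())
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .permitAll();
    }

    /** Registers the single DAO-backed provider (user lookup + bcrypt check). */
    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
        .authenticationProvider(authProvider());
    }

    /**
     * Static resources bypass the whole security filter chain. Note this also skips
     * CSRF protection and the security response headers for "/s/**", so only truly
     * static, non-sensitive content should live under that prefix.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/s/**");
    }

    // Beans    

    /** Failure handler that decides where a rejected login is sent. */
    @Bean
    CustomAuthenticationHandler authenticationHandler() {
        return new CustomAuthenticationHandler();
    }

    /** bcrypt with cost factor 11 for stored password hashes. */
    @Bean
    public PasswordEncoder encoder() {
        return new BCryptPasswordEncoder(11);
    }

    /**
     * DAO provider wired to the application's user service and the bcrypt encoder.
     * With this provider an expired-credentials rejection is reported only after the
     * submitted password was checked, which is what makes routing such failures to a
     * change-password flow reasonable — but see the note on configure(HttpSecurity).
     */
    @Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(new UserDetailServiceImpl(service));
        authProvider.setPasswordEncoder(encoder());
        return authProvider;
    }
}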

我的CustomAuthenticationHandler:

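@Component
public class CustomAuthenticationHandler extends SimpleUrlAuthenticationFailureHandler implements AuthenticationFailureHandler {

    private static final String CHANGE_PASSWORD_URL = "/changePassword";
    private static final String LOGIN_FAILURE_URL = "/login?error";

    /**
     * Handler state is fixed once, here, instead of inside onAuthenticationFailure.
     * The original called setUseForward/setDefaultFailureUrl on every failure; this
     * bean is a shared singleton, so two concurrent failed logins (one expired
     * password, one wrong password) could interleave and send the wrong-password
     * user to the change-password page. Per-request routing must not mutate the bean.
     */
    public CustomAuthenticationHandler() {
        setUseForward(true);
        setDefaultFailureUrl(LOGIN_FAILURE_URL);
    }

    /**
     * Forwards an expired-credentials failure to the change-password page and every
     * other failure to the default failure URL (via the superclass, which forwards
     * because useForward is set). The exception is stored on the request in both
     * cases so the target page can inspect it.
     *
     * @param request   the login request; because this is a forward, the original
     *                  form fields (including the submitted password) stay visible
     *                  to the target — the target must never echo or log them
     * @param response  the response to forward
     * @param exception the reason authentication failed
     * @throws IOException      from the dispatcher
     * @throws ServletException from the dispatcher
     *
     * SECURITY NOTE: {@code /changePassword} is permitAll in the security config and
     * the user arriving here is not authenticated. Its controller must verify
     * identity itself (e.g. require username + current password again) before
     * storing a new password; being forwarded here is not proof of identity.
     */
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
        // instanceof rather than exact-class equality so subclasses of
        // CredentialsExpiredException are routed the same way.
        if (!(exception instanceof CredentialsExpiredException)) {
            super.onAuthenticationFailure(request, response, exception);
            return;
        }
        saveException(request, exception);
        request.getRequestDispatcher(CHANGE_PASSWORD_URL).forward(request, response);
    }

}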