我有一个由Spring Boot后端组成的项目,该项目为Angular 5前端提供RESTful服务。
我目前正在尝试在前端和后端之间实施正确的身份验证。为此,我添加了一个标准的Spring身份验证方案,该方案由AuthenticationFilter,AuthorizationFilter,WebSecurityConfigurerAdaptor和AuthenticationSuccessHandler组成。
在WebSecurityConfigurerAdaptor中,我进行了如下配置:
@EnableWebSecurity
public class ComixEdWebSecurity extends WebSecurityConfigurerAdapter
{
@Autowired
private ComixEdAuthenticationSuccessHandler authenticationSuccessHandler;
@Override
protected void configure(HttpSecurity http) throws Exception
{
// @formatter:off
http
.authorizeRequests()
.antMatchers("/", "/comics/count", "/login").permitAll()
.antMatchers("/comics/**", "/pages/**").hasRole("READER")
.antMatchers("/files/**").hasRole("ADMIN")
.and()
.formLogin()
.successHandler(authenticationSuccessHandler)
.loginPage("/login")
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
.permitAll()
.and()
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and()
.addFilter(new ComixEdAuthenticationFilter(this.authenticationManager(), getApplicationContext()))
.addFilter(new ComixEdAuthorizationFilter(this.authenticationManager())).sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// @formatter:on
http.exceptionHandling().accessDeniedPage("/403");
}
}
所有片段均按预期调用,但ComixEdAuthenticationSuccessHandler从未调用。我已完成AuthenticatorFilter的逐步调试,并看到一切正常,并且前端收到200响应。但是我还需要调用AuthenticationSuccessHandler,以便将一些令牌放入响应中。
源代码可用here。
答案 0 :(得分:0)
您如何创建authenticationSuccessHandler类?
我使用的处理程序示例如下:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.loginPage("/signin")
.usernameParameter("email")
.passwordParameter("password")
.permitAll()
.successHandler(flashLoginSuccessHandler())
.defaultSuccessUrl("/home")
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.deleteCookies("remember-me")
.deleteCookies("SESSION")
.logoutSuccessHandler(flashLogoutSuccessHandler())
.invalidateHttpSession(true)
.and()
.rememberMe()
.rememberMeServices(rememberMeServices())
.userDetailsService(flashUserDetailsService)
.and()
.sessionManagement()
.maximumSessions(1)
.sessionRegistry(sessionRegistry());
}
@Bean
public AuthenticationSuccessHandler flashLoginSuccessHandler() {
return new FlashLoginSuccessHandler();
}
而且FlashLoginSuccessHandler必须扩展SimpleUrlAuthenticationSuccessHandler
public class FlashLoginSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
super.onAuthenticationSuccess(request, response, authentication);
}
}
您可以覆盖响应对象以根据需要添加自定义数据。
答案 1 :(得分:0)
我遇到了和你一样的问题,虽然对你来说太晚了,但我的解决方案可能会帮助其他人(请注意,我真的不知道我在做什么):
我不知道你的 ComixEdAuthenticationSuccessHandler
到底是什么样子,因为 GitHub 链接现在已经死了,但我的扩展了 SavedRequestAwareAuthenticationSuccessHandler
,并覆盖了方法:
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authentication);
...这显然是导致问题的原因。这是什么工作:
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication);
因此,在这种情况下,将 chain
作为参数的方法似乎并不是要覆盖的正确方法。