目前我的 spring-security.xml 文件如下：
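<global-method-security pre-post-annotations="enabled" />

<!-- Filter-less chains: no security filter (and no session handling) runs for the
     login page and static assets. -->
<http pattern="/login" security="none"/>
<http pattern="/assets/**" security="none"/>

<!-- disable-url-rewriting="true" keeps ;jsessionid=... out of URLs, so the session id
     cannot leak through Referer headers or logs. -->
<http auto-config="false" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true">
    <!-- intercept-url rules are evaluated in declaration order and the FIRST match wins.
         The specific /admin/** and /tadmin/** rules must therefore precede the /** catch-all;
         with /** first they are unreachable and any ROLE_USER can open the admin URLs. -->
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
    <intercept-url pattern="/tadmin/**" access="ROLE_TENANT_ADMIN"/>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <!-- NOTE(review): the success handler redirects to /app/admin/secure and /app/tadmin/secure.
         If "/app" is a servlet mapping rather than this web-app's context path, these patterns
         would have to be /app/admin/** and /app/tadmin/** to match - confirm against web.xml. -->

    <form-login login-page="/login"
                authentication-success-handler-ref="authenticationSuccessHandler"
                authentication-failure-url="/login?error"/>
    <logout logout-url="/logout" logout-success-url="/login"/>
    <!-- NOTE(review): no key attribute is set, so the remember-me key is chosen at startup;
         tokens then presumably stop validating after a restart and across instances.
         Set an explicit, secret key outside source control. -->
    <remember-me/>
</http>

<!-- useReferer has no effect here: LoginSuccessHandler overrides onAuthenticationSuccess
     without calling super, so the saved-request / referer logic never runs. -->
<beans:bean id="authenticationSuccessHandler" class="com.dj.LoginSuccessHandler">
    <beans:property name="useReferer" value="true"/>
</beans:bean>

<beans:bean id="authenticationEntryPoint"
            class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/login" />
</beans:bean>

<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <!-- No password-encoder is configured, so the passwords below are compared in plain text.
             Acceptable only for local testing: before production configure a strong encoder
             (bcrypt, not md5) and move the users out of this XML file. -->
        <user-service>
            <user name="user" password="123" authorities="ROLE_USER"/>
            <user name="admin" password="123" authorities="ROLE_ADMIN,ROLE_USER"/>
            <user name="tadmin" password="123" authorities="ROLE_TENANT_ADMIN,ROLE_USER"/>
        </user-service>
    </authentication-provider>
</authentication-manager>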
我的自定义 AuthenticationSuccessHandler：
package com.dj;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import com.dj.UserRole;
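/**
 * Post-login handler that redirects the user to a role-specific landing page.
 *
 * <p>The target URL is derived purely from the authenticated principal's authorities and
 * never from request parameters or headers, so this handler cannot act as an open redirect.
 * Note that it replaces the whole {@code onAuthenticationSuccess} flow of the superclass:
 * the saved-request and {@code useReferer} behaviour is never used.
 */
public class LoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    /** Fallback when the principal holds none of the known roles; sends the user back to the login page. */
    private static final String FALLBACK_URL = "/login";

    // NOTE(review): these paths go through response.sendRedirect(), which treats a leading "/"
    // as relative to the server root, not to the web-app context. They only resolve correctly
    // if "/app" is this application's context path - confirm against web.xml.
    private static final String ADMIN_URL = "/app/admin/secure";
    private static final String TENANT_ADMIN_URL = "/app/tadmin/secure";
    private static final String USER_URL = "/app/USER/";

    /**
     * Redirects the freshly authenticated user according to the most privileged role found,
     * checked in the order admin, tenant admin, user.
     *
     * @param request        the login request (unused; no request data influences the target)
     * @param response       the response the redirect is written to
     * @param authentication the successful authentication; its authorities choose the target
     * @throws IOException if the redirect cannot be written. It is propagated to the filter
     *                     chain, as the AuthenticationSuccessHandler contract allows, instead of
     *                     being swallowed with a stack-trace print
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException {
        response.sendRedirect(targetUrlFor(authentication));
    }

    /** Maps the principal's authorities to a landing page; declaration order defines precedence. */
    private static String targetUrlFor(Authentication authentication) {
        if (hasRole(authentication, UserRole.ROLE_ADMIN)) {
            return ADMIN_URL;
        }
        if (hasRole(authentication, UserRole.ROLE_TENANT_ADMIN)) {
            return TENANT_ADMIN_URL;
        }
        if (hasRole(authentication, UserRole.ROLE_USER)) {
            return USER_URL;
        }
        // NOTE(review): if the UserRole constant names do not exactly match the authority
        // strings granted in the security config, every login ends up here - on /login.
        return FALLBACK_URL;
    }

    /**
     * Checks whether {@code role} is among the principal's granted authorities.
     * The comparison is on the exact authority string, i.e. {@code role.name()}.
     *
     * @param auth the authentication whose authorities are inspected
     * @param role the required authority
     * @return {@code true} if an authority with exactly that name is present, {@code false} otherwise
     */
    private static boolean hasRole(Authentication auth, UserRole role) {
        String wanted = role.name();
        for (GrantedAuthority granted : auth.getAuthorities()) {
            // Compare from the constant side: GrantedAuthority.getAuthority() may return null
            // for authorities that cannot be represented as a String.
            if (wanted.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}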
当我尝试登录时，通过抓包观察到的网络流量如下：
- 自定义登录表单向 j_spring_security_check 提交用户名、密码和 remember-me 字段；
- 随后是对 /app/admin/secure 页面的访问。
但是，我从未被重定向到与刚登录用户的角色相对应的页面，而是一直停留在登录页面。
如果手动输入该重定向 URL，一切正常，我可以正常登录。在我看来安全配置是正确的，只是重定向不起作用。
在这个问题上的任何帮助将不胜感激。