如何在Spring Security中忽略请求参数

huangapple 未分类评论46阅读模式
标题翻译

how to ignore request parameters in spring security

问题

我想要使用以下配置实现AuthenticationFailureHandler

// 鉴权失败处理器
@Bean
public AuthenticationFailureHandler appAuthenticationFailureHandler() {

    ExceptionMappingAuthenticationFailureHandler failureHandler = new ExceptionMappingAuthenticationFailureHandler();
    Map<String, String> failureUrlMap = new HashMap<>();
    failureUrlMap.put(BadCredentialsException.class.getName(), "/login?error");
    failureUrlMap.put(AccountExpiredException.class.getName(), "/login?expired");
    failureUrlMap.put(LockedException.class.getName(), "/login?locked");
    failureUrlMap.put(DisabledException.class.getName(), "/login?disabled");
    failureHandler.setExceptionMappings(failureUrlMap);

    return failureHandler;

}

并且在SecurityConfiguration类中继承了WebSecurityConfigurerAdapter,我有:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/register", "/confirm").permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            // 用户名密码
            .usernameParameter("username")
            .passwordParameter("password")
            // 成功和失败处理器
            .successHandler(appAuthenticationSuccessHandler())
            .failureHandler(appAuthenticationFailureHandler())
            .permitAll()
            .and()
            .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/login?logout")
            .invalidateHttpSession(true)
            .clearAuthentication(true)
            .permitAll()
            .and()
            .exceptionHandling().accessDeniedHandler(accessDeniedHandler())
    ;
}

通过这样的配置,之前提到的内容不会重定向到相关的失败URL。但是,如果我移除:

.anyRequest()
.authenticated()

那么它会被重定向到相关的失败URL。但这不是良好的实践。现在的问题是,我如何配置configure()方法来忽略/login?request参数并相应地实现进一步的逻辑?

英文翻译

I want to implement AuthenticationFailureHandler with the following configuration:

// Auth failure handler
@Bean
public AuthenticationFailureHandler appAuthenticationFailureHandler() {

    ExceptionMappingAuthenticationFailureHandler failureHandler = new ExceptionMappingAuthenticationFailureHandler();
    Map&lt;String, String&gt; failureUrlMap = new HashMap&lt;&gt;();
    failureUrlMap.put(BadCredentialsException.class.getName(), &quot;/login?error&quot;);
    failureUrlMap.put(AccountExpiredException.class.getName(), &quot;/login?expired&quot;);
    failureUrlMap.put(LockedException.class.getName(), &quot;/login?locked&quot;);
    failureUrlMap.put(DisabledException.class.getName(), &quot;/login?disabled&quot;);
    failureHandler.setExceptionMappings(failureUrlMap);

    return failureHandler;

}

and in class SecurityConfiguration extends WebSecurityConfigurerAdapter I have:

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(&quot;/register&quot;, &quot;/confirm&quot;).permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .loginPage(&quot;/login&quot;)
                // username password
                .usernameParameter(&quot;username&quot;)
                .passwordParameter(&quot;password&quot;)
                // success and failure handlers
                .successHandler(appAuthenticationSuccessHandler())
                .failureHandler(appAuthenticationFailureHandler())
                .permitAll()
                .and()
                .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher(&quot;/logout&quot;))
                .logoutSuccessUrl(&quot;/login?logout&quot;)
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .permitAll()
                .and()
                .exceptionHandling().accessDeniedHandler(accessDeniedHandler())
        ;
    }

with this, all mentioned above is not redirecting to relevant failure URL, but if I remove

.anyRequest()
.authenticated()

then it is being redirected to relevant failure URL, but that is not good practice now the question is how I can configure the configure() to ignore /login?request parameter and implement further logic accordingly?

答案1

得分: 0

按我理解,问题是像“/login?.*”这样的网址只有在授权后才可访问。根据spring examples,您可以在配置文件中使用以下代码排除授权访问的路径:

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
            .antMatchers("/resources/**");
}
英文翻译

As I understand, the issue is that urls like "/login?.*" are available only after authorization. According to spring examples, you can exclude paths from authorized access with the following code in Config file:

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
            .antMatchers(&quot;/resources/**&quot;);
}

huangapple
  • 本文由 发表于 2020年3月16日 12:43:19
  • 转载请务必保留本文链接:https://java.coder-hub.com/60700435.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定