【Question title】: Spring security + sendRedirect not working
【Posted】: 2013-04-28 02:53:56
【Question】:

Currently my spring-security.xml looks like this:

    <global-method-security pre-post-annotations="enabled" />

    <http pattern="/login" security="none"/>
    <http pattern="/assets/**" security="none"/>

    <http auto-config="false" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true">
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
        <intercept-url pattern="/tadmin/**" access="ROLE_TENANT_ADMIN"/>
        <form-login login-page="/login" authentication-success-handler-ref="authenticationSuccessHandler" authentication-failure-url="/login?error"/>
        <logout logout-url="/logout" logout-success-url="/login"/>
        <remember-me/>
    </http>

    <beans:bean id="authenticationSuccessHandler" class="com.dj.LoginSuccessHandler">
        <beans:property name="useReferer" value="true"/>
    </beans:bean>

    <beans:bean id="authenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login" />
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <!-- <password-encoder hash="md5"/> -->
            <user-service>
                <user name="user" password="123" authorities="ROLE_USER"/>
                <user name="admin" password="123" authorities="ROLE_ADMIN,ROLE_USER"/>
                <user name="tadmin" password="123" authorities="ROLE_TENANT_ADMIN,ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

My custom AuthenticationSuccessHandler:

package com.dj;

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

// UserRole is an enum in the same package; its constant names are the role strings (ROLE_ADMIN, ...)
import com.dj.UserRole;

public class LoginSuccessHandler extends
        SavedRequestAwareAuthenticationSuccessHandler {
    // getters and setters for injected services

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication) {

        try {
            // Choose the landing page from the most privileged role the user holds
            String redirectUrl = "/login";
            if (hasRole(authentication, UserRole.ROLE_ADMIN)) {
                redirectUrl = "/app/admin/secure";
            } else if (hasRole(authentication, UserRole.ROLE_TENANT_ADMIN)) {
                redirectUrl = "/app/tadmin/secure";
            } else if (hasRole(authentication, UserRole.ROLE_USER)) {
                redirectUrl = "/app/USER/";
            }
            response.sendRedirect(redirectUrl);
        } catch (IOException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }

    /**
     * Check if a role is present in the authorities of the current user.
     *
     * @param auth
     *            the authenticated principal carrying all its granted authorities
     * @param role
     *            required authority
     * @return true if the role is present in the list of authorities assigned to
     *         the current user, false otherwise
     */
    private boolean hasRole(Authentication auth, UserRole role) {
        for (GrantedAuthority grantedAuthority : auth.getAuthorities()) {
            if (grantedAuthority.getAuthority().equals(role.name())) {
                return true;
            }
        }
        return false;
    }
}

When I try to log in, I can see by intercepting the network traffic:

  1. A POST from my custom login form sending username, password and remember-me to j_spring_security_check
  2. A GET for the app/admin/secure page

But whatever type of user has just logged in, I am never redirected to the right page and always stay on the login page.

When I type the redirect URL in manually everything works and I am logged in correctly. It looks to me as if security is set up correctly but the redirect is not working.

Any help would be greatly appreciated.

【Discussion】:

    Tags: java redirect spring-mvc spring-security


    【Solution 1】:

    Your intercept-url declarations are in the wrong order. You need to put the most specific ones first. /** is at the top, so it always matches. It should be the last one in the list.

    You should be able to trace the successful login and the subsequent access-denied exception in the debug log.
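    To make the ordering point concrete, here is an added example (not code from the question, the answer or the project) that replays Spring Security's first-match evaluation over the three intercept-url entries, once in the order posted and once with the catch-all last. It uses Spring's own AntPathMatcher from spring-core, which is assumed to be on the classpath; the Rule class and the sample request paths /admin/secure, /tadmin/secure and /USER/ are constructed for the demo, and they are given without the /app context path because intercept-url patterns are matched against the path within the application.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.util.AntPathMatcher;

public class InterceptUrlOrderDemo {

    /** One <intercept-url pattern=".." access=".."/> entry (constructed for this demo). */
    static final class Rule {
        final String pattern;
        final String access;

        Rule(String pattern, String access) {
            this.pattern = pattern;
            this.access = access;
        }
    }

    // Spring's Ant-style matcher, the same style of matching the security filter uses
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /**
     * intercept-url entries are evaluated top to bottom and the FIRST pattern that
     * matches decides the required access; later entries are never consulted.
     */
    static String requiredAccess(List<Rule> rules, String path) {
        for (Rule rule : rules) {
            if (MATCHER.match(rule.pattern, path)) {
                return rule.access;
            }
        }
        return null; // no rule matched: the filter would fall through
    }

    // Entries in the order given in the question: the catch-all shadows the admin rules
    static final List<Rule> AS_POSTED = Arrays.asList(
            new Rule("/**", "ROLE_USER"),
            new Rule("/admin/**", "ROLE_ADMIN"),
            new Rule("/tadmin/**", "ROLE_TENANT_ADMIN"));

    // Most specific first, catch-all last, as the answer recommends
    static final List<Rule> REORDERED = Arrays.asList(
            new Rule("/admin/**", "ROLE_ADMIN"),
            new Rule("/tadmin/**", "ROLE_TENANT_ADMIN"),
            new Rule("/**", "ROLE_USER"));

    public static void main(String[] args) {
        // Sample paths constructed for the demo (context path /app already stripped)
        for (String path : Arrays.asList("/admin/secure", "/tadmin/secure", "/USER/")) {
            System.out.printf("%-15s as posted -> %-18s reordered -> %s%n",
                    path,
                    requiredAccess(AS_POSTED, path),
                    requiredAccess(REORDERED, path));
        }
    }
}
```

    Running it shows why the order matters beyond the redirect question: with /** first, every path, including /admin/secure, resolves to ROLE_USER, so the ROLE_ADMIN and ROLE_TENANT_ADMIN requirements are dead rules and any authenticated user can reach the admin pages. With the catch-all moved to the end, the admin paths resolve to their intended roles and only the remaining paths fall through to ROLE_USER.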

    【Comments】:

    • Hi, as stated in the question, I am not getting an access-denied exception. Security is set up fine, because I can log in and navigate to the secured pages manually. I have changed the order of the intercept-urls as you suggested, but that does not solve the redirect problem.