【发布时间】:2017-06-09 03:32:58
【问题描述】:
当登录用户的会话到期时,我需要重定向到登录页面。 但是,该功能也可以作为匿名用户(即未登录的用户)访问。
每个人都可以访问“搜索地址”功能,这意味着登录用户和匿名用户(用户未登录)......
所以要求是这样的,当用户登录并执行搜索时,如果会话已经过期,它应该重定向,但是只要明确说明,如果我们不登录(即匿名),相同的搜索应该可以工作。
匿名用户在技术上已登录,因此他们也创建了一个会话,但是他们不会手动输入用户名/密码来登录,而不是登录用户
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http security="none"
pattern="^/(login\.jsp|customSkin|openlayers|images|js)[/\?].*$"
request-matcher="regex"/>
<security:http entry-point-ref="http403ForbiddenEntryPoint">
<security:anonymous enabled="true" granted-authority="ROLE_GENERIC" />
<security:custom-filter position="FORM_LOGIN_FILTER" ref="formLoginFilter"/>
<security:custom-filter position="PRE_AUTH_FILTER" ref="PreAuthenticationFilter"/>
<!-- <security:logout logout-success-url="/loginUI.jsp" /> -->
<security:logout logout-url="/logout" success-handler-ref="LogoutSuccessHandler" />
<security:session-management session-authentication-strategy-ref="sessionAuthenticationStrategy"/>
<!-- SMES Interceptors -->
<security:intercept-url pattern="/Mark**" access="ROLE_ABC_OSGV" />
<security:intercept-url pattern="/abc/admin/**" access="ROLE_ABC_OSGV" />
<security:intercept-url pattern="/abc/edit/**" access="ROLE_ABC_OSGV,ROLE_ABC_REGISTERED_USER" />
<security:intercept-url pattern="/abclookup/**" access="ROLE_ABC_OSGV,ROLE_ABC_REGISTERED_USER,ROLE_GENERIC,ROLE_ADMIN,ROLE_EDIT,ROLE_ABC_ADMIN,ROLE_ABC_HCA" />
<security:intercept-url pattern="/general/**" access=
"ROLE_ABC,
ROLE_GENERIC,
ROLE_ADMIN,
ROLE_ABC_EXPORT,
ROLE_EDIT,
ROLE_ABC,
ROLE_ABC_TPC,
ROLE_ABC_VMT,
ROLE_ABC_S,
ROLE_ABC_DATA_GENERIC,
ROLE_ABC_DATA_ADMIN,
ROLE_ABC_OSGV,
ROLE_ABC_REGISTERED_USER,
ROLE_ABC_ADMIN,
ROLE_ABC_HCA,
ROLE_ABC_NAMES" />
<!-- SMES Interceptors -->
<security:intercept-url pattern="/vicnames/edit/**" access="ROLE_ABC_ADMIN,ROLE_ABC_HCA" />
<security:intercept-url pattern="/vicnames/admin/**" access="ROLE_ABC_ADMIN" />
<!-- LASSI Interceptors -->
<security:intercept-url pattern="/edit/**" access="ROLE_ADMIN,ROLE_EDIT" />
<security:intercept-url pattern="/broadcast/save**" access="ROLE_EDIT" />
<security:intercept-url pattern="/edmbooking/admin/**" access="ROLE_ABC_BOOKING_ADMIN" />
<security:intercept-url pattern="/adminUdateLogicaLabels**" access="ROLE_ADMIN,ROLE_EDIT" />
<security:intercept-url pattern="/**" access=
"ROLE_DQA,
ROLE_GENERIC,
ROLE_ADMIN,
ROLE_DQA_EXPORT,
ROLE_EDIT,
ROLE_APS,
ROLE_ABC_TPC,
ROLE_ABC_VMT,
ROLE_ABC_TEST,
ROLE_ABC_DATA_GENERIC,
ROLE_ABC_DATA_ADMIN,
ROLE_ABC_OSGV,
ROLE_ABC_REGISTERED_USER,
ROLE_ABC_ADMIN,
ROLE_ABC_HCA,
ROLE_ABC_NAMES" />
<security:access-denied-handler ref="accessDeniedHandler"/>
</security:http>
<bean id="LogoutSuccessHandler"
class="LogoutHandlerImpl">
</bean>
<bean id="http403ForbiddenEntryPoint"
class="CustomHttp403ForbiddenEntryPoint">
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preAuthenticationProvider" />
<security:authentication-provider ref="myProfileAuthenticationProvider" />
</security:authentication-manager>
<bean id="preAuthenticationFilter" class="PreAuthenticatedProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="formLoginFilter" class="UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationSuccessHandler" ref = "authenticationSuccessHandler"/>
<property name="authenticationFailureHandler" ref = "authenticationFailureHandler" />
</bean>
<bean id="authenticationSuccessHandler"
class="AuthenticationSuccessHandlerImpl">
<!--<property name="defaultTargetUrl" value="/login.jsp"/>-->
<property name="alwaysUseDefaultTargetUrl" value="true" />
</bean>
<bean id="authenticationFailureHandler"
class="AuthenticationFailureHandler">
<!-- <property name="defaultFailureUrl" value="/sessionTimeout.jsp?login_error=true"/> -->
<property name="defaultFailureUrl" value="/login.jsp?login_error=true"/>
</bean>
<bean id="preAuthenticationProvider"
class="PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService" ref="lpreAuthenticatedUserDetailsService"/>
</bean>
<bean id="lpreAuthenticatedUserDetailsService" class="somepreauthenticateduserdetailsservice"/>
<bean id="myProfileAuthenticationProvider"
class="com.test.AuthenticationProvider">
<property name="serviceInvoker" ref="authenticationServiceInvoker" />
<property name="roleMapping">
<map>
<entry key="ABC_DQA" value="ROLE_DQA" />
<entry key="ABC_APS" value="ROLE_APS" />
<entry key="ABC_EDIT" value="ROLE_EDIT" />
<entry key="ABC_ADMINISTRATOR" value="ROLE_ADMIN" />
<entry key="ABC_GENERIC" value="ROLE_GENERIC" />
<entry key="ABC_DQA_EXPORT" value="ROLE_DQA_EXPORT" />
<entry key="ABC_FOH" value="ROLE_ABC_FOH" />
<entry key="ABC_TPC" value="ROLE_ABC_TPC" />
<entry key="ABC_VMT" value="ROLE_ABC_VMT" />
<entry key="ABC_SPEAR" value="ROLE_ABC_TEST" />
<entry key="ABC_LANDATA_GENERIC" value="ROLE_ABC_DATA_GENERIC" />
<entry key="ABC_LANDATA_ADMIN" value="ROLE_ABC_DATA_ADMIN" />
<entry key="ABC_OSGV" value="ROLE_ABC_OSGV" />
<entry key="ABC_Registered_Users" value="ROLE_ABC_REGISTERED_USER" />
<entry key="ABC_ADMINISTRATOR_ROLE" value="ROLE_ABC_ADMIN" />
<entry key="ABC_HISTORIAN_ROLE" value="ROLE_ABC_HCA" />
<entry key="ABC_PUBLIC_ROLE" value="ROLE_ABC_NAMES" />
<entry key="ABC_BOOKING_ADMIN" value="ROLE_EDM_BOOKING_ADMIN" />
</map>
</property>
</bean>
<bean id="accessDeniedHandler"
class="someaccessdeniedhandler">
<property name="errorPage" value="/login.jsp?access_denied=true"/>
</bean>
<bean id="authenticationServiceInvoker"
class="com.test.AuthenticationServiceInvoker" />
<bean id="sessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
<property name="maximumSessions" value="1"/>
</bean>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
</beans>
public class CustomHttp403ForbiddenEntryPoint implements AuthenticationEntryPoint {
private static final Log logger = LogFactory.getLog(Http403ForbiddenEntryPoint.class);
/**
* Always returns a 403 error code to the client.
*/
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException arg2) throws IOException,
ServletException {
if (logger.isDebugEnabled()) {
logger.debug("Pre-authenticated entry point called. Rejecting access");
}
HttpServletResponse httpResponse = (HttpServletResponse) response;
if (request.getUserPrincipal() == null && request.getContentType() != null && request.getContentType().toLowerCase().indexOf("multipart/form-data") > -1 ) {
returnJSSCript(request, response, "{\"sessionTimeout\":\"true\"}");
}
else {
httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
}
}
private void returnJSSCript(HttpServletRequest req, HttpServletResponse response, String msg){
response.setContentType("text/html");
try {
String eventName = "sessionTimeout";
PrintWriter out = response.getWriter();
out.println("<script type=\"text/javascript\">");
out.println("parent.fireEvent('" + eventName + "','" + msg + "');");
out.println("</script>");
}
catch (IOException e) {
e.printStackTrace();
}
}
}
您能否告诉我,当用户会话过期时,我们如何重定向到登录页面,而不会破坏允许匿名用户仍然在 Spring Security 中执行搜索的搜索功能。
干杯, 技术XX
【问题讨论】:
-
我们有带有请求映射“/general/search.json”的spring后端。这是在按钮单击时从前端调用的。
-
Spring 安全配置有一个拦截器模式“/**”,它将照顾具有所有角色的用户,包括角色通用。
标签: spring-security