我正在尝试创建无状态安全性,其中 JWT 令牌存储在 Cookie 而不是 SESSION 中。
问题是如果没有会话SavedRequestAwareAuthenticationSuccessHandler不知道原始请求(在弹出身份验证页面之前)。所以在行77 here https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/SavedRequestAwareAuthenticationSuccessHandler.java#L77已保存的请求为空。
这看起来很奇怪,我想我做错了什么。如何允许页面重定向到无状态会话登录后请求的原始 URL?
-
我禁用会话
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
....formLogin().loginPage("/login").permitAll().successHandler(authenticationSuccessHandler)
}
-
然后,我创建一个自定义 AuthenticationSuccessHandler,它扩展了 SavedRequestAwareAuthenticationSuccessHandler。我将其注册为 successHandler(见上图)。
@Component
public class JwtCookieAuthenticationSuccessHandler extends
SavedRequestAwareAuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
throws IOException, ServletException {
Cookie cookie = ... CREATE A COOKIE WITH A JWT
response.addCookie(cookie);
super.onAuthenticationSuccess(request, response, authentication);
}
}
编辑:
这是我的依赖项:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>1.5.2.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
</dependency>
</dependencies>
在您的配置中,添加:
.requestCache().requestCache(new CookieRequestCache())
完整示例:
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().csrfTokenRepository(new CookieCsrfTokenRepository())
.and()
.authorizeRequests()
.antMatchers("/about").permitAll()
.antMatchers("/accounts").hasRole("ADMINISTRATOR")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.requestCache().requestCache(new CookieRequestCache())
.and()
.logout()
.permitAll()
.and()
.sessionManagement()
.maximumSessions(1)
.sessionRegistry(sessionRegistry())
.and()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.securityContext()
.securityContextRepository(securityContextRepository);
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)
