[英]use spring security to tell ajax requests where the login page is
I have some url secured with spring (configured through xml). 我有一些用弹簧固定的URL(通过xml配置)。 It works. 有用。 However when I try to hit that endpoint with an ajax request I get a 302 (found) response. 但是,当我尝试使用ajax请求命中该端点时,我得到302(找到)响应。 This redirects my ajax call to the login page (so I GET the html). 这会将我的ajax调用重定向到登录页面(所以我获取了html)。 However I'd like to get a 401 (unauthorized) response with the url of the login page available to the client application, so I can redirect the user there with javascript. 但是我希望得到一个401(未经授权的)响应,其中登录页面的URL可用于客户端应用程序,因此我可以使用javascript将用户重定向到那里。 This question seems to be the closest to what I want, but there's no example and it suggests changing the controller again. 这个问题似乎与我想要的最接近,但是没有例子,它建议再次更换控制器。 Is there no configuration in spring-security that will give me a 401 and a url (or some other sensible error message and the url of the login page)? spring-security中是否没有配置会给我401和url(或其他一些明智的错误消息和登录页面的URL)?
You can extend LoginUrlAuthenticationEntryPoint. 您可以扩展LoginUrlAuthenticationEntryPoint。 Here is my one: 这是我的一个:
package hu.progos.springutils;
// imports omitted
public class AjaxAwareLoginUrlAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {
public void commence(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationException authException) throws IOException, ServletException {
if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
} else {
super.commence(request, response, authException);
}
}
}
Then configure spring to use your implementation: 然后配置spring以使用您的实现:
<beans:bean id="authEntryPoint" class="hu.progos.springutils.AjaxAwareLoginUrlAuthenticationEntryPoint" scope="singleton>
<beans:property name="loginFormUrl" value="/login.html" />
</beans:bean>
<http entry-point-ref="authEntryPoint">
<!-- your settings here -->
</http>
There are a million ways to do this of course. 当然,有一百万种方法可以做到这一点。 But the short solution to your problem is this configuration snippet: 但是,您的问题的简短解决方案是此配置代码段:
<bean id="customAuthEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/your-custom-login" />
</bean>
I also take a step further and turn off the security auto-config so I can map the above entry point like so: 我还进一步关闭安全自动配置,以便我可以像这样映射上面的入口点:
<security:http auto-config="false" entry-point-ref="customAuthEntryPoint">
...
...
</security:http>
I also override a bunch of spring security classes to get the security model to do exactly what I want. 我还覆盖了一堆Spring安全类,以使安全模型完全符合我的要求。 It's a slippery slope, but it's nice having the control once it works the way you want it to. 这是一个很滑的斜坡,但是一旦它按照你想要的方式工作就很好。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.