[英]Spring Impersonation SwitchUserFilter Not Working | Filter is not adding to spring security chain
[英]Spring Security SwitchUserFilter exitUserUrl ignored?
我在spring security的SwitchUserFilter
上遇到問題。 當我以ADMIN角色登錄時,可以切換用戶並再次返回。 問題是,當第二次切換用戶時,我似乎無法切換回去。 當我直接在瀏覽器中轉到/ secured / switch / back時,這會顯示在我的日志中。
[FilterChainProxy] : /secured/admin at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
...
[AbstractSecurityInterceptor] : Secure object: FilterInvocation: URL: /secured/admin; Attributes: [hasRole('ADMIN')]
[AbstractSecurityInterceptor] : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@99f3cebe: Principal: harry [OTHER]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 756CEC9064C2B1B4D788624786F26137; Granted Authorities: OTHER, Switch User Authority [ROLE_PREVIOUS_ADMINISTRATOR,org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6b846d6c: Principal: max [ADMIN]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 26B09EEF635C1758BE96B86AB6354434; Granted Authorities: ADMIN]
[AffirmativeBased] : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3e35ec54, returned: -1
[ExceptionTranslationFilter] : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
通常,當用戶使用配置的/secured/switch/back
url /secured/switch/back
, FilterChainProxy
開始過濾對url / secured / switch / back的請求。 但是,第二次將該URL更改為/ secured / admin並拒絕了權限。
有人知道這里可能會發生什么嗎?
我有以下配置。
<beans:bean id="switchUserProcessingFilter"
class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
<beans:property name="userDetailsService" ref="org.example.CustomUserDetailsService"/>
<beans:property name="switchUserUrl" value="/secured/admin/switch/user" />
<beans:property name="exitUserUrl" value="/secured/switch/back" />
<beans:property name="usernameParameter" value="username" />
<beans:property name="successHandler" ref="RedirectingAuthenticationSuccessHandler" />
</beans:bean>
<beans:bean id="authenticationSuccessHandler" class="org.example.RedirectingAuthenticationSuccessHandler" />
<http use-expressions="true" access-denied-page="/secured/access/denied" >
<custom-filter ref="switchUserProcessingFilter" position="SWITCH_USER_FILTER" />
<intercept-url pattern="/secured/login" access="permitAll()" />
<intercept-url pattern="/secured/login/auth" access="permitAll()" />
<intercept-url pattern="/secured/switch/back" access="hasAnyRole('ADMIN', 'OTHER')" />
<intercept-url pattern="/secured/admin/**" access="hasRole('ADMIN')" />
<intercept-url pattern="/secured/other/**" access="hasRole('OTHER')" />
<form-login
login-page='/secured/login'
login-processing-url="/secured/login/auth"
authentication-success-handler-ref="authenticationSuccessHandler"
username-parameter="username"
password-parameter="password"
/>
<logout logout-url="/secured/logout" logout-success-url="/secured/login" />
和成功經理
public class RedirectingAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
private static final Logger logger = LoggerFactory.getLogger(RedirectingAuthenticationSuccessHandler.class);
private static final RoleBasedRedirectStrategy redirectHandler = new RoleBasedRedirectStrategy();
/*
* Redirect request based on user role.
*
* For example:
* Role ADMIN redirects to /secured/admin
* Role OTHER redirects to /secured/other
*/
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
User user = (User) authentication.getPrincipal();
logger.info("Authentication successful for {}", user);
redirectHandler.handleRedirect(request, response, user);
}
}
從問題注釋中提取:
您確定您的
redirectHandler
沒有發送永久重定向(301)嗎?
客戶端可以緩存永久重定向。 因此,可能沒有對/secured/switch/back
實際第二個請求,它直接轉到了先前解析的成功URL /secured/admin
(這將導致訪問被拒絕 (403),因為您仍然以OTHER
身份登錄)。
順便說一下,有一種發送臨時(302)重定向的方法 (也由Spring的DefaultRedirectStrategy使用 ):
response.sendRedirect(targetUrl);
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.