java - Spring Security 自定义 AuthenticationSuccessHandler 被忽略

Question

我正在使用 Spring boot + data rest 设置纯 json rest 服务，现在无法让我的自定义身份验证成功处理程序(以及身份验证失败处理程序)来处理登录响应。登录本身可以正常工作，但服务器响应状态为 302 的成功登录而没有重定向 url(这会触发错误，例如在 javascript 的 XMLHttpRequest 中)并完全忽略我在配置中设置的处理程序。

网络安全配置:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, proxyTargetClass = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
private UserDetailsService userDetailsService;

@Autowired
private RESTAuthenticationEntryPoint authenticationEntryPoint;
@Autowired
private RESTAuthenticationFailureHandler authenticationFailureHandler;
@Autowired
private RESTAuthenticationSuccessHandler authenticationSuccessHandler;
@Autowired
private RESTLogoutSuccessHandler logoutSuccessHandler;

@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
    return new BCryptPasswordEncoder();
}

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
        .cors();

    http
        .exceptionHandling()
        .authenticationEntryPoint(authenticationEntryPoint);

    http
        .formLogin()
        .permitAll()
        .loginProcessingUrl("/login")
        .successHandler(authenticationSuccessHandler)
        .failureHandler(authenticationFailureHandler);

    http
        .logout()
        .permitAll()
        .logoutUrl("/logout")
        .logoutSuccessHandler(logoutSuccessHandler);

    http
        .sessionManagement()
        .maximumSessions(1);

    http.addFilterAt(getAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);

    http.authorizeRequests().anyRequest().authenticated();
}

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.addAllowedOrigin("*");
    configuration.setAllowCredentials(true);
    configuration.setExposedHeaders(Arrays.asList("X-CSRF-TOKEN"));
       configuration.setAllowedHeaders(Arrays.asList("X-CSRF-TOKEN", "content-type"));
    configuration.setAllowedMethods(Arrays.asList("GET","POST","OPTIONS"));
    configuration.setMaxAge(3600L);
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

@Bean
public PermissionEvaluator customPermissionEvaluator() {
    return new CustomPermissionEvaluator();
}

protected CustomUsernamePasswordAuthenticationFilter getAuthenticationFilter() {
    CustomUsernamePasswordAuthenticationFilter authFilter = new CustomUsernamePasswordAuthenticationFilter();
    try { 
        authFilter.setAuthenticationManager(this.authenticationManagerBean());
    } catch (Exception e) {
        e.printStackTrace();
    }
    return authFilter;
}

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
}
}

AuthenticationSuccessHandler:

@Component
public class RESTAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                    Authentication authentication) throws IOException, ServletException {
    response.setStatus(HttpServletResponse.SC_OK);
    PrintWriter writer = response.getWriter();
    writer.write("Login OK");
    writer.flush();        
    clearAuthenticationAttributes(request);
}
}

CustomUsernamePasswordAuthenticationFilter 只是从 json 中读取用户名和密码，它不会覆盖 filter() 方法:

public class CustomUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

private final Logger log = LoggerFactory.getLogger(this.getClass());

private boolean postOnly = true;

@Override
public Authentication attemptAuthentication(HttpServletRequest request,
        HttpServletResponse response) throws AuthenticationException {

    if (postOnly && !request.getMethod().equals("POST")) {
        throw new AuthenticationServiceException(
                "Authentication method not supported: " + request.getMethod());
    }

    LoginRequest loginRequest;
    try {
        BufferedReader reader = request.getReader();
        StringBuffer sb = new StringBuffer();
        String line = null;
        while ((line = reader.readLine()) != null){
            sb.append(line);
        }
        ObjectMapper mapper = new ObjectMapper();
        loginRequest = mapper.readValue(sb.toString(), LoginRequest.class);
    } catch (Exception ex) {
        throw new AuthenticationServiceException("Unable to read login credentials.");
    }

    UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
            loginRequest.getEmail(), loginRequest.getPassword());

    setDetails(request, authRequest);
    return this.getAuthenticationManager().authenticate(authRequest);
}
}

在调试日志中，我可以看到有一个奇怪的 RequestAwareAuthenticationSuccessHandler，它在登录处理程序之后获取请求，并且只是将默认重定向传递给“/”:

2016-12-28 15:44:02.358 DEBUG 6194 --- [nio-8080-exec-7] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-12-28 15:44:02.358 DEBUG 6194 --- [nio-8080-exec-7] o.s.orm.jpa.JpaTransactionManager        : Creating new transaction with name [xxx.server.service.impl.UserDetailsServiceImpl.loadUserByUsername]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly; ''
2016-12-28 15:44:02.358 DEBUG 6194 --- [nio-8080-exec-7] o.s.orm.jpa.JpaTransactionManager        : Opened new EntityManager [org.hibernate.jpa.internal.EntityManagerImpl@908810e] for JPA transaction
2016-12-28 15:44:02.358 DEBUG 6194 --- [nio-8080-exec-7] o.s.jdbc.datasource.DataSourceUtils      : Setting JDBC Connection [ProxyConnection[PooledConnection[org.postgresql.jdbc.PgConnection@4d362a0f]]] read-only
2016-12-28 15:44:02.358 DEBUG 6194 --- [nio-8080-exec-7] o.s.orm.jpa.JpaTransactionManager        : Exposing JPA transaction as JDBC transaction [org.springframework.orm.jpa.vendor.HibernateJpaDialect$HibernateConnectionHandle@7cf6e5f]
[...]
2016-12-28 15:44:02.380 DEBUG 6194 --- [nio-8080-exec-7] o.s.orm.jpa.JpaTransactionManager        : Initiating transaction commit
2016-12-28 15:44:02.380 DEBUG 6194 --- [nio-8080-exec-7] o.s.orm.jpa.JpaTransactionManager        : Committing JPA transaction on EntityManager [org.hibernate.jpa.internal.EntityManagerImpl@908810e]
2016-12-28 15:44:02.381 DEBUG 6194 --- [nio-8080-exec-7] o.s.jdbc.datasource.DataSourceUtils      : Resetting read-only flag of JDBC Connection [ProxyConnection[PooledConnection[org.postgresql.jdbc.PgConnection@4d362a0f]]]
2016-12-28 15:44:02.381 DEBUG 6194 --- [nio-8080-exec-7] o.s.orm.jpa.JpaTransactionManager        : Closing JPA EntityManager [org.hibernate.jpa.internal.EntityManagerImpl@908810e] after transaction
2016-12-28 15:44:02.381 DEBUG 6194 --- [nio-8080-exec-7] o.s.orm.jpa.EntityManagerFactoryUtils    : Closing JPA EntityManager
2016-12-28 15:44:02.488 DEBUG 6194 --- [nio-8080-exec-7] RequestAwareAuthenticationSuccessHandler : Using default Url: /
2016-12-28 15:44:02.488 DEBUG 6194 --- [nio-8080-exec-7] o.s.s.web.DefaultRedirectStrategy        : Redirecting to '/'
2016-12-28 15:44:02.488 DEBUG 6194 --- [nio-8080-exec-7] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@273d8edd
2016-12-28 15:44:02.488 DEBUG 6194 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@faa222b9: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@faa222b9: Principal: org.springframework.security.core.userdetails.User@fa84ebb2: Username: hyriauser1@hyria-demo.tbd; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffed504: RemoteIpAddress: 127.0.0.1; SessionId: 1F3FF4A3203600AE56E3CB391BE96EFC; Granted Authorities: USER' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade@692480d1
2016-12-28 15:44:02.488 DEBUG 6194 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

Answer 1

http
        .formLogin()
        .permitAll()
        .loginProcessingUrl("/login")
        .successHandler(authenticationSuccessHandler)
        .failureHandler(authenticationFailureHandler);

您自己的 authenticationSuccessHandler 注入(inject)到 UsernamePasswordAuthenticationFilter，并添加扩展 UsernamePasswordAuthenticationFilter 而不是 的 CustomUsernamePasswordAuthenticationFilter用户名密码AuthenticationFilter

http.addFilterAt(getAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

但是您自己的 CustomUsernamePasswordAuthenticationFilter 使用默认的成功处理程序。

protected CustomUsernamePasswordAuthenticationFilter getAuthenticationFilter() {
    CustomUsernamePasswordAuthenticationFilter authFilter = new CustomUsernamePasswordAuthenticationFilter();
    try { 
        authFilter.setAuthenticationManager(this.authenticationManagerBean());
    } catch (Exception e) {
        e.printStackTrace();
    }
    return authFilter;
}

我看不到您将成功处理程序注入(inject) CustomUsernamePasswordAuthenticationFilter 的任何代码。

您需要将成功处理程序添加到 CustomUsernamePasswordAuthenticationFilter。

authFilter.setAuthenticationManager(this.authenticationManagerBean());
// set handler           
authFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler);       
authFilter.setAuthenticationFailureHandler(authenticationFailureHandler);