java - Spring Security 2 自定义身份验证提供程序不保存安全上下文

Question

我已将默认身份验证提供程序更改为自定义身份验证提供程序。

这是我的 AuthenticationProvider

public class CustomAuthenticationProvider implements AuthenticationProvider {

@Autowired
private ParamsProperties paramsProperties;  

@SuppressWarnings("unchecked")
public Authentication authenticate(Authentication authentication) throws AuthenticationException {

    //Check username and passwd
    String user = (String) authentication.getPrincipal();
    String pass = (String) authentication.getCredentials();
    if(StringUtils.isBlank(user) || StringUtils.isBlank(pass) ){
        throw new BadCredentialsException("Incorrect username/password");
    }

    //Create SSO
    SingleSignOnService service = new SingleSignOnService(paramsProperties.getServicesServer());
    try {
        //Check logged
        service.setUsername(authentication.getName());
        service.setPassword(authentication.getCredentials().toString());
        ClientResponse response = service.call();
        String result = response.getEntity(String.class);

        ObjectMapper mapper = new ObjectMapper();
        Map<String,Object> map = mapper.readValue(result, new TypeReference<Map<String,Object>>() {} );
        //Read code
        String code = (String)map.get("code");
        log.debug(" ** [Authenticate] Result: " + code );
        for (String s : (List<String>)map.get( "messages" ) ) {
            log.debug(" [Authenticate] Message: " + s );
        }

        if ( code.equals( "SESSION_CREATED" ) || code.equals( "SESSION_UPDATED" ) || code.equals( "SESSION_VERIFIED" ) ) {              
            UsernamePasswordAuthenticationToken tokenSSO = LoginHelper.getuserSringTokenFromAuthService(map);            
            return tokenSSO;                
        } else {
            return null;
        }
    } catch (Exception e) {
        e.printStackTrace();
        throw new AuthenticationServiceException( e.getMessage() );
    }
}


public boolean supports(Class authentication) {
    return authentication.equals(UsernamePasswordAuthenticationToken.class);
}

这是我的 security.xml

<http>
  <form-login default-target-url ="/Login.html" always-use-default-target="true" login-page="/Login.html" login-processing-url="/j_spring_security_check"
        authentication-failure-url="/Login.html" />  
  <http-basic />
  <logout logout-success-url="/Login.html" />
</http>

<beans:bean id="localeFilter" class="com.mycomp.comunes.server.spring.controller.login.MyLocaleFilter" lazy-init="true">
    <custom-filter position="LAST"/>
</beans:bean>  

<beans:bean id="authenticationProvider" class="com.indra.rfef.comunes.server.spring.manager.autenticacion.CustomAuthenticationProvider">
  <custom-authentication-provider />
</beans:bean>

它超越了我的 CustomAuthenticationProvider，并正确验证了用户。但是当返回类型为 UsernamePasswordAuthenticationToken 的 tokenSSO 时，它似乎没有将用户保存在安全上下文中，并且当我重定向用户时(在 的回调中) authenticate) 到 index.html，我被重定向回 Login.html。

为什么会这样？我是不是忘记了什么？

Answer 1

请修复您的配置:

<http>
    <intercept-url pattern="/Login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>        
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <form-login login-page="/Login.html" login-processing-url="/j_spring_security_check" authentication-failure-url="/Login.html" />  
    <http-basic />
    <logout logout-success-url="/Login.html" />
</http>

1. 删除 default-target-url ="/Login.html" .它在登录到同一登录页面后进行重定向。默认值为 / .
2. 在所有 URL 上添加安全性 <intercept-url pattern="/**" access="ROLE_USER"/>
3. 不要从登录页面删除匿名访问
4. 为什么需要 BasicAuthentication？如果不需要，请将其删除:<http-basic />