春季安全返回到登錄頁面登錄成功

Question

我SRING申請後有以下春季安全配置：

@Configuration 
@ComponentScan(value="org.webapp") 
@EnableWebSecurity 
public class SecurityConfig extends WebSecurityConfigurerAdapter { 

    @Autowired 
    private DataSource restDataSource; 

    @Autowired 
    public void configure(AuthenticationManagerBuilder auth) throws Exception { 
     auth 
      .jdbcAuthentication() 
      .dataSource(restDataSource) 
      .usersByUsernameQuery(getUserQuery()) 
      .authoritiesByUsernameQuery(getAuthoritiesQuery()); 
    } 

    protected void configure(HttpSecurity http) throws Exception { 
     http 
      .csrf() 
       .disable() 
      .authorizeRequests() 
       .antMatchers("/css/**", "/fonts/**", "/image/**", "/js/**").permitAll() 
       .anyRequest().authenticated() 
       .and() 
      .formLogin() 
       .loginPage("/spring/index").permitAll() 
       .loginProcessingUrl("/spring/login").permitAll() 
       .usernameParameter("login") 
       .passwordParameter("senha") 
       .successHandler(new CustomAuthenticationSuccessHandler()) 
       .failureHandler(new CustomAuthenticationFailureHandler()) 
       .and() 
      .logout() 
       .logoutUrl("/spring/logout") 
       .logoutSuccessUrl("/spring/index").permitAll(); 
    } 

    private String getUserQuery() { 
     return "SELECT login as username, senha as password " 
       + "FROM usuario " 
       + "WHERE login = ?"; 
    } 

    private String getAuthoritiesQuery() { 
     return "SELECT DISTINCT usuario.login as username, autorizacao.descricao as authority " 
       + "FROM usuario, autorizacao_usuario, autorizacao " 
       + "WHERE usuario.id = autorizacao_usuario.fk_usuario " 
       + "AND autorizacao.id = autorizacao_usuario.fk_autorizacao " 
       + "AND usuario.login = ? "; 
    } 

} 

但我有一個問題是：當我告知登錄credencials，系統返回到登錄頁面而不是目標頁面（/ spring/home）。我查看堆棧軌道，沒有顯示錯誤。

有人可以看到有什麼問題嗎？

UPDATE

CustomAuthenticationSuccessHandler

public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler { 

    @Override 
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication auth) throws IOException, ServletException { 
     System.out.println("CustomAuthenticationSuccessHandler"); 
     HttpSession session = request.getSession(); 
     SavedRequest savedReq = (SavedRequest) session.getAttribute(WebAttributes.ACCESS_DENIED_403); 
     if (savedReq == null) { 
      response.sendRedirect(request.getContextPath() + "/spring/home"); 
     } 
     else { 
      response.sendRedirect(savedReq.getRedirectUrl()); 
     } 
    } 

} 

CustomAuthenticationFailureHandler

public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler { 

    @Override 
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException auth) throws IOException, ServletException { 
     System.out.println("CustomAuthenticationFailureHandler"); 
     response.sendRedirect(request.getContextPath() + "/spring/erro-login"); 
    } 

} 

UPDATE 2

項目的完整的源代碼可以在這裏看到：https://github.com/klebermo/webapp1

Answer 1

的問題是（或可能）的目標錯誤頁面沒有被列爲「允許所有」網址：

@Override 
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException auth) throws IOException, ServletException { 
    System.out.println("CustomAuthenticationFailureHandler"); 
    response.sendRedirect(request.getContextPath() + "/spring/erro-login"); 
} 

在您重定向到"/spring/erro-login"認證失敗 - 然而，這不是在你的安全螞蟻匹配上市，所以這個URL得到由抓：

.anyRequest().authenticated() 

由於未經過身份驗證，您無法訪問該URL，因此Spring會將您重定向到登錄頁面。

嘗試更新到：

 .authorizeRequests() 
      .antMatchers("/spring/erro-login").permitAll() 
      .antMatchers("/css/**", "/fonts/**", "/image/**", "/js/**").permitAll() 
      .anyRequest().authenticated() 

Answer 2

看起來你錯過了你的formLogin配置添加.defaultSuccessUrl("/spring/home")。

而且如果我是你，會隨時添加.failureUrl("/login?login_error=1")只是爲了確保有關被記錄或故障發生後在登錄時。