Spring Security SavedRequestAwareAuthenticationSuccessHandler类

最新推荐文章于 2023-12-28 15:52:32 发布
最新推荐文章于 2023-12-28 15:52:32 发布
阅读量2.5k 收藏 4
点赞数
分类专栏: spring boot spring 文章标签: spring java java-ee spring security
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/fggdgh/article/details/125025287
版权

SavedRequestAwareAuthenticationSuccessHandler类是SpringSecurity提供的登录成功处理器,登录成功后该处理器会从Session中获取认证之前访问的url,然后将用户重定向到该url地址,

  1. 设置认证之前的url

    RequestCache.java

    	/**
	 * Caches the current request for later retrieval, once authentication has taken
	 * place. Used by <tt>ExceptionTranslationFilter</tt>.
	 * @param request the request to be stored
	 */
	void saveRequest(HttpServletRequest request, HttpServletResponse response);

	/**
	 * Returns the saved request, leaving it cached.
	 * @param request the current request
	 * @return the saved request which was previously cached, or null if there is none.
	 */
	SavedRequest getRequest(HttpServletRequest request, HttpServletResponse response);

	/**
	 * Returns a wrapper around the saved request, if it matches the current request. The
	 * saved request should be removed from the cache.
	 * @param request
	 * @param response
	 * @return the wrapped save request, if it matches the original, or null if there is
	 * no cached request or it doesn't match.
	 */
	HttpServletRequest getMatchingRequest(HttpServletRequest request, HttpServletResponse response);

	/**
	 * Removes the cached request.
	 * @param request the current request, allowing access to the cache.
	 */
	void removeRequest(HttpServletRequest request, HttpServletResponse response);

    在spring security中RequestCache有三个默认实现,HttpSessionRequestCache通过session存储前一次请求信息、NullRequestCache一般禁用session的情况下使用,不会存储前一次请求信息、CookieRequestCache使用cookie存储前一次请求信息。

    ExceptionTranslationFilter.java

    private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		try {
			chain.doFilter(request, response);
		}
		catch (IOException ex) {
			throw ex;
		}
		catch (Exception ex) {
			// Try to extract a SpringSecurityException from the stacktrace
			Throwable[] causeChain = this.throwableAnalyzer.determineCauseChain(ex);
			RuntimeException securityException = (AuthenticationException) this.throwableAnalyzer
					.getFirstThrowableOfType(AuthenticationException.class, causeChain);
			if (securityException == null) {
				securityException = (AccessDeniedException) this.throwableAnalyzer
						.getFirstThrowableOfType(AccessDeniedException.class, causeChain);
			}
			if (securityException == null) {
				rethrow(ex);
			}
			if (response.isCommitted()) {
				throw new ServletException("Unable to handle the Spring Security Exception "
						+ "because the response is already committed.", ex);
			}
			handleSpringSecurityException(request, response, chain, securityException);
		}
	}

protected void sendStartAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
			AuthenticationException reason) throws ServletException, IOException {
		// SEC-112: Clear the SecurityContextHolder's Authentication, as the
		// existing Authentication is no longer considered valid
		SecurityContext context = SecurityContextHolder.createEmptyContext();
		SecurityContextHolder.setContext(context);
		this.requestCache.saveRequest(request, response);
		this.authenticationEntryPoint.commence(request, response, reason);
	}

    ExceptionTranslationFilter在捕获身份认证异常之后会调用requestCache将此次请求存储,以便登录成功后由SavedRequestAwareAuthenticationSuccessHandler调用此次请求信息,并重定向到url。

  2. 重定向到认证前url

    SavedRequestAwareAuthenticationSuccessHandler.java

    private RequestCache requestCache = new HttpSessionRequestCache();

	@Override
	public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
			Authentication authentication) throws ServletException, IOException {
		SavedRequest savedRequest = this.requestCache.getRequest(request, response);
		if (savedRequest == null) {
			super.onAuthenticationSuccess(request, response, authentication);
			return;
		}
		String targetUrlParameter = getTargetUrlParameter();
		if (isAlwaysUseDefaultTargetUrl()
				|| (targetUrlParameter != null && StringUtils.hasText(request.getParameter(targetUrlParameter)))) {
			this.requestCache.removeRequest(request, response);
			super.onAuthenticationSuccess(request, response, authentication);
			return;
		}
		clearAuthenticationAttributes(request);
		// Use the DefaultSavedRequest URL
		String targetUrl = savedRequest.getRedirectUrl();
		getRedirectStrategy().sendRedirect(request, response, targetUrl);
	}

    在SavedRequestAwareAuthenticationSuccessHandler源码中有一个RequestCache属性,在登录成功后会调用RequestCache.getRequest获取前一次请求信息然后重定向到该url。

  3. 自定义RequestCache

    public class RedisRequestCache implements RequestCache {


    static final String SAVED_REQUEST = "SPRING_SECURITY_SAVED_REQUEST";

    protected final Log logger = LogFactory.getLog(this.getClass());

    private PortResolver portResolver = new PortResolverImpl();

    private RequestMatcher requestMatcher = AnyRequestMatcher.INSTANCE;

    private String sessionAttrName = SAVED_REQUEST;

    @Autowired
    private RedisCache redisCache;

    /**
     * Stores the current request, provided the configuration properties allow it.
     */
    @Override
    public void saveRequest(HttpServletRequest request, HttpServletResponse response) {
        if (!this.requestMatcher.matches(request)) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(
                        LogMessage.format("Did not save request since it did not match [%s]", this.requestMatcher));
            }
            return;
        }
        String redirectUrl = UrlUtils.buildFullRequestUrl(request);
        // DefaultSavedRequest savedRequest = new DefaultSavedRequest(request, this.portResolver);
        redisCache.setCacheObject(this.sessionAttrName, encodeCookie(redirectUrl));
    }

    @Override
    public SavedRequest getRequest(HttpServletRequest currentRequest, HttpServletResponse response) {
        String originalURI = redisCache.getCacheObject(this.sessionAttrName);
        if (StringUtils.isEmpty(originalURI)) {
            return null;
        }
        // var str = JSON.toJSONString(originalURI);
        UriComponents uriComponents = UriComponentsBuilder.fromUriString(decodeCookie(originalURI)).build();
        DefaultSavedRequest.Builder builder = new DefaultSavedRequest.Builder();
        int port = getPort(uriComponents);
        return builder.setScheme(uriComponents.getScheme()).setServerName(uriComponents.getHost())
                .setRequestURI(uriComponents.getPath()).setQueryString(uriComponents.getQuery()).setServerPort(port)
                .setMethod(currentRequest.getMethod()).build();
        // return JSON.parseObject(str, SavedRequest.class);
        // return (SavedRequest) savedRequest;
    }

    @Override
    public void removeRequest(HttpServletRequest currentRequest, HttpServletResponse response) {
        redisCache.deleteObject(this.sessionAttrName);
    }

    @Override
    public HttpServletRequest getMatchingRequest(HttpServletRequest request, HttpServletResponse response) {
        SavedRequest saved = getRequest(request, response);
        if (saved == null) {
            this.logger.trace("No saved request");
            return null;
        }
        if (!matchesSavedRequest(request, saved)) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(LogMessage.format("Did not match request %s to the saved one %s",
                        UrlUtils.buildRequestUrl(request), saved));
            }
            return null;
        }
        removeRequest(request, response);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug(LogMessage.format("Loaded matching saved request %s", saved.getRedirectUrl()));
        }
        return request;
    }

    private boolean matchesSavedRequest(HttpServletRequest request, SavedRequest savedRequest) {
        if (savedRequest instanceof DefaultSavedRequest) {
            DefaultSavedRequest defaultSavedRequest = (DefaultSavedRequest) savedRequest;
            return defaultSavedRequest.doesRequestMatch(request, this.portResolver);
        }
        String currentUrl = UrlUtils.buildFullRequestUrl(request);
        return savedRequest.getRedirectUrl().equals(currentUrl);
    }

    private int getPort(UriComponents uriComponents) {
        int port = uriComponents.getPort();
        if (port != -1) {
            return port;
        }
        if ("https".equalsIgnoreCase(uriComponents.getScheme())) {
            return 443;
        }
        return 80;
    }

    private static String encodeCookie(String cookieValue) {
        return Base64.getEncoder().encodeToString(cookieValue.getBytes());
    }

    private static String decodeCookie(String encodedCookieValue) {
        return new String(Base64.getDecoder().decode(encodedCookieValue.getBytes()));
    }

    public void setRequestMatcher(RequestMatcher requestMatcher) {
        this.requestMatcher = requestMatcher;
    }

    public void setPortResolver(PortResolver portResolver) {
        this.portResolver = portResolver;
    }

    public void setSessionAttrName(String sessionAttrName) {
        this.sessionAttrName = sessionAttrName;
    }

}

    @Override
public void configure(HttpSecurity http) throws Exception {
  http.requestCache(httpSecurityRequestCacheConfigurer -> {
    httpSecurityRequestCacheConfigurer.requestCache(redisRequestCache());
  });
}

    自定义登录成功处理器需要手动配置自定义的RequestCache。

EumenidesJ
关注
  • 0
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
SpringSecurity.md
07-21
SpringSecurity.md
SpringSecurity.zip
06-08
什么是安全框架? 解决系统安全问题的框架。如果没有安全框架,我们需要手动处理每个资源的访问控制,非常麻烦。使用安全框架,我们可以通过配置的方式实现对资源的访问限制。 ​ Spring Securityspring家族一员。是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。 Apache Shiro 是一个功能强大且易于使用的Java安全框架,提供了认证,授权,加密,和会话管理。
SpringSecurity素材.rar
03-02
狂神(秦疆)springboot web开发中的springsecurity素材 对应B站视频的P34
SpringSecurity课程文档下载 pdf 教学
05-05
SpringSecurity课程文档下载 pdf 教学
SpringSecurity.pdf
05-24
SpringSecurity入门到进阶到高级,是我们老师给我们讲课用的,我们都照着配就没有问题,可以跑通,
SpringSecurityOAuth2登录后无法跳转获取授权码地址,直接跳转根路径原因详解
oPeiJie1的博客
04-10 2342
至于UserDetailsService、TokenConfig、ResourceServerConfig 令牌配置、AuthorityServerConfig、Controller请自行到本文开头提到的那篇文章中查看。
Spring SecurityAuthenticationSuccessHandler 用户认证成功后处理
最新发布
杜小舟的博客
12-28 1094
`AuthenticationSuccessHandler` 接口的作用是做用户认证成功后执行的操作处理器;官方目前是给了三个默认的处理器,我们也可以自定义处理器,接下来先简单介绍一下官方的,然后再用一个小例子自定义一个自己的。
SpringSecurity-5-自定义登录验证
zhoubangbang1的博客
03-24 827
SpringSecurity-5-自定义登录验证默认登录成功失败跳转页为什么自定义登录验证结果处理场景自定义登录成功的结果处理自定义登录失败的结果处理自定义权限访问异常结果处理默认登录成功失败跳转页 如果我们 登录成功,由接口AuthenticationSuccessHandler进行登录结果处理,默认会使用SimpleUrlAuthenticationSuccessHandler,是AuthenticationSuccessHandler的实现,SimpleUrlAuthenticationSucces
Spring Security——实现登录后跳转到登录前页面
无限迭代中......
03-21 7370
基本概念 暂无。 官方文档 https://docs.spring.io/spring-security/site/docs/5.3.1.BUILD-SNAPSHOT/reference/html5/#nsa-form-login API SavedRequestAwareAuthenticationSuccessHandler:身份验证成功策略,可以利用身份验证成功策略,该策略Def...
SpringSecurity5-教程3-oauth2登录源码分析
zhouwenjun0820的博客
03-20 1711
spring-security
spring security3.2 总结
xjj1314的专栏
08-04 1158
xmlns:sec="http://www.springframework.org/schema/security"       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"       xsi:schemaLocation="http://www.springframework.org/schema/beans         
SpringSecurity系列 之 认证成功处理流程
向心行者
06-26 2775
1、常见用法   和SpringSecurity认证失败处理器方法似,认证成功也提供了三种的配置方式,而且和认证失败的方式基本上是对应的。分别是: defaultSuccessUrl()方法,提供了两个重载方法,一个参数的方法只需要配置默认重定向路径,两个参数的方法除了配置重定向路径,还需要配置是否无论什么情况只重定向配置的路径。 successForwardUrl()方法,服务端转发,无论什么情况只转发到配置的路径。 successHandler()方法,自定义认证成功处理器。 defaultSuc
springsecurity 表单登录
sdaujsj1的博客
07-01 599
表单登录 @Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .anyRequest().authenticated()
SpringSecurity(四)表单配置-登录成功及页面跳转原理
陈橙橙
03-11 5100
登录表单配置 在上一篇文章中,我们介绍了,基本认证以及默认用户名和密码以及页面SpringSecurity是怎样帮我们生成的,这里我们就来看一下登录表单的详细配置。 项目准备 导入依赖 <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId&gt
Spring Security 入门 自定义认证成功处理器
SheTing'Blog
04-16 1635
实现接口 AuthenticationSuccessHandler 自定义认证成功处理器 /** * 默认登录成功后,跳转到之前请求的 url , 而现在希望登录成功后,实现其他的业务逻辑。比如累计积分、 * 通过Ajax 请求响应一个JSON数据,前端接收到响应的数据进行跳转。那可以使用自定义登录成功处理逻辑。 */ @Component public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessH
spring security 自定义登录成功、失败处理
liu_xue_xue的专栏
11-30 2661
默认自定义配置 一、自定义成功处理器 使用继承SavedRequestAwareAuthenticationSuccessHandler的方式?因为SavedRequestAwareAuthenticationSuccessHandler这个记住了你上一次的请求路径,比如:你请求user.html。然后被拦截到了登录页,这时候你输入完用户名密码点击登录,会自动跳转到user.html,而不是主页面。 public class CoreAuthenticationSuccessHandler e
自定义登录成功处理
weixin_43472934的博客
04-21 1282
有时候页面跳转并不能满足我们,特别是在前后端分离开发中就不需要成功之后跳转页面。只需要给前端返回一个JSON通知登录成功还是失败与否。这个试试可以通过自定义AuthenticationSuccessHandler实现 修改WebSecurityConfigurer successHandler package com.example.config; import com.example.handler.MyAuthenticationSuccessHandler; import org.springf.
SpringSecurity自定义认证成功处理器
热门推荐
钟健的博客
03-21 6万+
自定义认证成功处理器 代码实现 1.实现AuthenticationSuccessHandler接口 第一步:实现 AuthenticationSuccessHandler @Component("customAuthenticationSuccessHandler") public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler { @Override public void
SpringSecurity学习笔记二
我就是我的博客
10-25 560
SpringSecurity认证成功、失败处理器原理分析 首先需要知道的是,SpringSecurity默认的成功、失败处理器是SavedRequestAwareAuthenticationSuccessHandler和SimpleUrlAuthenticationFailureHandler;正常情况下,请求一个资源,在进入到SpringSecurity的认证中,认证成功才会跳转到待请求的资源 ...
spring security 配置架构
05-05
Spring Security的配置通常是一个Java,用于配置安全性和授权规则。Spring Security提供了多种配置的架构,包括使用注解、XML和Java Config等方式。 使用注解方式的配置通常使用@Configuration和@...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值