Authentication Forward Fix

Authentication Forward Fix
This commit is contained in:
shimingxy
2020-05-22 15:25:18 +08:00
parent dcae09742f
commit 239573cd05
13 changed files with 128 additions and 74 deletions

View File

@@ -87,6 +87,10 @@ public abstract class AbstractAuthenticationProvider {
.getAttribute(WebConstants.CURRENT_LOGIN_USER_PASSWORD_SET_TYPE);
// 登录完成后切换SESSION
_logger.debug("Login Session {}.", WebContext.getSession().getId());
final Object firstSavedRequest =
WebContext.getAttribute(WebConstants.FIRST_SAVED_REQUEST_PARAMETER);
WebContext.getSession().invalidate();
WebContext.setAttribute(
WebConstants.CURRENT_USER_SESSION_ID, WebContext.getSession().getId());
@@ -95,6 +99,7 @@ public abstract class AbstractAuthenticationProvider {
authenticationRealm.insertLoginHistory(
userInfo, ConstantsLoginType.LOCAL, "", "xe00000004", "success");
WebContext.setAttribute(WebConstants.FIRST_SAVED_REQUEST_PARAMETER,firstSavedRequest);
// 认证设置
WebContext.setAuthentication(authentication);
WebContext.setUserInfo(userInfo);

View File

@@ -20,45 +20,47 @@ import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.util.StringUtils;
/**
* An authentication success strategy which can make use of the {@link DefaultSavedRequest} which may have been stored in
* the session by the {@link ExceptionTranslationFilter}. When such a request is intercepted and requires authentication,
* the request data is stored to record the original destination before the authentication process commenced, and to
* allow the request to be reconstructed when a redirect to the same URL occurs. This class is responsible for
* performing the redirect to the original URL if appropriate.
* An authentication success strategy which can make use of the
* {@link DefaultSavedRequest} which may have been stored in the session by the
* {@link ExceptionTranslationFilter}. When such a request is intercepted and
* requires authentication, the request data is stored to record the original
* destination before the authentication process commenced, and to allow the
* request to be reconstructed when a redirect to the same URL occurs. This
* class is responsible for performing the redirect to the original URL if
* appropriate.
* <p>
* Following a successful authentication, it decides on the redirect destination, based on the following scenarios:
* Following a successful authentication, it decides on the redirect
* destination, based on the following scenarios:
* <ul>
* <li>
* If the {@code alwaysUseDefaultTargetUrl} property is set to true, the {@code defaultTargetUrl}
* will be used for the destination. Any {@code DefaultSavedRequest} stored in the session will be
* removed.
* </li>
* <li>
* If the {@code targetUrlParameter} has been set on the request, the value will be used as the destination.
* Any {@code DefaultSavedRequest} will again be removed.
* </li>
* <li>
* If a {@link SavedRequest} is found in the {@code RequestCache} (as set by the {@link ExceptionTranslationFilter} to
* record the original destination before the authentication process commenced), a redirect will be performed to the
* Url of that original destination. The {@code SavedRequest} object will remain cached and be picked up
* when the redirected request is received
* (See {@link org.springframework.security.web.savedrequest.SavedRequestAwareWrapper SavedRequestAwareWrapper}).
* </li>
* <li>
* If no {@code SavedRequest} is found, it will delegate to the base class.
* <li>If the {@code alwaysUseDefaultTargetUrl} property is set to true, the
* {@code defaultTargetUrl} will be used for the destination. Any
* {@code DefaultSavedRequest} stored in the session will be removed.</li>
* <li>If the {@code targetUrlParameter} has been set on the request, the value
* will be used as the destination. Any {@code DefaultSavedRequest} will again
* be removed.</li>
* <li>If a {@link SavedRequest} is found in the {@code RequestCache} (as set by
* the {@link ExceptionTranslationFilter} to record the original destination
* before the authentication process commenced), a redirect will be performed to
* the Url of that original destination. The {@code SavedRequest} object will
* remain cached and be picked up when the redirected request is received (See
* {@link org.springframework.security.web.savedrequest.SavedRequestAwareWrapper
* SavedRequestAwareWrapper}).</li>
* <li>If no {@code SavedRequest} is found, it will delegate to the base class.
* </li>
* </ul>
*
* @author Luke Taylor
* @since 3.0
*/
public class SavedRequestAwareAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
protected final Logger _logger = LoggerFactory.getLogger(SavedRequestAwareAuthenticationSuccessHandler.class);
public class SavedRequestAwareAuthenticationSuccessHandler
extends SimpleUrlAuthenticationSuccessHandler {
protected final Logger _logger = LoggerFactory.getLogger(
SavedRequestAwareAuthenticationSuccessHandler.class);
@Autowired
@Qualifier("remeberMeService")
protected AbstractRemeberMeService remeberMeService;
@Qualifier("remeberMeService")
protected AbstractRemeberMeService remeberMeService;
private RequestCache requestCache = new HttpSessionRequestCache();
@Override
@@ -66,15 +68,18 @@ public class SavedRequestAwareAuthenticationSuccessHandler extends SimpleUrlAuth
Authentication authentication) throws ServletException, IOException {
SavedRequest savedRequest = requestCache.getRequest(request, response);
remeberMeService.createRemeberMe(authentication.getPrincipal().toString(), request, response);
remeberMeService.createRemeberMe(
authentication.getPrincipal().toString(), request, response);
if (savedRequest == null) {
super.onAuthenticationSuccess(request, response, authentication);
return;
}
String targetUrlParameter = getTargetUrlParameter();
if (isAlwaysUseDefaultTargetUrl() || (targetUrlParameter != null && StringUtils.hasText(request.getParameter(targetUrlParameter)))) {
if (isAlwaysUseDefaultTargetUrl()
|| (targetUrlParameter != null
&& StringUtils.hasText(request.getParameter(targetUrlParameter)))) {
requestCache.removeRequest(request, response);
super.onAuthenticationSuccess(request, response, authentication);
@@ -82,16 +87,18 @@ public class SavedRequestAwareAuthenticationSuccessHandler extends SimpleUrlAuth
}
clearAuthenticationAttributes(request);
// Use the DefaultSavedRequest URL
String targetUrl = savedRequest.getRedirectUrl();
//is cas login , with service parameter
logger.info( request.getParameter(WebConstants.CAS_SERVICE_PARAMETER));
if(request.getParameter(WebConstants.CAS_SERVICE_PARAMETER)!=null && request.getParameter(WebConstants.CAS_SERVICE_PARAMETER).startsWith("http")){
targetUrl=WebContext.getHttpContextPath()+"/authorize/cas/login?service="+request.getParameter(WebConstants.CAS_SERVICE_PARAMETER);
// is cas login , with service parameter
logger.info("CAS " + request.getParameter(WebConstants.CAS_SERVICE_PARAMETER));
if (request.getParameter(WebConstants.CAS_SERVICE_PARAMETER) != null
&& request.getParameter(WebConstants.CAS_SERVICE_PARAMETER).startsWith("http")) {
targetUrl = WebContext.getHttpContextPath() + "/authorize/cas/login?service="
+ request.getParameter(WebConstants.CAS_SERVICE_PARAMETER);
}
targetUrl = targetUrl == null ? "/forwardindex" : targetUrl;
logger.debug("Redirecting to DefaultSavedRequest Url: " + targetUrl);
getRedirectStrategy().sendRedirect(request, response, targetUrl);
}

View File

@@ -1,14 +1,12 @@
/**
*
*/
package org.maxkey.authn.realm;
/**
* IAuthenticationServer .
* @author Crystal.Sea
*
*/
public interface IAuthenticationServer {
public boolean authenticate(String username, String password) ;
public boolean authenticate(String username, String password);
}

View File

@@ -1,7 +1,7 @@
package org.maxkey.web;
/**
* Web Application Constants define
* Web Application Constants define.
*
* @author Crystal.Sea
*
@@ -32,9 +32,7 @@ public class WebConstants {
public static final String CURRENT_MESSAGE = "current_message";
// SPRING_SECURITY_SAVED_REQUEST
public static final String SPRING_PROCESS_SAVED_REQUEST = "SPRING_SECURITY_SAVED_REQUEST";
public static final String FIRST_SAVED_REQUEST_PARAMETER = "first_saved_request_parameter";
public static final String FIRST_SAVED_REQUEST_PARAMETER = "SPRING_SECURITY_SAVED_REQUEST";
public static final String KAPTCHA_SESSION_KEY = "kaptcha_session_key";