java Spring Security:使用特殊的 URL 参数忽略登录页面
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/12023564/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring Security: Ignore login page by using a special URL parameter
提问by digiarnie
I currently have a setup that looks something like this:
我目前有一个看起来像这样的设置:
spring-security.xml:
弹簧security.xml:
<http auto-config="true">
<intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login"
default-target-url="/main.html"
authentication-failure-url="/failedLogin"/>
<logout logout-url="/logout.html" logout-success-url="/login" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="foo" password="bar" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
web.xml:
网页.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
This all seems to work as expected, however, in special situations I want the login page to be bypassed if the user passes in a special token. So currently, if the user goes to a url such as /dog, they will see the login page and if they pass in the credentials of foo/barthen they will be logged in and see the page corresponding to /dog.
这一切似乎都按预期工作,但是,在特殊情况下,如果用户传入特殊令牌,我希望绕过登录页面。因此,目前,如果用户转到诸如 的 url /dog,他们将看到登录页面,如果他们传入 的凭据,foo/bar则他们将登录并看到与 对应的页面/dog。
I want the ability to use a URL such as /dog?token=abcdwhich will bypass the login screen and take them directly to the page corresponding to /dog. If they provide an invalid token then they would just see an access denied page.
我希望能够使用诸如/dog?token=abcd绕过登录屏幕并将它们直接带到对应于/dog. 如果他们提供无效的令牌,那么他们只会看到访问被拒绝的页面。
回答by Xaerxess
In Spring Security the scenario you want to cover is described in reference manual, chapter Pre-Authentication Scenarios.
在 Spring Security 中,您要涵盖的场景在参考手册的Pre-Authentication Scenarios一章中进行了描述。
Basically you have to:
基本上你必须:
- create custom filter by extending
AbstractPreAuthenticatedProcessingFilteror choosing one of its implementations, - register custom filter
<custom-filter position="PRE_AUTH_FILTER" ref="yourPreAuthFilter" />, - implement or choose one of implemented
AuthenticationUserDetailsServices, - register the service in
PreAuthenticatedAuthenticationProvider(with<property name="yourPreAuthenticatedUserDetailsService">).
- 通过扩展
AbstractPreAuthenticatedProcessingFilter或选择其实现之一来创建自定义过滤器, - 注册自定义过滤器
<custom-filter position="PRE_AUTH_FILTER" ref="yourPreAuthFilter" />, - 实施或选择已实施的
AuthenticationUserDetailsServices 之一, - 在
PreAuthenticatedAuthenticationProvider(with<property name="yourPreAuthenticatedUserDetailsService">) 中注册服务。
EDIT: In this answerOP shows his way of implementig custom PRE_AUTH_FILTER.
编辑:在这个答案中,OP 展示了他实现自定义的方式PRE_AUTH_FILTER。
