【发布时间】:2019-07-17 02:53:31
【问题描述】:
我正在使用 spring boot 2.0.0 和 spring security 5.0.6 开发一个 Web 应用程序,在我添加了一些逻辑来验证用户是 LDAP 组的一部分之前,我一直很幸运。如果用户提供的凭据无效,登录页面会再次显示并显示验证错误,但当凭据正确但用户不属于所需的 LDAP 组时,应用程序将被重定向到 Whitelabel 错误页面,该页面以及粗体字的标题显示了这一点:
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Fri Feb 22 18:40:55 EST 2019
There was an unexpected error (type=Forbidden, status=403).
Forbidden
这是正确的错误,所以我知道身份验证有效。但我想留在登录页面而不是重定向,我不知道该怎么做。
我的 WebSecurityConfigurerAdapter 的整个配置方法如下所示:
@Override
protected void configure(HttpSecurity http) throws Exception {
// Disabling CSRF because it causes issues with API requests (POSTs don't
// contain the CSRF tokens).
http.csrf().disable();
http.headers().frameOptions().disable();
http.authorizeRequests()
// This line turns off authentication for all management endpoints, which means all
// endpoints that start with "/actuator" (the default starter path for management endpoints
// in spring boot applications). To selectively choose which endpoints to exclude from authentication,
// use the EndpointRequest.to(String ... method, as in the following example:
// .requestMatchers(EndpointRequest.to("beans", "info", "health", "jolokia")).permitAll()
.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
// Do not authenticate resource requests
.antMatchers(
"/app/css/**",
"/app/img/**",
"/app/js/**",
"/app/bootstrap/**").permitAll()
.antMatchers(
"/admin/**",
"/app/builds/**",
"/app/monitor/**",
"/app/review/**")
.hasRole(requiredRole)
// All other requests are authenticated
.anyRequest().authenticated()
// Any unauthenticated request is forwarded to the login page
.and()
.formLogin()
.loginPage(LOGIN_FORM)
.permitAll()
.successHandler(successHandler())
.and()
.exceptionHandling()
.authenticationEntryPoint(delegatingAuthenticationEntryPoint())
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher(LOGOUT_FORM))
.logoutSuccessUrl(LOGIN_FORM);
}
我愿意批评整个方法的构造,顺便说一句——我已经接管了这个项目,这对我来说是新的。在我介绍以 .hasRole(requiredRole) 结尾的 6 行之前,这段代码运行良好,只要用户是所需组的一部分,它仍然可以运行。
我没有提供这里调用的一些方法的源代码,如果有人愿意,我很乐意粘贴它们。我猜对这些东西很了解的人会马上发现问题。
任何建议将不胜感激。
【问题讨论】:
标签: spring-boot spring-security ldap