Spring Web Flow 覆盖了 Spring Security 的请求规则



项目使用 SWF 2.4.1 和 Spring Security 4。我在 Spring Security 中为登录失败指定了一个 failureUrl，同时在 Web Flow 中为表达式评估失败的情况定义了一个转换（transition）。在这种情况下，SWF 的重定向优先于 Spring Security 的重定向。我想知道是否有办法省略/更改这一行为，让请求自动遵循 Spring Security 的规则，而无需在 Spring Web Flow 中再定义一套规则。

安全规则

// Spring Security rules for the *.xhtml front-end (SWF 2.4.1 / Spring Security 4).
http
    // This whole chain only handles requests matching this single pattern.
    .antMatcher("/spring/**/*.xhtml")
        // Custom entry point for unauthenticated access to a protected URL.
        // exceptionHandling() is configured a second time below (accessDeniedPage).
        .exceptionHandling().authenticationEntryPoint(new AccessDenyEntryPoint())
    .and()
        // NOTE(review): requestCache() is configured again further down with a new
        // HttpSessionRequestCache(); confirm which of the two is meant to apply.
        .requestCache().requestCache(requestCache())
    .and()
    // URL authorization. Rules are evaluated top to bottom; the first match decides.
    .authorizeRequests()
        // NOTE(review): none of these public paths ends in .xhtml, while the antMatcher
        // above limits this chain to *.xhtml requests — confirm they can ever match here.
        .antMatchers("/spring/resources/**","/spring/login","/spring/signup",
                "/spring/main","/spring/error","/spring/group").permitAll()
        .antMatchers("/spring/myprofile").hasRole("USER")
        .antMatchers("/spring/profilegroup").hasRole("MEMBER")
        .antMatchers("/spring/admin").hasRole("ADMIN")
        // Direct requests for any .xhtml view are refused regardless of authentication.
        .antMatchers("/spring/**/*.xhtml").denyAll()
        // NOTE(review): likely unreachable — every request in this chain already matches
        // the denyAll pattern above.
        .anyRequest().authenticated()
    .and()       
    // Form login. failureUrl is the redirect the question is about: it is applied by
    // Spring Security's own login filter, so a login performed inside a web flow action
    // (Login.connect()) never triggers it — the flow's own transition wins instead.
    .formLogin()
        .loginPage("/spring/login")
        .defaultSuccessUrl("/spring/main",true)
        .failureUrl("/spring/login?login_error=1")
    .and()
    .logout()
        .logoutSuccessUrl("/spring/home")
        // Drop the session cookie so the old session id is not reused after logout.
        .deleteCookies("JSESSIONID")
    .and()
        .rememberMe().userDetailsService(customDetailsService)
    .and()
    // Authenticated-but-forbidden requests are sent here.
    .exceptionHandling().accessDeniedPage("/spring/error?error_code=1")
    .and()

    // Disable CSRF (won't work with JSF) but ensure last HTTP POST request is saved
    // See https://jira.springsource.org/browse/SEC-2498
    .csrf().disable()
    .requestCache()
        .requestCache(new HttpSessionRequestCache())
     .and()
     .sessionManagement()
        // Keep the session on login but issue a fresh id (requires Servlet 3.1+).
        .sessionFixation().changeSessionId()
        .invalidSessionUrl("/spring/main")
        .sessionAuthenticationErrorUrl("/spring/error?error_code=4")
        // One live session per user; with maxSessionsPreventsLogin(true) a second
        // login is rejected instead of expiring the first session.
        .maximumSessions(1)
        .expiredUrl("/spring/error?error_code=2")
        .maxSessionsPreventsLogin(true);
Web Flow 规则
    <!-- Login screen. "entry" runs the authentication action below; "recoveryPass" opens the recovery view. -->
    <view-state id="login" view="login.xhtml">
    <transition on="entry" to="connect"/>
    <transition on="recoveryPass" to="recovery" />
</view-state>
<!-- Invokes Login.connect(); its String result ("yes"/"no") is the event that selects the transition.
     Note that a rejected login ("no") lands on the recovery view rather than back on "login".
     An exception thrown by connect() matches neither transition (presumably surfaces as a
     flow execution error — confirm). -->
<action-state id="connect">
    <evaluate expression="login.connect()" />
    <transition on="yes" to="connected" />
    <transition on="no" to="recovery" />
</action-state>
<!-- Recovery view. The "error" transition has no target state, so it re-renders this same view. -->
<view-state id="recovery" view="recovery.xhtml">
    <transition on="sendPass" to="login" />
    <transition on="return" to="login" />
    <transition on="error" />
</view-state>
<!-- The "connected" state referenced above and any path into "finish" are not part of this excerpt. -->
<end-state id="finish" />

认证代码

/**
 * Authenticates the user with the values returned by {@code getEmail()} and
 * {@code getPassword()} and, on success, publishes the result to the
 * {@link SecurityContextHolder}.
 *
 * <p>Only {@code BadCredentialsException}, {@code LockedException} and
 * {@code DisabledException} are translated into the {@code "no"} outcome; every other
 * exception thrown by {@code daoProvider.authenticate} propagates to the caller.
 * All three rejections yield the same outcome, so the caller cannot distinguish a wrong
 * password from a locked or disabled account.
 *
 * @return {@code "yes"} when authentication succeeded, {@code "no"} when it was rejected
 *         (used as the web flow transition event)
 */
public String connect(){
    logger.entry("Login.connect()");
    Authentication authenticated;
    try {
        Authentication credentials =
                new UsernamePasswordAuthenticationToken(getEmail(), getPassword());
        authenticated = daoProvider.authenticate(credentials);
    } catch (BadCredentialsException e) {
        // Wrong e-mail/password. Flash message (key "usuario.no.registrado") is disabled.
        return "no";
    } catch (LockedException e) {
        // Account locked. Flash message (key "usuario.bloqueado") is disabled.
        return "no";
    } catch (DisabledException e) {
        // Account disabled. Flash message (key "usuario.desactivado") is disabled.
        return "no";
    }
    SecurityContextHolder.getContext().setAuthentication(authenticated);
    return "yes";
}

真正的问题在于我把安全控制放在了 Spring Security 配置中，而本应把它们放在流定义（flow definition）中。创建自定义的表单页面/控制器不成问题，也能正常工作；如果使用 bean 的方式，则不需要设置 loginProcess。所以，配置应该如下所示：

安全配置

    /**
     * Spring Security rules for the revised setup in which per-page authorization lives
     * in the web flow definitions ({@code <secured>}) rather than here.
     *
     * <p>Only direct requests for {@code *.xhtml} view files are refused by Spring Security
     * itself; per the accompanying explanation every other URL is left to the flows.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder API
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Custom handling for unauthenticated access to a protected URL ...
            .exceptionHandling().authenticationEntryPoint(new AccessDenyEntryPoint())
        .and()
            // ... and for authenticated-but-forbidden access.
            .exceptionHandling().accessDeniedHandler(new AccessDenyHandlerPoint())
        .and()
            .authorizeRequests()
                // Block direct requests for view sources. This is the only URL rule left here.
                // NOTE(review): there is no anyRequest() rule, so URLs that do not match this
                // pattern get no authorization decision from Spring Security — confirm intended.
                .antMatchers("/spring/**/*.xhtml").denyAll()
        .and()
        // Login form. loginProcessingUrl is the POST target handled by Spring Security's own
        // filter; failureUrl/defaultSuccessUrl only take effect for requests that go through it.
        .formLogin()
            .loginPage("/spring/login")
            .loginProcessingUrl("/spring/loginProcess")
            .defaultSuccessUrl("/spring/main",true)
            .failureUrl("/spring/login?login_error=1")
        .and()
        .logout()
            .logoutUrl("/spring/logout")
            .logoutSuccessUrl("/spring/main")
            // Drop the session cookie so the old session id is not reused after logout.
            .deleteCookies("JSESSIONID")
        // Disable CSRF (won't work with JSF) but ensure last HTTP POST request is saved
        // See https://jira.springsource.org/browse/SEC-2498
        .and()
        // NOTE(review): with CSRF disabled, Spring Security 4 is expected to accept the
        // logout URL over GET as well — confirm that is acceptable.
        .csrf().disable()
        .sessionManagement()
            // Keep the session on login but issue a fresh id (requires Servlet 3.1+).
            .sessionFixation().changeSessionId()
            .invalidSessionUrl("/spring/error?error_code=1")
            .sessionAuthenticationErrorUrl("/spring/error?error_code=2")
            // One live session per user; a second login is rejected instead of
            // expiring the first session.
            .maximumSessions(1)
            .expiredUrl("/spring/error?error_code=3")
            .maxSessionsPreventsLogin(true);
    }

流定义

    <!-- Flow-level access control: entering this flow requires the ROLE_USER authority. -->
    <secured attributes="ROLE_USER" />
<!-- Runs once when the flow starts; the result of spaceBO.dao.getAll() (presumably every
     "space") is kept in flow scope as "spaces". -->
<on-start>
    <evaluate expression="spaceBO.dao.getAll()" result="flowScope.spaces"/>
</on-start>
<!-- Main view; no transitions are declared in this excerpt. -->
<view-state id="inicio" view="main.xhtml">
</view-state>

最新更新