Spring webflow是否覆盖Spring安全请求规则?
项目使用SWF 2.4.1和SSec 4。我在SpringSecurity上为登录错误指定了一个failUrl,如果计算表达式失败,则在webflow上指定了一个转换。在这种情况下,SWF重定向优先于SSec重定向。我想知道是否有某种方法可以省略/更改此行为,因为我会自动遵循spring安全规则,而不必在spring webflow上创建规则 安全规则Spring webflow是否覆盖Spring安全请求规则?,spring,spring-security,spring-webflow,spring-webflow-2,Spring,Spring Security,Spring Webflow,Spring Webflow 2,项目使用SWF 2.4.1和SSec 4。我在SpringSecurity上为登录错误指定了一个failUrl,如果计算表达式失败,则在webflow上指定了一个转换。在这种情况下,SWF重定向优先于SSec重定向。我想知道是否有某种方法可以省略/更改此行为,因为我会自动遵循spring安全规则,而不必在spring webflow上创建规则 安全规则 http .antMatcher("/spring/**/*.xhtml") .exceptionHandling().
http
.antMatcher("/spring/**/*.xhtml")
.exceptionHandling().authenticationEntryPoint(new AccessDenyEntryPoint())
.and()
.requestCache().requestCache(requestCache())
.and()
.authorizeRequests()
.antMatchers("/spring/resources/**","/spring/login","/spring/signup",
"/spring/main","/spring/error","/spring/group").permitAll()
.antMatchers("/spring/myprofile").hasRole("USER")
.antMatchers("/spring/profilegroup").hasRole("MEMBER")
.antMatchers("/spring/admin").hasRole("ADMIN")
.antMatchers("/spring/**/*.xhtml").denyAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/spring/login")
.defaultSuccessUrl("/spring/main",true)
.failureUrl("/spring/login?login_error=1")
.and()
.logout()
.logoutSuccessUrl("/spring/home")
.deleteCookies("JSESSIONID")
.and()
.rememberMe().userDetailsService(customDetailsService)
.and()
.exceptionHandling().accessDeniedPage("/spring/error?error_code=1")
.and()
// Disable CSRF (won't work with JSF) but ensure last HTTP POST request is saved
// See https://jira.springsource.org/browse/SEC-2498
.csrf().disable()
.requestCache()
.requestCache(new HttpSessionRequestCache())
.and()
.sessionManagement()
.sessionFixation().changeSessionId()
.invalidSessionUrl("/spring/main")
.sessionAuthenticationErrorUrl("/spring/error?error_code=4")
.maximumSessions(1)
.expiredUrl("/spring/error?error_code=2")
.maxSessionsPreventsLogin(true);
<view-state id="login" view="login.xhtml">
<transition on="entry" to="connect"/>
<transition on="recoveryPass" to="recovery" />
</view-state>
<action-state id="connect">
<evaluate expression="login.connect()" />
<transition on="yes" to="connected" />
<transition on="no" to="recovery" />
</action-state>
<view-state id="recovery" view="recovery.xhtml">
<transition on="sendPass" to="login" />
<transition on="return" to="login" />
<transition on="error" />
</view-state>
<end-state id="finish" />
http
.antMatcher("/spring/**/*.xhtml")
.exceptionHandling().authenticationEntryPoint(new AccessDenyEntryPoint())
.and()
.requestCache().requestCache(requestCache())
.and()
.authorizeRequests()
.antMatchers("/spring/resources/**","/spring/login","/spring/signup",
"/spring/main","/spring/error","/spring/group").permitAll()
.antMatchers("/spring/myprofile").hasRole("USER")
.antMatchers("/spring/profilegroup").hasRole("MEMBER")
.antMatchers("/spring/admin").hasRole("ADMIN")
.antMatchers("/spring/**/*.xhtml").denyAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/spring/login")
.defaultSuccessUrl("/spring/main",true)
.failureUrl("/spring/login?login_error=1")
.and()
.logout()
.logoutSuccessUrl("/spring/home")
.deleteCookies("JSESSIONID")
.and()
.rememberMe().userDetailsService(customDetailsService)
.and()
.exceptionHandling().accessDeniedPage("/spring/error?error_code=1")
.and()
// Disable CSRF (won't work with JSF) but ensure last HTTP POST request is saved
// See https://jira.springsource.org/browse/SEC-2498
.csrf().disable()
.requestCache()
.requestCache(new HttpSessionRequestCache())
.and()
.sessionManagement()
.sessionFixation().changeSessionId()
.invalidSessionUrl("/spring/main")
.sessionAuthenticationErrorUrl("/spring/error?error_code=4")
.maximumSessions(1)
.expiredUrl("/spring/error?error_code=2")
.maxSessionsPreventsLogin(true);
<view-state id="login" view="login.xhtml">
<transition on="entry" to="connect"/>
<transition on="recoveryPass" to="recovery" />
</view-state>
<action-state id="connect">
<evaluate expression="login.connect()" />
<transition on="yes" to="connected" />
<transition on="no" to="recovery" />
</action-state>
<view-state id="recovery" view="recovery.xhtml">
<transition on="sendPass" to="login" />
<transition on="return" to="login" />
<transition on="error" />
</view-state>
<end-state id="finish" />
真正的问题是我在spring安全配置上设置了安全控制,我应该在流定义上设置它们。创建自定义表单页面/控制器不是问题所在,工作正常,如果使用bean,则无需设置LoginProcess。所以,配置应该是这样的 安全配置
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling().authenticationEntryPoint(new AccessDenyEntryPoint())
.and()
.exceptionHandling().accessDeniedHandler(new AccessDenyHandlerPoint())
.and()
.authorizeRequests()
.antMatchers("/spring/**/*.xhtml").denyAll()
.and()
.formLogin()
.loginPage("/spring/login")
.loginProcessingUrl("/spring/loginProcess")
.defaultSuccessUrl("/spring/main",true)
.failureUrl("/spring/login?login_error=1")
.and()
.logout()
.logoutUrl("/spring/logout")
.logoutSuccessUrl("/spring/main")
.deleteCookies("JSESSIONID")
// Disable CSRF (won't work with JSF) but ensure last HTTP POST request is saved
// See https://jira.springsource.org/browse/SEC-2498
.and()
.csrf().disable()
.sessionManagement()
.sessionFixation().changeSessionId()
.invalidSessionUrl("/spring/error?error_code=1")
.sessionAuthenticationErrorUrl("/spring/error?error_code=2")
.maximumSessions(1)
.expiredUrl("/spring/error?error_code=3")
.maxSessionsPreventsLogin(true);
}
<secured attributes="ROLE_USER" />
<on-start>
<evaluate expression="spaceBO.dao.getAll()" result="flowScope.spaces"/>
</on-start>
<view-state id="inicio" view="main.xhtml">
</view-state>