2017-06-06 314 views
0

I have a Vaadin application secured with Spring Security OAuth2. This works fine, except that the ad hoc PUSH or HEARTBEAT endpoints are sometimes the first thing requested, which triggers the authentication process and leaves the user on the wrong page (these endpoints should not be accessed directly by the user). Spring Security OAuth2 manipulates the request URL before the redirect.

A simple but insecure fix is permitAll() on these endpoints. However, since that constitutes a threat, I need to close this hole.

To do that, I want to parse and potentially edit the request URL that is redirected to after a successful auth. How would I go about doing this?

I think I need to add a filter somewhere in the chain that intercepts the request and edits it. But I don't know where.

Here is my client:

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableOAuth2Sso
public class OAuthConfig extends WebSecurityConfigurerAdapter
{

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/login**").permitAll()
            .antMatchers("/vaadinServlet/PUSH/**").permitAll()       // todo fix this hole
            .antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()  // todo fix this hole
            .anyRequest().authenticated()
            .and()
            .logout()
            .logoutSuccessUrl("/")
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
    }

    @Override
    public void configure(WebSecurity web) throws Exception
    {
        web.ignoring().antMatchers("/css/*").antMatchers("/VAADIN/**"); // Static resources are ignored
    }

}

And the server:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter
{
    // JWT token stuff & my own client/auth providers. Should not be important.
    ...
}

The server login form:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{

    @Autowired
    private RestAuthenticationProvider authenticationProvider; // my own provider

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception
    {
        auth.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/forgetPassword*").permitAll()
            .antMatchers(HttpMethod.POST, "/user/resetPassword*").permitAll()
            .antMatchers(HttpMethod.GET, "/user/changePassword*").permitAll()
            .antMatchers("/user/updatePassword*", "/user/savePassword*", "/updatePassword*")
                .hasAnyAuthority("CHANGE_PASSWORD_PRIVILEGE", "ROLE_USER")
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
            .csrf().csrfTokenRepository(csrfTokenRepository());
    }

    private CsrfTokenRepository csrfTokenRepository()
    {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }

}

Answer

0

Just add some implementations to the project.

1: Create an authentication failure handler

import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
        System.out.print("here failure");

        // Carry the attempted username back to the login page; URL-encode it so
        // that user-supplied characters cannot alter the redirect target.
        String s = request.getParameter("username");
        String encoded = s == null ? "" : URLEncoder.encode(s, "UTF-8");
        setDefaultFailureUrl("/login?error&username=" + encoded);
        super.onAuthenticationFailure(request, response, exception);
    }

}

2: Authentication success handler

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        /* custom block
           Do anything here
        */

        setDefaultTargetUrl("/home/");
        super.onAuthenticationSuccess(request, response, authentication);
    }
}

3: Authentication entry point for unauthorized requests

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
        System.out.print("Unauthorized Access");

        // Reply with 401 instead of redirecting to the login page
        httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}

Implement the components as your requirements demand.

+0

Thanks for your answer, but could you clarify what these are for? Should I add them to the server or to the client? And why do you autowire the user service if it isn't used? –

+0

Yes, I see you removed the userservice.. but I still don't know how to use this answer. I think the success handler is the only part I really need, but I don't know where to add it. –

+0

Create these classes under the component-scan directory, following my example, then debug the project to see when and where the navigation happens. –