Spring Security OAuth 2.0 Google: redirect to default URL after unauthorized request instead of requested URL

I am using Spring Security OAuth 2.0 with Google as the identity provider. I am having trouble handling session timeout and re-authentication correctly.

Scenario:

Current behavior:

Expected behavior:

My configuration class:

import org.springframework.beans.factory.annotation.Value
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler

@Configuration
@EnableWebSecurity
class WebSecurityConfiguration: WebSecurityConfigurerAdapter() {

    // Kotlin string template syntax needs the escaped "\$" here, otherwise this line does not compile
    @Value("\${app.security.oauth2.defaultSuccessUrl}")
    lateinit var defaultSuccessUrl: String

    @Throws(Exception::class)
    override fun configure(httpSecurity: HttpSecurity) {
        val successHandler = SimpleUrlAuthenticationSuccessHandler()
        successHandler.setUseReferer(false)
        httpSecurity
            .antMatcher("/**")
            .authorizeRequests()
            .antMatchers("/", "/login**", "/js/**", "/error**").permitAll()
            .anyRequest().authenticated()
            .and().oauth2Login()
            .successHandler(successHandler)
            .defaultSuccessUrl(defaultSuccessUrl)
            .and().logout().logoutSuccessUrl("/login").deleteCookies("JSESSIONID").permitAll()
            .and()
            .csrf().disable()
            .exceptionHandling()
            .authenticationEntryPoint(Http403ForbiddenEntryPoint())
    }

}

What am I doing wrong?

Thanks in advance.

UPD: code updated according to Steve Riesenberg's answer:

import org.springframework.beans.factory.annotation.Value
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler

@Configuration
@EnableWebSecurity
class WebSecurityConfiguration: WebSecurityConfigurerAdapter() {

    // Kotlin string template syntax needs the escaped "\$" here, otherwise this line does not compile
    @Value("\${app.security.oauth2.defaultSuccessUrl}")
    lateinit var defaultSuccessUrl: String

    @Throws(Exception::class)
    override fun configure(httpSecurity: HttpSecurity) {
        val successHandler = SimpleUrlAuthenticationSuccessHandler(defaultSuccessUrl)
        successHandler.setUseReferer(false)
        httpSecurity
            .antMatcher("/**")
            .authorizeRequests()
            .antMatchers("/", "/login**", "/js/**", "/error**").permitAll()
            .anyRequest().authenticated()
            .and().oauth2Login()
            .successHandler(successHandler)
            .and().logout().logoutSuccessUrl("/login").deleteCookies("JSESSIONID").permitAll()
            .and()
            .csrf().disable()
            .exceptionHandling()
            .authenticationEntryPoint(Http403ForbiddenEntryPoint())
    }

}

Setting defaultSuccessUrl overrides your successHandler(), because setting the URL actually adds the SavedRequestAwareAuthenticationSuccessHandler that you are trying to replace. Order matters, since there is only one successHandler in the oauth2Login configurer.

Instead, you need to pass defaultSuccessUrl to the constructor of SimpleUrlAuthenticationSuccessHandler and only set successHandler(successHandler).
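The same fix, as an added example that is not part of the question or the answer above, written in the SecurityFilterChain bean style that replaces WebSecurityConfigurerAdapter. It assumes Spring Boot 3 / Spring Security 6 and the same app.security.oauth2.defaultSuccessUrl property (a hypothetical value such as "/dashboard"). The point it illustrates is the one from the answer: the configurer stores exactly one success handler, so the handler is built with the target URL in its constructor and defaultSuccessUrl(...) is never called. CSRF protection is left at its default (enabled) because a cookie-session application needs it; that is a departure from the question's csrf().disable().

```kotlin
// Added example, not code from the question or the answer.
// Assumes Spring Security 6.x (SecurityFilterChain bean, lambda DSL, requestMatchers).
import org.springframework.beans.factory.annotation.Value
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler

@Configuration
@EnableWebSecurity
class WebSecurityConfiguration {

    // Hypothetical property, e.g. app.security.oauth2.defaultSuccessUrl=/dashboard
    @Value("\${app.security.oauth2.defaultSuccessUrl}")
    lateinit var defaultSuccessUrl: String

    @Bean
    fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
        // Fixed redirect target, no saved-request lookup. The constructor validates the
        // target (it must be absolute or start with "/"), so a bad property value fails
        // at startup instead of turning into an open redirect at login time.
        val successHandler = SimpleUrlAuthenticationSuccessHandler(defaultSuccessUrl).apply {
            setUseReferer(false) // never let the Referer header choose the target
        }

        http
            .authorizeHttpRequests { auth ->
                auth.requestMatchers("/", "/login**", "/js/**", "/error**").permitAll()
                    .anyRequest().authenticated()
            }
            .oauth2Login { oauth2 ->
                // Only one success handler is kept. Do NOT also call defaultSuccessUrl(...):
                // it installs a SavedRequestAwareAuthenticationSuccessHandler, and whichever
                // of the two calls comes last wins.
                oauth2.successHandler(successHandler)
            }
            .logout { logout ->
                logout.logoutSuccessUrl("/login").deleteCookies("JSESSIONID").permitAll()
            }
            .exceptionHandling { ex ->
                // Unauthenticated requests get a bare 403 instead of a redirect to Google,
                // so a browser client can decide itself when to start the login flow.
                ex.authenticationEntryPoint(Http403ForbiddenEntryPoint())
            }
        // CSRF stays enabled (the default) for this cookie-session application.

        return http.build()
    }
}
```

If the application later does want to return to the originally requested page after login, the handler to use is SavedRequestAwareAuthenticationSuccessHandler; the two classes differ only in whether they consult the saved request, which is exactly the behaviour the answer explains defaultSuccessUrl(...) switches on.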