如何允许转发到具有 Spring 安全性的外部 URL

How to permit forwarding to external URL with Spring Security

我想知道如何让我的 "redirect:" 与 Spring 安全一起工作。 所有 /auth* 路径都可以正常工作。但是当它到达 [1] 时它就不会重定向。 Spring 安全 4.0.2.RELEASE、Spring MVC 4.0.8.RELEASE

@Controller
@RequestMapping(value = "/auth")
public class SomeAuthController {

    @RequestMapping(value = "/external")
    public String externalAuth(...) {
        if(someCondition) return "redirect:" + someExternalUrl; // [1] https://external-service.com 
        else return "redirect:/"
    }

}



@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {


    @Autowired 
    public void registerGlobalAuthentication(AuthenticationManagerBuilder auth, 
                                             ShaPasswordEncoder shaPasswordEncoder,
                                             List<AuthenticationProvider> authProviders)
                                                                throws Exception {
        for(AuthenticationProvider provider : authProviders) auth.authenticationProvider(provider);
    }

    @Bean(name="myAuthenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().antMatchers("/resources/**").permitAll();

        http.authorizeRequests().antMatchers("/auth/**", "/").permitAll().anyRequest().authenticated();

        http.formLogin()
                .loginPage("/auth/login")
                .loginProcessingUrl("/j_spring_security_check")
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .failureUrl("/auth/login?error")
                .permitAll();

        http.logout()
                .permitAll()
                .logoutUrl("/auth/logout")
                .logoutSuccessUrl("/")
                .invalidateHttpSession(true);
    }


}

好的伙计们。这是我的答案。希望它能帮助别人。 首先是在安全配置bean中启用JSR250。

@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

之后我为包含重定向的方法添加了@PermitAll 注解。

@PermitAll
@RequestMapping(value = "/external")
public String externalAuth(...) {
    if(someCondition) return "redirect:" + someExternalUrl; // [1] https://external-service.com 
    else return "redirect:/"
}

就是这样。调试愉快 J