其他分享
首页 > 其他分享> > Spring Security SavedRequestAwareAuthenticationSuccessHandler类

Spring Security SavedRequestAwareAuthenticationSuccessHandler类

作者:互联网

SavedRequestAwareAuthenticationSuccessHandler类是SpringSecurity提供的登录成功处理器,登录成功后该处理器会从Session中获取认证之前访问的url,然后将用户重定向到该url地址,

  1. 设置认证之前的url

    RequestCache.java

    	/**
    	 * Caches the current request for later retrieval, once authentication has taken
    	 * place. Used by <tt>ExceptionTranslationFilter</tt>.
    	 * @param request the request to be stored
    	 */
    	void saveRequest(HttpServletRequest request, HttpServletResponse response);
    
    	/**
    	 * Returns the saved request, leaving it cached.
    	 * @param request the current request
    	 * @return the saved request which was previously cached, or null if there is none.
    	 */
    	SavedRequest getRequest(HttpServletRequest request, HttpServletResponse response);
    
    	/**
    	 * Returns a wrapper around the saved request, if it matches the current request. The
    	 * saved request should be removed from the cache.
    	 * @param request
    	 * @param response
    	 * @return the wrapped save request, if it matches the original, or null if there is
    	 * no cached request or it doesn't match.
    	 */
    	HttpServletRequest getMatchingRequest(HttpServletRequest request, HttpServletResponse response);
    
    	/**
    	 * Removes the cached request.
    	 * @param request the current request, allowing access to the cache.
    	 */
    	void removeRequest(HttpServletRequest request, HttpServletResponse response);
    

    在spring security中RequestCache有三个默认实现,HttpSessionRequestCache通过session存储前一次请求信息、NullRequestCache一般禁用session的情况下使用,不会存储前一次请求信息、CookieRequestCache使用cookie存储前一次请求信息。

    ExceptionTranslationFilter.java

    private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
    			throws IOException, ServletException {
    		try {
    			chain.doFilter(request, response);
    		}
    		catch (IOException ex) {
    			throw ex;
    		}
    		catch (Exception ex) {
    			// Try to extract a SpringSecurityException from the stacktrace
    			Throwable[] causeChain = this.throwableAnalyzer.determineCauseChain(ex);
    			RuntimeException securityException = (AuthenticationException) this.throwableAnalyzer
    					.getFirstThrowableOfType(AuthenticationException.class, causeChain);
    			if (securityException == null) {
    				securityException = (AccessDeniedException) this.throwableAnalyzer
    						.getFirstThrowableOfType(AccessDeniedException.class, causeChain);
    			}
    			if (securityException == null) {
    				rethrow(ex);
    			}
    			if (response.isCommitted()) {
    				throw new ServletException("Unable to handle the Spring Security Exception "
    						+ "because the response is already committed.", ex);
    			}
    			handleSpringSecurityException(request, response, chain, securityException);
    		}
    	}
    
    protected void sendStartAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
    			AuthenticationException reason) throws ServletException, IOException {
    		// SEC-112: Clear the SecurityContextHolder's Authentication, as the
    		// existing Authentication is no longer considered valid
    		SecurityContext context = SecurityContextHolder.createEmptyContext();
    		SecurityContextHolder.setContext(context);
    		this.requestCache.saveRequest(request, response);
    		this.authenticationEntryPoint.commence(request, response, reason);
    	}
    

    ExceptionTranslationFilter在捕获身份认证异常之后会调用requestCache将此次请求存储,以便登录成功后由SavedRequestAwareAuthenticationSuccessHandler调用此次请求信息,并重定向到url。

  2. 重定向到认证前url

    SavedRequestAwareAuthenticationSuccessHandler.java

    private RequestCache requestCache = new HttpSessionRequestCache();
    
    	@Override
    	public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
    			Authentication authentication) throws ServletException, IOException {
    		SavedRequest savedRequest = this.requestCache.getRequest(request, response);
    		if (savedRequest == null) {
    			super.onAuthenticationSuccess(request, response, authentication);
    			return;
    		}
    		String targetUrlParameter = getTargetUrlParameter();
    		if (isAlwaysUseDefaultTargetUrl()
    				|| (targetUrlParameter != null && StringUtils.hasText(request.getParameter(targetUrlParameter)))) {
    			this.requestCache.removeRequest(request, response);
    			super.onAuthenticationSuccess(request, response, authentication);
    			return;
    		}
    		clearAuthenticationAttributes(request);
    		// Use the DefaultSavedRequest URL
    		String targetUrl = savedRequest.getRedirectUrl();
    		getRedirectStrategy().sendRedirect(request, response, targetUrl);
    	}
    

    在SavedRequestAwareAuthenticationSuccessHandler源码中有一个RequestCache属性,在登录成功后会调用RequestCache.getRequest获取前一次请求信息然后重定向到该url。

  3. 自定义RequestCache

    public class RedisRequestCache implements RequestCache {
    
    
        static final String SAVED_REQUEST = "SPRING_SECURITY_SAVED_REQUEST";
    
        protected final Log logger = LogFactory.getLog(this.getClass());
    
        private PortResolver portResolver = new PortResolverImpl();
    
        private RequestMatcher requestMatcher = AnyRequestMatcher.INSTANCE;
    
        private String sessionAttrName = SAVED_REQUEST;
    
        @Autowired
        private RedisCache redisCache;
    
        /**
         * Stores the current request, provided the configuration properties allow it.
         */
        @Override
        public void saveRequest(HttpServletRequest request, HttpServletResponse response) {
            if (!this.requestMatcher.matches(request)) {
                if (this.logger.isTraceEnabled()) {
                    this.logger.trace(
                            LogMessage.format("Did not save request since it did not match [%s]", this.requestMatcher));
                }
                return;
            }
            String redirectUrl = UrlUtils.buildFullRequestUrl(request);
            // DefaultSavedRequest savedRequest = new DefaultSavedRequest(request, this.portResolver);
            redisCache.setCacheObject(this.sessionAttrName, encodeCookie(redirectUrl));
        }
    
        @Override
        public SavedRequest getRequest(HttpServletRequest currentRequest, HttpServletResponse response) {
            String originalURI = redisCache.getCacheObject(this.sessionAttrName);
            if (StringUtils.isEmpty(originalURI)) {
                return null;
            }
            // var str = JSON.toJSONString(originalURI);
            UriComponents uriComponents = UriComponentsBuilder.fromUriString(decodeCookie(originalURI)).build();
            DefaultSavedRequest.Builder builder = new DefaultSavedRequest.Builder();
            int port = getPort(uriComponents);
            return builder.setScheme(uriComponents.getScheme()).setServerName(uriComponents.getHost())
                    .setRequestURI(uriComponents.getPath()).setQueryString(uriComponents.getQuery()).setServerPort(port)
                    .setMethod(currentRequest.getMethod()).build();
            // return JSON.parseObject(str, SavedRequest.class);
            // return (SavedRequest) savedRequest;
        }
    
        @Override
        public void removeRequest(HttpServletRequest currentRequest, HttpServletResponse response) {
            redisCache.deleteObject(this.sessionAttrName);
        }
    
        @Override
        public HttpServletRequest getMatchingRequest(HttpServletRequest request, HttpServletResponse response) {
            SavedRequest saved = getRequest(request, response);
            if (saved == null) {
                this.logger.trace("No saved request");
                return null;
            }
            if (!matchesSavedRequest(request, saved)) {
                if (this.logger.isTraceEnabled()) {
                    this.logger.trace(LogMessage.format("Did not match request %s to the saved one %s",
                            UrlUtils.buildRequestUrl(request), saved));
                }
                return null;
            }
            removeRequest(request, response);
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(LogMessage.format("Loaded matching saved request %s", saved.getRedirectUrl()));
            }
            return request;
        }
    
        private boolean matchesSavedRequest(HttpServletRequest request, SavedRequest savedRequest) {
            if (savedRequest instanceof DefaultSavedRequest) {
                DefaultSavedRequest defaultSavedRequest = (DefaultSavedRequest) savedRequest;
                return defaultSavedRequest.doesRequestMatch(request, this.portResolver);
            }
            String currentUrl = UrlUtils.buildFullRequestUrl(request);
            return savedRequest.getRedirectUrl().equals(currentUrl);
        }
    
        private int getPort(UriComponents uriComponents) {
            int port = uriComponents.getPort();
            if (port != -1) {
                return port;
            }
            if ("https".equalsIgnoreCase(uriComponents.getScheme())) {
                return 443;
            }
            return 80;
        }
    
        private static String encodeCookie(String cookieValue) {
            return Base64.getEncoder().encodeToString(cookieValue.getBytes());
        }
    
        private static String decodeCookie(String encodedCookieValue) {
            return new String(Base64.getDecoder().decode(encodedCookieValue.getBytes()));
        }
    
        public void setRequestMatcher(RequestMatcher requestMatcher) {
            this.requestMatcher = requestMatcher;
        }
    
        public void setPortResolver(PortResolver portResolver) {
            this.portResolver = portResolver;
        }
    
        public void setSessionAttrName(String sessionAttrName) {
            this.sessionAttrName = sessionAttrName;
        }
    
    }
    
    @Override
    public void configure(HttpSecurity http) throws Exception {
      http.requestCache(httpSecurityRequestCacheConfigurer -> {
        httpSecurityRequestCacheConfigurer.requestCache(redisRequestCache());
      });
    }
    

    自定义登录成功处理器需要手动配置自定义的RequestCache。

标签:HttpServletRequest,return,String,Spring,request,SavedRequestAwareAuthenticationS
来源: https://www.cnblogs.com/yourblog/p/16322589.html