春のセキュリティに問題がありSwitchUserFilter
ます。ADMIN ロールでログインすると、ユーザーを切り替えて元に戻すことができます。問題は、ユーザーを 2 回目に切り替えると、元に戻せないように見えることです。ブラウザで /secured/switch/back に直接アクセスすると、これがログに表示されます。
[FilterChainProxy] : /secured/admin at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
...
[AbstractSecurityInterceptor] : Secure object: FilterInvocation: URL: /secured/admin; Attributes: [hasRole('ADMIN')]
[AbstractSecurityInterceptor] : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@99f3cebe: Principal: harry [OTHER]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 756CEC9064C2B1B4D788624786F26137; Granted Authorities: OTHER, Switch User Authority [ROLE_PREVIOUS_ADMINISTRATOR,org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6b846d6c: Principal: max [ADMIN]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 26B09EEF635C1758BE96B86AB6354434; Granted Authorities: ADMIN]
[AffirmativeBased] : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3e35ec54, returned: -1
[ExceptionTranslationFilter] : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
通常、ユーザーが構成され/secured/switch/back
た URLを使用して元に戻すと、 は URL /secured/switch/backFilterChainProxy
のリクエストのフィルタリングを開始します。ただし、2 回目は URL が/secured/adminに変更され、許可が拒否されます。
誰かがここで何が起こっているのか手がかりを持っていますか?
次の構成があります。
<beans:bean id="switchUserProcessingFilter"
class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
<beans:property name="userDetailsService" ref="org.example.CustomUserDetailsService"/>
<beans:property name="switchUserUrl" value="/secured/admin/switch/user" />
<beans:property name="exitUserUrl" value="/secured/switch/back" />
<beans:property name="usernameParameter" value="username" />
<beans:property name="successHandler" ref="RedirectingAuthenticationSuccessHandler" />
</beans:bean>
<beans:bean id="authenticationSuccessHandler" class="org.example.RedirectingAuthenticationSuccessHandler" />
<http use-expressions="true" access-denied-page="/secured/access/denied" >
<custom-filter ref="switchUserProcessingFilter" position="SWITCH_USER_FILTER" />
<intercept-url pattern="/secured/login" access="permitAll()" />
<intercept-url pattern="/secured/login/auth" access="permitAll()" />
<intercept-url pattern="/secured/switch/back" access="hasAnyRole('ADMIN', 'OTHER')" />
<intercept-url pattern="/secured/admin/**" access="hasRole('ADMIN')" />
<intercept-url pattern="/secured/other/**" access="hasRole('OTHER')" />
<form-login
login-page='/secured/login'
login-processing-url="/secured/login/auth"
authentication-success-handler-ref="authenticationSuccessHandler"
username-parameter="username"
password-parameter="password"
/>
<logout logout-url="/secured/logout" logout-success-url="/secured/login" />
および成功ハンドラー
public class RedirectingAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
private static final Logger logger = LoggerFactory.getLogger(RedirectingAuthenticationSuccessHandler.class);
private static final RoleBasedRedirectStrategy redirectHandler = new RoleBasedRedirectStrategy();
/*
* Redirect request based on user role.
*
* For example:
* Role ADMIN redirects to /secured/admin
* Role OTHER redirects to /secured/other
*/
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
User user = (User) authentication.getPrincipal();
logger.info("Authentication successful for {}", user);
redirectHandler.handleRedirect(request, response, user);
}
}