Spring Security AuthenticationException persisting?

Posted 2024-11-08 12:51:33 | 791 characters | 0 views | 0 comments

I'm using Spring MVC and Spring Security on a project, and am implementing a login form with it. I've run into a sort of strange behaviour, which I wouldn't expect, and I was wondering if there is a way to avoid it.

When there is an authentication error on the login form, I have a method in my controller to handle it:

@RequestMapping(value="/failed", method = RequestMethod.GET)
public String showLoginFailurePage(Model model, HttpServletRequest request) {
    String authExClass = "";
    AuthenticationException authEx = (AuthenticationException) request.getSession().getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);

    if (authEx != null) {
        authExClass = authEx.getClass().getSimpleName();
    }
    model.addAttribute("authExClass", authExClass);
    return LOGIN_PAGE;
}

This works initially, allowing me to display an error when an authentication error occurs. However, if I refresh the page, I would expect that the AuthenticationException would no longer be attached to the session, and thus I wouldn't display an error to the user. However, it seems that the exception persists beyond a refresh. Do I have an incorrect assumption? Should I not be using my request object this way?

Thanks!
idbentley


Comments (1)

诠释孤独 2024-11-15 12:51:33

Well, does any code clear the AUTHENTICATION_EXCEPTION from the Session? Spring Security may not automatically clear this from the session until another authorization attempt is successful - I think you are assuming that this session attribute is automatically removed.

You may want to clear this attribute from the session yourself to not display it again.
