A request is made for enterprise/A. A is protected and the user is not logged in, so the browser is redirected to the login page and returns to A after login completes.
But if the passport requests enterprise/B during the login process, then after login completes the browser is redirected to B instead of A.
This problem is the reason for the large number of customer complaints today.
==============================
The resource request and the login process form one continuous flow: request B overwrites the lastRequest stored in the spring-security session, so the browser is redirected to B after login completes.
RequestCacheAwareFilter
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest wrappedSavedRequest =
                requestCache.getMatchingRequest((HttpServletRequest) request, (HttpServletResponse) response);

        chain.doFilter(wrappedSavedRequest == null ? request : wrappedSavedRequest, response);
    }
HttpSessionRequestCache
    public HttpServletRequest getMatchingRequest(HttpServletRequest request, HttpServletResponse response) {
        DefaultSavedRequest saved = (DefaultSavedRequest) getRequest(request, response);

        if (saved == null) {
            return null;
        }

        if (!saved.doesRequestMatch(request, portResolver)) {
            logger.debug("saved request doesn't match");
            return null;
        }

        // After the lastRequest is taken out, it needs to be removed
        removeRequest(request, response);

        return new SavedRequestAwareWrapper(saved, request);
    }
------------------------
ExceptionTranslationFilter
    protected void sendStartAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, AuthenticationException reason) throws ServletException, IOException {
        // SEC-112: Clear the SecurityContextHolder's Authentication, as the
        // existing Authentication is no longer considered valid
        SecurityContextHolder.getContext().setAuthentication(null);
        requestCache.saveRequest(request, response);
        logger.debug("Calling Authentication entry point.");
        authenticationEntryPoint.commence(request, response, reason);
    }

    public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler) {
        Assert.notNull(accessDeniedHandler, "AccessDeniedHandler required");
        this.accessDeniedHandler = accessDeniedHandler;
    }

    public class HttpSessionRequestCache implements RequestCache {
        static final String SAVED_REQUEST = "SPRING_SECURITY_SAVED_REQUEST";

        /**
         * Stores the current request, provided the configuration properties allow it.
         */
        public void saveRequest(HttpServletRequest request, HttpServletResponse response) {
            if (requestMatcher.matches(request)) {
                DefaultSavedRequest savedRequest = new DefaultSavedRequest(request, portResolver);

                if (createSessionAllowed || request.getSession(false) != null) {
                    // Store the HTTP request itself. Used by AbstractAuthenticationProcessingFilter
                    // for redirection after successful authentication (SEC-29)
                    // A later unauthenticated request replaces the value stored under this attribute
                    request.getSession().setAttribute(SAVED_REQUEST, savedRequest);
                    logger.debug("DefaultSavedRequest added to Session: " + savedRequest);
                }
            }
            else {
                logger.debug("Request not saved as configured RequestMatcher did not match");
            }
        }
        // (rest of the class omitted)
    }
-------------------------------------
1. While the login page is being requested, an HTTPS request is made to the getLoggingInfo interface of enterprise, which overwrites the previously saved request for the home page.
After a successful login, the result of getLoggingInfo is displayed.
2. Captured HTTPS packets are encrypted.
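
One way to keep a background call such as getLoggingInfo from replacing the saved request is to give HttpSessionRequestCache a stricter RequestMatcher, since saveRequest only stores a request when `requestMatcher.matches(request)` is true. This is an added example, not code from the original post or from Spring Security; it assumes Spring Security 3.2+ with javax.servlet, and the class names and the `/getLoggingInfo` path suffix are assumptions.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.util.matcher.RequestMatcher;

/** Builds a request cache that only remembers real page navigations (hypothetical helper). */
public final class NavigationOnlyRequestCache {

    /** Decides which unauthenticated requests may become the post-login redirect target. */
    static final class NavigationRequestMatcher implements RequestMatcher {

        // Assumed path suffix of the background interface named in the post.
        private static final String BACKGROUND_SUFFIX = "/getLoggingInfo";

        @Override
        public boolean matches(HttpServletRequest request) {
            // Only a GET can be replayed safely as a redirect target.
            if (!"GET".equalsIgnoreCase(request.getMethod())) {
                return false;
            }
            // Script-initiated calls are never a page the user asked to see.
            if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
                return false;
            }
            // Explicitly skip the interface that overwrote the saved request for A.
            String path = request.getRequestURI().substring(request.getContextPath().length());
            if (path.endsWith(BACKGROUND_SUFFIX)) {
                return false;
            }
            // Browser navigations advertise text/html; JSON and image fetches do not.
            String accept = request.getHeader("Accept");
            return accept != null && accept.contains("text/html");
        }
    }

    private NavigationOnlyRequestCache() {
    }

    /** Returns a cache whose saveRequest ignores everything the matcher rejects. */
    public static HttpSessionRequestCache create() {
        HttpSessionRequestCache cache = new HttpSessionRequestCache();
        cache.setRequestMatcher(new NavigationRequestMatcher());
        return cache;
    }
}
```

The same cache instance has to be the one used by ExceptionTranslationFilter, RequestCacheAwareFilter and the post-login success handler; otherwise one component still saves or reads with the default matcher.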