有没有办法,如何确定使用Spring 3 MVC + Spring security时是否有人已登录?这是我的安全背景:
<beans xmlns:security="http://www.springframework.org/schema/security"
xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http pattern="/resources/**" security="none"/>
<security:http pattern="/login*" security="none" auto-config="true"/>
<security:http pattern="/denied" security="none"/>
<security:http auto-config="true" access-denied-page="/denied" servlet-api-provision="false">
<security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/edit/**" access="ROLE_EDIT"/>
<security:intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
<security:intercept-url pattern="/**" access="ROLE_USER"/>
<security:form-login login-page="/login" authentication-failure-url="/denied"
default-target-url="/"/>
<security:logout/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="adam" password="adampassword" authorities="ROLE_USER"/>
<security:user name="jane" password="janepassword" authorities="ROLE_USER, ROLE_ADMIN"/>
<security:user name="sue" password="suepassword" authorities="ROLE_USER, ROLE_EDIT"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
我可以通过
在主页上确定它<%
User user = (User) SecurityContextHolder.getContext()
.getAuthentication().getPrincipal();
String username = user.getUsername();
%>
然而,在登录页面上它会生成nullpointer异常..: - /
当有人已经登录并且有人试图再次登录时,浏览器会转到myurl.com/home页面,我收到404错误,因为正确的地址应该只是myurl.com/。当没有人登录时,浏览器会重定向到正确的地址。任何想法可能是一个错误?
我的jsp页面:
<%@ page import="org.springframework.security.core.userdetails.User"%>
<%@ page import="org.springframework.security.core.context.SecurityContextHolder"%>
<%@ page import="java.util.Collection"%>
<%@ page import="javax.swing.text.AbstractDocument"%>
<%@ page import="org.springframework.security.core.GrantedAuthority"%>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
</head>
<body>
<div class="form">
<form name="f" action="j_spring_security_check" method="post">
<input type="text" id="username" class="input-block-level"
name="j_username" placeholder="Username"> <input
type="password" id="password" name="j_password"
class="input-block-level" placeholder="Password">
<button class="btn btn-large btn-primary" type="submit">Sign
in</button>
</form>
</div>
</body>
</html>
答案 0 :(得分:4)
Spring Security包含一个JSP标记库,可以通过下一个代码导入:
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
使用导入的,您可以使用jsp标签“sec”(用于安全性),
<sec:authorize access="isAuthenticated()">
... <!-- Code or message to show when user is authenticated -->
</sec:authorize>
在标记内,您可以运行某些代码,显示标记或HTML。
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/taglibs.html
答案 1 :(得分:3)
在jsp中你可以使用
第一个问题:
<sec:authorize access="isAuthenticated()">
the user has logged in
</sec:authorize>
第二个问题:
当某个已登录的机构直接请求登录页面时,您会收到404错误,因为您限制了对此页面的访问权限:
<security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
一种解决方案是使用permitAll访问限制,并在jsp中为已经登录的用户发布一些通知:
<security:intercept-url pattern="/login*" access="permitAll"/>
的login.jsp
<sec:authorize access="isAuthenticated()">
you already logged in.
</sec:authorize>