我正在尝试仅在登录时使用https。
问题是,当应用程序尝试从https切换到http时,我最终会被重定向到登录表单(就好像会话已失效一样)。 当我使用session-fixation-protection="none"时,登出后点击登录,它会重定向回登录页面,我必须再次点击登录。
注销后点击后退按钮还能再次登录,这是不对的。
以下是我正在使用的配置:
<!-- Fragment of a Spring Security (2.x-era, "security:" / "bean" / "context" / "tx" prefixes) application context.
     The enclosing root element and namespace declarations are not shown here.
     Rule order matters: intercept-url entries are evaluated top to bottom and the first match wins. -->
<!-- session-fixation-protection="none" switches off the session-id rotation that normally happens on login,
     so a session id obtained before authentication stays valid after it. Only keep this if the reason is known. -->
<!-- Channel policy below: only the login page and the j_spring_security* endpoints require https; every other
     rule is requires-channel="http". NOTE(review): a session started over https is commonly bound to a cookie the
     browser will only send back over https, which would explain landing on the login form when the app redirects to
     http; it also means the authenticated session (and the remember-me token) would otherwise travel in clear text.
     The usual remedy is requires-channel="https" on all authenticated URLs, not just the login ones. Confirm against
     the container's cookie settings. -->
<security:http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint" session-fixation-protection="none">
<!-- Login page and form-processing endpoints: reachable anonymously, https enforced. -->
<security:intercept-url pattern="/login.do*" access="ROLE_ANONYMOUS,ROLE_ADMIN_RESEARCHER,ROLE_ADMIN_SUPERVISOR,ROLE_ADMIN_ADMINISTRATOR" requires-channel="https"/>
<security:intercept-url pattern="/j_spring_security*" access="ROLE_ANONYMOUS,ROLE_ADMIN_RESEARCHER,ROLE_ADMIN_SUPERVISOR,ROLE_ADMIN_ADMINISTRATOR" requires-channel="https"/>
<!-- filters="none": these paths bypass the security filter chain entirely (no authentication, no channel check).
     Fine for static assets; for the password-change and forgot-password endpoints confirm that unauthenticated,
     plain-http access is really intended. -->
<security:intercept-url pattern="/assets/**" filters="none"/>
<!-- NOTE(review): the trailing "/*" here matches one extra path segment after "change_password.do"; check that
     this is the URL shape the controller actually uses, otherwise the rule never fires. -->
<security:intercept-url pattern="/change_password.do/*" filters="none"/>
<security:intercept-url pattern="/forgot_password.do*" filters="none"/>
<!-- No requires-channel on this rule, unlike its neighbours, so either channel is accepted here. -->
<security:intercept-url pattern="/upload_tracking.do**" access="ROLE_ADMIN_SUPERVISOR"/>
<!-- Administrator-only pages, all forced back to plain http (see the channel note above). -->
<security:intercept-url pattern="/company_alias.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
<security:intercept-url pattern="/contacts.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
<security:intercept-url pattern="/technology.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
<security:intercept-url pattern="/technologyProduct.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
<security:intercept-url pattern="/technologyKeyword.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
<security:intercept-url pattern="/services.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
<!-- Exact duplicate of the previous rule; first match wins, so this line is dead and can be removed. -->
<security:intercept-url pattern="/services.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
<security:intercept-url pattern="/subscriptions.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
<security:intercept-url pattern="/reports.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
<security:intercept-url pattern="/goCsvUpload" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
<security:intercept-url pattern="/admin_user.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
<!-- Catch-all: anything not matched above needs one of the three admin roles and is served over http. -->
<security:intercept-url pattern="/**" access="ROLE_ADMIN_RESEARCHER,ROLE_ADMIN_SUPERVISOR,ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
<!-- Form login: the processing URL must stay under a pattern that requires https (it is covered by /j_spring_security* above). -->
<security:form-login login-page="/login.do" default-target-url="/home.do"
login-processing-url="/j_spring_security_check.do"
always-use-default-target="false"
authentication-failure-url="/login.do?login_error=1"/>
<security:anonymous/>
<!-- remember-me default is two weeks, alter attribute token-validity-seconds if needed -->
<!-- The remember-me cookie is subject to the same channel policy as the session cookie; on http rules it is sent in clear. -->
<security:remember-me/>
<!-- Logout: success page carries ?logout=ok. Whether the server-side session is invalidated here is not visible in
     this fragment (depends on the logout element's defaults / other attributes); verify if "back button still logged in" persists. -->
<security:logout logout-url="/logout.do" logout-success-url="/login.do?logout=ok"/>
</security:http>
<!-- Authentication: user details come from userDetailsService; passwords are checked with passwordEncoder below. -->
<security:authentication-provider user-service-ref="userDetailsService">
<security:password-encoder ref="passwordEncoder">
<!-- Very important! id is used as salt also by the registration process -->
<!-- Cannot use username because it might contain braces, forbidden by the std salt generator -->
<security:salt-source user-property="id"/>
</security:password-encoder>
</security:authentication-provider>
<!-- ShaPasswordEncoder is a single salted SHA digest (no work factor); adequate for the era of this config, but a
     slow adaptive hash is the usual recommendation when this stack is upgraded. -->
<bean id="passwordEncoder" class="org.springframework.security.providers.encoding.ShaPasswordEncoder"/>
<bean id="passwordGenerator" class="com.salebuild.util.PasswordGenerator"/>
<!-- Only @Service-annotated classes under com.salebuild.security are picked up by this scan. -->
<context:component-scan base-package="com.salebuild.security">
<context:include-filter type="annotation"
expression="org.springframework.stereotype.Service"/>
</context:component-scan>
<!-- Enables @Secured on service methods; this is the second line of defence behind the URL rules above. -->
<security:global-method-security secured-annotations="enabled"/>
<!-- Application flag bean; what reads "customerAuthentication" is not shown in this fragment. -->
<bean class="java.lang.Boolean" id="customerAuthentication">
<constructor-arg value="false"/>
</bean>
<tx:annotation-driven/>