我基本上在this post之后在我的服务器上实现了登录功能:
player.stop()
到目前为止,这似乎没有任何麻烦。但是,如果我在登录后立即执行此请求
@Transactional
public void login(String userId, String password) {
LOGGER.debug("Login for " + userId);
User user = new User(userId, password, true, true, true, true, new ArrayList<GrantedAuthority>());
Authentication auth = new UsernamePasswordAuthenticationToken(user, password,
new ArrayList<GrantedAuthority>());
try {
auth = this.authenticationProvider.authenticate(auth);
} catch(BadCredentialsException e) {
LOGGER.debug("Bad credentials ..");
throw new RuntimeException(e.getMessage());
}
LOGGER.debug("User successfully authenticated [userId="+userId+"]");
SecurityContext sc = new SecurityContextImpl();
sc.setAuthentication(auth);
SecurityContextHolder.setContext(sc);
}
结果是这里的例外:
@PreAuthorize("hasPermission('ADMIN')")
public void test(String msg) {
LOGGER.debug("test: " + msg);
}
阅读Caused by: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:378)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:222)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:653)
at com.mz.server.web.service.LoginService$$EnhancerBySpringCGLIB$$caf0e62d_2.test(<generated>)
at com.mz.server.web.servlet.LoginServletImpl.test(LoginServletImpl.java:99)
它说:
将新
SecurityContextHolder.setContext()与当前执行线程关联。
所以我想我的问题是我不明白Spring如何回忆刚刚登录我系统的用户,现在想继续进行经过身份验证的请求。
为什么我不只是被重定向到SecurityContext?
春天上下文:
/login的web.xml
<!-- //////////////////////////////////////////////////////////////////////////////// -->
<!-- // BEGIN Spring Security -->
<sec:http auto-config="true" use-expressions="true"/>
<bean id="httpSessionSecurityContextRepository" class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
<property name='allowSessionCreation' value='false' />
</bean>
<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<constructor-arg ref="httpSessionSecurityContextRepository" />
</bean>
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
<list>
<sec:filter-chain pattern="/**" filters="securityContextPersistenceFilter" />
</list>
</constructor-arg>
</bean>
<bean id="authenticationListener" class="com.mz.server.web.auth.CustomAuthenticationListener"/>
<bean id="authenticationProvider" class="com.mz.server.web.auth.CustomAuthenticationProvider"/>
<bean id="userDetailsService" class="com.mz.server.web.service.CustomUserDetailsService"/>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="authenticationProvider"/>
</sec:authentication-manager>
<sec:global-method-security
authentication-manager-ref="authenticationManager"
pre-post-annotations="enabled"/>
<!-- // END Spring Security -->
<!-- //////////////////////////////////////////////////////////////////////////////// -->
答案 0 :(得分:4)
我知道你的痛苦,我有一段时间搞清楚Spring Security。真的在争论它是否值得。但是您可能需要添加SecurityContextPersistenceFilter。这将通常使用JSessionID中的HttpSession自动将您的凭据添加到SecurityContext。我有一个自定义身份验证处理程序,所以我的代码中有一些额外的部分是不相关的,但我认为这可能会让你指向正确的方向。
{{1}}