我正在尝试使用自定义登录表单来使用Spring Security 3.0。
默认登录表单可以正常使用下面的安全配置。然后我添加了form-login属性,创建了登录控制器和jsp页面来处理/ accounts / logIn URL,现在出现了这个问题:当我输入guest / guest凭据时,我被发送回logIn页面。
我在catalina.out日志中注意到的一件事是成功的检查是在/ j_security_check,而不成功的检查是在查看/ accounts / j_security_check。
这是我的security-config.xml:
<http auto-config="true" use-expressions="true">
<form-login login-page="/accounts/logIn" /><!--ADDED THIS AFTER TESTING DEFAULT LOGIN-->
<intercept-url pattern="/accounts/logIn" access="permitAll()"/>
<intercept-url pattern="/**" access="isAuthenticated()"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user authorities="ROLE_USER" name="guest" password="guest"/>
</user-service>
</authentication-provider>
</authentication-manager>
以下是相似的catalina.out部分:
DEBUG: org.springframework.security.web.FilterChainProxy - Candidate is: '/accounts/j_spring_security_check'; pattern is /**; matched=true
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 1 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@8cbb423'
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.sessi\
on.StandardSessionFacade@4679cf8c. A new one will be created.
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 2 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@5d49453c'
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 3 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@756095fc'
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 4 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.authentication.www.BasicAuthenticationFilter@18170f98'
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 5 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1200d083'
DEBUG: org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
DEBUG: org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: arg1=null; arg2=j_username=guest&j_password=guest (property not equals)
DEBUG: org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 6 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@737951b0'
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 7 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@49c06a6d'
DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.secur\
ity.authentication.AnonymousAuthenticationToken@6faaf9b0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.securit\
y.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: 0560416CA2D07AFF3040E75867157A95; Granted Authorities: ROLE_ANON\
YMOUS'
答案 0 :(得分:4)
应该发生的是,您的表单应该捕获用户名和密码,然后在j_spring_security_check入口点POST作为参数的凭据; e.g。
/accounts/j_spring_security_check?j_username=guest&j_password=guest
然后应该检查它们,如果它们是正确的,请将详细信息添加到用户的会话中,然后重定向回到用户首先尝试访问的页面。
但是,看起来过滤器链正在重定向j_spring_security_check网址的请求。
我可以想到两个可能的原因:
安全检查网址"/accounts/j_spring_security_check"可能不正确。您可以尝试使用"/j_spring_security_check"。
已配置<intercept-url>元素,以便对安全检查URL的请求需要某些权限。 (在这种情况下,"/**"的catch-all元素似乎是问题所在。)这是不正确的。您需要配置<intercept-url>元素,以便在请求者匿名时允许对安全检查URL的请求。
答案 1 :(得分:0)
登录页面似乎将您重定向回登录页面。您可以使用default-target-url元素上的form-login属性来指定登录后页面的去向。
例如,
<form-login default-target-url="/accounts/home" login-page="accounts/logIn" />