I am trying to understand spring-web security. For that I created a web application with a login page and two different users.
The LoginController class handles three kinds of URLs.
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

// The post shows only the three handler methods; the imports and the class
// declaration around them are assumed from the class name given above.
@Controller
public class LoginController {

    /*
     * Used to guide the user to the login page.
     */
    @RequestMapping(value = "/login/login.htm", method = RequestMethod.GET)
    public ModelAndView login() {
        ModelAndView modelAndView = new ModelAndView("login");
        System.out.println("Rendering login page.................");
        return modelAndView;
    }

    /*
     * Processes the successful login and sends the user to the Admin/User page as per the role.
     */
    @RequestMapping(value = "/login/success")
    public ModelAndView loginSuccess(HttpServletRequest request) {
        ModelAndView modelAndView = new ModelAndView();
        // Collect the names of the authorities granted to the authenticated principal
        Set<String> roles = AuthorityUtils
                .authorityListToSet(SecurityContextHolder.getContext()
                        .getAuthentication().getAuthorities());
        System.out.println("ROLES: " + roles);
        if (roles.contains("USER_ADMIN")) {
            modelAndView.setViewName("admin");
        } else {
            modelAndView.setViewName("user");
        }
        return modelAndView;
    }

    /*
     * The admin page has a hyperlink to the manage user page. It is handled here.
     */
    @RequestMapping(value = "/admin/manageUser.htm", method = RequestMethod.GET)
    public ModelAndView manageUser() {
        ModelAndView modelAndView = new ModelAndView("manageUser");
        return modelAndView;
    }
}
web.xml
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/SecurityConfig.xml</param-value>
</context-param>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
In Spring Security, I restricted all URLs under 'admin/' & 'user/':
<http auto-config="true">
    <intercept-url pattern="/admin/**" access="hasRole('USER_ADMIN')"/>
    <intercept-url pattern="/user/**" access="hasRole('USER_GUEST')"/>
    <form-login login-page="/login/login.htm"
                username-parameter="userName" password-parameter="password"
                login-processing-url="/j_spring_security_check"
                authentication-success-forward-url="/login/success"/>
    <remember-me/>
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="renju" password="12345" authorities="USER_ADMIN"/>
            <user name="guest" password="guest" authorities="USER_GUEST"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
When I try 'http://localhost:8080/SpringWebSecurityThree-0.0.1-SNAPSHOT/login/login.htm', the application opens the custom login page.
After providing the admin username and password, the application opens the admin page.
Now when I click 'ManageUser', I expect the application to take me to the manage user page. But it says "Access Denied".
I think it is related to the intercept-url.
Could you help me fix this?
I am also posting the jsp pages..
login.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<c:if test="${not empty error}">
<c:out value="${error}"></c:out>
</c:if>
<form action="../j_spring_security_check" method="post">
<table>
<tr>
<td>UserName</td>
<td><input type="text" name="userName"></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="password"></td>
</tr>
<tr>
<td><input type="submit" name="LOGIN"></td>
</tr>
</table>
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
</form>
</body>
</html>
admin.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@ page session="true" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
Admin Page !!!!!!!!!!
<a href="${pageContext.request.contextPath}/admin/manageUser.htm">ManageUser</a>
<% session.setAttribute("userType", "admin"); %>
</body>
</html>
manageuser.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ page session="true" %>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
Managing User....
<br/>
Logged In UserType:
<%
out.println(session.getAttribute("userType"));
%>
</body>
</html>
Answer 0 (score: 0)
You are using create-session="never", which would require doing "re-authentication" for each of your requests.
<http auto-config="true" create-session="never">
<intercept-url pattern="/admin/**" access="hasRole('USER_ADMIN')"/>
<intercept-url pattern="/user/**" access="hasRole('USER_GUEST')"/>
<form-login login-page="/login/login.htm"
username-parameter="userName" password-parameter="password"
login-processing-url="/j_spring_security_check"
authentication-success-forward-url="/login/success"/>
<remember-me/>
</http>
This is usually used in cases where cookie/session based authentication is not supported or implemented. Make sure you decide on your strategy.
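As an added example, not code from the question or the answer, here is a SecurityConfig.xml that writes the `<http>` element two ways: the `create-session="never"` variant the answer refers to (kept in a comment, with what that policy does), and the default `create-session="ifRequired"`, under which the authentication established by the form login is stored in the HTTP session and found again on the later request for /admin/manageUser.htm. The file name, the schema header and the `/**` deny-by-default rule are assumptions; the users, URL patterns and form-login attributes are the question's. The access checks are also switched to `hasAuthority()`, because on Spring Security 4.x `hasRole('USER_ADMIN')` looks for an authority named `ROLE_USER_ADMIN`, which with the `authorities="USER_ADMIN"` users in the question is another way to end up with "Access Denied".

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical SecurityConfig.xml assembled for illustration; not the poster's file. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <!--
      Variant A (the setting the answer names). create-session="never" tells
      Spring Security never to create an HttpSession itself, so the SecurityContext
      built by the form login is only stored if some other component already
      created a session. When it is not, the next request to /admin/manageUser.htm
      arrives anonymous and the hasRole() check fails with Access Denied.

        <http auto-config="true" create-session="never" use-expressions="true">
            <intercept-url pattern="/admin/**" access="hasRole('USER_ADMIN')"/>
            <intercept-url pattern="/user/**"  access="hasRole('USER_GUEST')"/>
            <form-login login-page="/login/login.htm"
                        username-parameter="userName" password-parameter="password"
                        login-processing-url="/j_spring_security_check"
                        authentication-success-forward-url="/login/success"/>
            <remember-me/>
        </http>
    -->

    <!-- Variant B: session-backed login, deny by default. -->
    <http auto-config="true" create-session="ifRequired" use-expressions="true">
        <!-- The login page itself must be reachable without authentication. -->
        <intercept-url pattern="/login/**" access="permitAll"/>
        <!-- hasAuthority() compares the granted authority string exactly, so it
             matches authorities="USER_ADMIN" below on Spring Security 3.x and 4.x
             alike; hasRole('USER_ADMIN') on 4.x would look for ROLE_USER_ADMIN. -->
        <intercept-url pattern="/admin/**" access="hasAuthority('USER_ADMIN')"/>
        <intercept-url pattern="/user/**"  access="hasAuthority('USER_GUEST')"/>
        <!-- Anything not matched above requires an authenticated user (assumed rule). -->
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <form-login login-page="/login/login.htm"
                    username-parameter="userName" password-parameter="password"
                    login-processing-url="/j_spring_security_check"
                    authentication-success-forward-url="/login/success"/>
        <remember-me/>
    </http>

    <!-- Same in-memory users as the question. The authority names are kept as they
         are so the controller's roles.contains("USER_ADMIN") check still holds. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="renju" password="12345" authorities="USER_ADMIN"/>
                <user name="guest" password="guest" authorities="USER_GUEST"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

The quickest way to confirm which of the two causes applies is the `ROLES:` line the controller already prints on /login/success: if it shows `[USER_ADMIN]` but /admin/manageUser.htm is still denied, the authority name or the session policy is the problem rather than the login itself.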