Spring Web Security: cannot access page after successful login

Time: 2016-11-16 06:18:38

Tags: java jsp spring-mvc spring-security

I am trying to understand Spring web security. For this I created a web application with a login page and two different users:

  1. Admin
  2. User/Guest

The LoginController class handles three kinds of URLs.

    import java.util.Set;

    import javax.servlet.http.HttpServletRequest;

    import org.springframework.security.core.authority.AuthorityUtils;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.servlet.ModelAndView;

    @Controller
    public class LoginController {

        /*
          Used to guide the user to login page
        */
        @RequestMapping(value="/login/login.htm", method=RequestMethod.GET)
        public ModelAndView login(){
            ModelAndView modelAndView = new ModelAndView("login");
            System.out.println("Rendering login page.................");
            return modelAndView;
        }

        /*
          Process the successful login and redirects user to Admin/User page as per the role.
        */
        @RequestMapping(value="/login/success")
        public ModelAndView loginSuccess(HttpServletRequest request){
            ModelAndView modelAndView = new ModelAndView();

            // Collect the granted authority names of the currently authenticated principal
            Set<String> roles = AuthorityUtils
                    .authorityListToSet(SecurityContextHolder.getContext()
                            .getAuthentication().getAuthorities());
            System.out.println("ROLES: "+roles);

            if(roles.contains("USER_ADMIN")){
                modelAndView.setViewName("admin");
            }else{
                modelAndView.setViewName("user");
            }

            return modelAndView;
        }

        /*
          Admin page has a hyper link to access the manage user page. It is handled here.
        */
        @RequestMapping(value="/admin/manageUser.htm", method=RequestMethod.GET)
        public ModelAndView manageUser(){
            ModelAndView modelAndView = new ModelAndView("manageUser");
            return modelAndView;
        }
    }
    

web.xml

    <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/SecurityConfig.xml</param-value>
    </context-param>
    
    <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    
    
    <servlet>
      <servlet-name>mvc-dispatcher</servlet-name>
      <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
      <servlet-name>mvc-dispatcher</servlet-name>
      <url-pattern>/</url-pattern>
    </servlet-mapping>
    
    
    <!-- Spring Security -->
    <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    
    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    

In the Spring Security configuration, I restrict all URLs under 'admin/' and 'user/':

    <http auto-config="true">
        <intercept-url pattern="/admin/**" access="hasRole('USER_ADMIN')"/>
        <intercept-url pattern="/user/**" access="hasRole('USER_GUEST')"/>
        <form-login login-page="/login/login.htm" 
            username-parameter="userName" password-parameter="password"
            login-processing-url="/j_spring_security_check"
            authentication-success-forward-url="/login/success"/>
    
        <remember-me/>
    
    </http>
    
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="renju" password="12345" authorities="USER_ADMIN"/>
                <user name="guest" password="guest"  authorities="USER_GUEST"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
    

When I try 'http://localhost:8080/SpringWebSecurityThree-0.0.1-SNAPSHOT/login/login.htm', the application opens the custom login page.

After providing the admin username and password, the application opens the admin page.


Now, when I click 'ManageUser', I expect the application to take me to the manage-user page. But it says "Access Denied".


I think it has something to do with the intercept-url.

Could you help me solve this problem?

I am also posting the JSP pages.

login.jsp

    <%@ page language="java" contentType="text/html; charset=UTF-8"
        pageEncoding="UTF-8"%>
    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Insert title here</title>
    </head>
    <body>
        <c:if test="${not empty error}">
            <c:out value="${error}"></c:out>
        </c:if>
        <form action="../j_spring_security_check" method="post">
    
            <table>
    
                <tr>
                    <td>UserName</td>
                    <td><input type="text" name="userName"></td>
                </tr>
                <tr>
                    <td>Password</td>
                    <td><input type="password" name="password"></td>
                </tr>
    
                <tr>
                    <td><input type="submit" name="LOGIN"></td>
                </tr>
            </table>
    
            <input type="hidden" name="${_csrf.parameterName}"
                value="${_csrf.token}" />
    
    
        </form>
    
    </body>
    </html>
    

admin.jsp

    <%@ page language="java" contentType="text/html; charset=UTF-8"
        pageEncoding="UTF-8"%>
    <%@ page session="true" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Insert title here</title>
    </head>
    <body>
        Admin Page !!!!!!!!!!
        <a href="${pageContext.request.contextPath}/admin/manageUser.htm">ManageUser</a>
        <% session.setAttribute("userType", "admin"); %>
    </body>
    </html>
    

manageuser.jsp

    <%@ page language="java" contentType="text/html; charset=UTF-8"
        pageEncoding="UTF-8"%>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <%@ page session="true" %>
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Insert title here</title>
    </head>
    <body>
        Managing User....
        <br/>
        Logged In UserType: 
        <%
            out.println(session.getAttribute("userType"));
        %>
    </body>
    </html>
    

1 Answer:

Answer 0: (score: 0)

You are using create-session="never", which will require "re-authentication" for each of your requests.

    <http auto-config="true" create-session="never">
      <intercept-url pattern="/admin/**" access="hasRole('USER_ADMIN')"/>
      <intercept-url pattern="/user/**" access="hasRole('USER_GUEST')"/>
      <form-login login-page="/login/login.htm" 
         username-parameter="userName" password-parameter="password"
         login-processing-url="/j_spring_security_check"
         authentication-success-forward-url="/login/success"/>

      <remember-me/>
    </http>

This is typically used when cookie/session-based authentication is not supported or implemented. Make sure you have decided on your strategy.
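As an added illustration (not part of the question or the answer above), here is the question's `<http>` element with the session policy written out in both forms. The first block is the setting the answer refers to; the second uses `ifRequired`, which is Spring Security's default when the attribute is omitted. The point to see is where the authentication lives between requests: the forward to `/login/success` runs inside the same request that processed the login, so the roles are visible there regardless of the policy, but the later GET of `/admin/manageUser.htm` is a new request and is only authenticated if the SecurityContext was stored in an HttpSession. The beans root element and security namespace declaration are assumed to be the same as in the question's SecurityConfig.xml and are not repeated here.

```xml
<!-- Added example, not the asker's or the answerer's file. Users, roles and
     URLs are those from the question; the surrounding <beans> root with the
     security namespace is assumed and omitted. -->

<!-- create-session="never": Spring Security will not create an HttpSession
     on its own to store the SecurityContext after login. The forward to
     /login/success still sees the authentication because it happens within
     the login request; a later request to /admin/manageUser.htm arrives
     without stored authentication and the intercept-url rule denies it. -->
<http auto-config="true" create-session="never">
    <intercept-url pattern="/admin/**" access="hasRole('USER_ADMIN')"/>
    <intercept-url pattern="/user/**" access="hasRole('USER_GUEST')"/>
    <form-login login-page="/login/login.htm"
        username-parameter="userName" password-parameter="password"
        login-processing-url="/j_spring_security_check"
        authentication-success-forward-url="/login/success"/>
    <remember-me/>
</http>

<!-- create-session="ifRequired" (the default; omitting the attribute has the
     same effect): Spring Security may create a session on successful login
     and saves the SecurityContext in it, so every later request in that
     session carries the authenticated principal and its authorities. -->
<http auto-config="true" create-session="ifRequired">
    <intercept-url pattern="/admin/**" access="hasRole('USER_ADMIN')"/>
    <intercept-url pattern="/user/**" access="hasRole('USER_GUEST')"/>
    <form-login login-page="/login/login.htm"
        username-parameter="userName" password-parameter="password"
        login-processing-url="/j_spring_security_check"
        authentication-success-forward-url="/login/success"/>
    <remember-me/>
</http>
```

A second thing worth checking, which depends on the Spring Security version and is not something the page states: on Spring Security 4.x, `hasRole('USER_ADMIN')` matches the authority `ROLE_USER_ADMIN`, whereas the question's `<user-service>` grants the bare authority `USER_ADMIN`; on 3.x, `hasRole` compares the name as given. `hasAuthority('USER_ADMIN')` matches the bare name on both, as does naming the authorities `ROLE_USER_ADMIN` and `ROLE_USER_GUEST` in the user service. Printing the roles from `SecurityContextHolder`, as the question's `loginSuccess` method already does, shows exactly which names the expression is being evaluated against.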
