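Spring Security intercept-url: cannot get through the custom login

Date: 2017-08-19 00:35:41

Tags: java spring security spring-security

I am trying to authenticate a user defined in code through an HTML login page; this is my configuration.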

<security:http auto-config="true">

 <security:intercept-url pattern="/**" access="hasRole('ROLE_Usuario')" />

 <security:form-login
        login-page="/login"
        default-target-url="/inicio"
        authentication-failure-url="/login"
        username-parameter="nombreUsuario"
        password-parameter="contrasena" />
        <security:logout logout-success-url="/login" />         

 </security:http>

 <security:authentication-manager>
 <security:authentication-provider>
 <security:user-service>
 <security:user name="manuel" password="1234" authorities="ROLE_Usuario" />
 </security:user-service>
 </security:authentication-provider>
 </security:authentication-manager>

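If I use pattern="/" I cannot reach the login JSP, and the controller never gets the request because of a 403 error. If I put pattern=/inicio/, which is the first page after login, the application only protects /inicio and no other page, and besides that login.jsp does not authenticate correctly.

Can someone explain how to protect my pages while keeping the public logic and resources accessible, so that the pages can correctly fetch the JavaScript and CSS files and the application can carry out the authentication process?

I would like to add something about Spring Security: I configured it with the DispatcherServlet rather than the ContextLoaderListener. Could this be the problem? I will try it and test it.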

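2 answers:

Answer 0: (score: 1)

You can add an interceptor for anonymous user access before the interceptor for authenticated users.

In this example, /inicio has permitAll, which means any user can access it. (Put this interceptor at the top.)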

 <security:intercept-url pattern="/inicio" access="permitAll()" />

Now /resources/** will also be accessible to all users. (Put this interceptor second.) This assumes you have a resources folder containing the .js and .css files.

 <security:intercept-url pattern="/resources/**" access="permitAll()" />

After this comes the private access. Spring Security evaluates the interceptors in the order in which you place them.

 <security:intercept-url pattern="/**" access="hasRole('ROLE_Usuario')" />
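
The first-match ordering described in this answer can be checked mechanically. The following is an added example, not part of the original answer or of Spring Security: a small Python audit that reads a security:http block and reports when the login page or a static file is caught by a restricted rule, or when a rule sits after /**. The Ant-pattern matcher is a simplified stand-in, and the public /login rule and the /resources/app.css probe path are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"security": "http://www.springframework.org/schema/security"}

def ant_to_regex(pattern):
    # Simplified stand-in for Spring's Ant-style matching (assumption, not Spring code):
    # "/**" spans any depth, "*" stays inside one path segment.
    rx = re.escape(pattern).replace(r"/\*\*", "(/.*)?").replace(r"\*", "[^/]*")
    return re.compile(rx + r"\Z")

def first_match(rules, path):
    # Spring Security applies the first intercept-url whose pattern matches.
    return next(((p, a) for p, a in rules if ant_to_regex(p).match(path)), (None, None))

def audit(http_xml, static_probe="/resources/app.css"):
    http = ET.fromstring(http_xml)
    rules = [(e.get("pattern"), e.get("access"))
             for e in http.findall("security:intercept-url", NS)]
    form = http.find("security:form-login", NS)
    probes = [("static resource", static_probe)]
    if form is not None and form.get("login-page"):
        probes.insert(0, ("login page", form.get("login-page")))
    findings = []
    for label, path in probes:
        pattern, access = first_match(rules, path)
        if access and not access.startswith("permitAll"):
            findings.append(f"{label} {path} hits {pattern} -> {access}")
    # Any rule placed after the catch-all can never be selected.
    catch_all = [i for i, (p, _) in enumerate(rules) if p == "/**"]
    if catch_all:
        findings += [f"{p} is unreachable after /**" for p, _ in rules[catch_all[0] + 1:]]
    return findings

# Constructed sample configs, trimmed from the XML shown on this page.
HEAD = ('<security:http auto-config="true" '
        'xmlns:security="http://www.springframework.org/schema/security">')
FORM = '<security:form-login login-page="/login" default-target-url="/inicio"/></security:http>'
ROLE = '<security:intercept-url pattern="/**" access="hasRole(\'ROLE_Usuario\')"/>'
OPEN = ('<security:intercept-url pattern="/login" access="permitAll()"/>'
        '<security:intercept-url pattern="/resources/**" access="permitAll()"/>')

QUESTION = HEAD + ROLE + FORM         # only the catch-all rule, as in the question
FIXED = HEAD + OPEN + ROLE + FORM     # public rules first, catch-all last
WRONG_ORDER = HEAD + ROLE + OPEN + FORM

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(name, audit(cfg))
```
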

Answer 1: (score: 1)

Here is a complete working approach; please see whether it helps you reach a solution:

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.spring.security.demoxml</groupId>
    <artifactId>xml-spring-security-demo</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>war</packaging>
    <properties>
        <spring.version>4.3.10.RELEASE</spring.version>
        <spring.security.version>4.2.3.RELEASE</spring.security.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>${spring.version}</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>${spring.security.version}</version>
        </dependency>

    </dependencies>


</project>

web.xml: make sure your springSecurityFilterChain is in your web.xml, as shown below:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>WEB-INF/spring-servlet.xml</param-value>
    </context-param>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>

spring-servlet.xml: the dispatcher servlet configuration. I use the same dispatcher servlet configuration to hold all the security configuration; of course this is not good practice, it is just an example.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <context:component-scan base-package="com.mydemo.spring" ></context:component-scan>

    <security:http auto-config="true">
        <security:intercept-url pattern="/index" access="permitAll()" />
        <security:intercept-url pattern="/**" access="hasRole('ROLE_Usuario')"></security:intercept-url>
        <security:form-login authentication-success-forward-url="/private" default-target-url="/private" username-parameter="username" password-parameter="password"/>
        <security:logout logout-success-url="/login" logout-url="/logout"></security:logout>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="manuel" password="1234" authorities="ROLE_Usuario" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

MainController.java: the main controller has two RequestMappings, /index for public access and /private for private access.

package com.mydemo.spring.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class MainController {

    @RequestMapping(value = "/index")
    public String main(){
        return "index";
    }

    @RequestMapping(value = "/private")
    public String getPrivate(){
        return "private";
    }
}

Application.java (here is the configuration of the internal resource view resolver)

package com.mydemo.spring;


import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.DefaultServletHandlerConfigurer;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.view.InternalResourceViewResolver;

@Configuration
@EnableWebMvc
public class Application extends WebMvcConfigurerAdapter
{

    @Bean
    public InternalResourceViewResolver getViewResolver(){
        InternalResourceViewResolver c = new InternalResourceViewResolver();
        c.setPrefix("/");
        c.setSuffix(".jsp");
        return c;
    }

    @Override
    public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer){
        configurer.enable();

    }
}

index.jsp (public access)

<html lang="en">
<head>
    <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
    <title>Document</title>
</head>
<body>
<h1>hi</h1>
</body>
</html>

login.jsp (login page)

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>Login</title>
</head>
<body>
<form action="/login" method="post">
    <div><label> User Name : <input type="text" name="username"/> </label></div>
    <div><label> Password: <input type="password" name="password"/> </label></div>
    <div><input type="submit" value="Sign In"/></div>
</form>
</body>
</html>

private.jsp (private section)