我正在使用Spring Security 5.1.1。我正在尝试为我的应用程序创建两个安全入口点:一个用于REST,另一个用于应用程序的安全url。我通过为authenticationManager实现CustomAuthenticationProvider创建了AuthenticationProvider。
我正在遵循中的示例:
Spring Security for a REST API和
Spring Security – Two Security Realms in one Application
但是在登录页面上,当我输入用户名和密码时,它根本没有命中CustomAuthenticationProvider.authenticate()方法,而是进入了logout.html。
以下是我的http的xml代码段:
<!-- Configuration for API -->
<security:http entry-point-ref="restAuthEntryPoint" pattern="/api/**" use-expressions="true">
<intercept-url pattern="/api/**" access="hasAnyRole('ROLE_DRIVER','ROLE_PARENT') and isAuthenticated()"/>
<intercept-url pattern="/api/driver/**" access="hasRole('ROLE_DRIVER') and isAuthenticated()"/>
<intercept-url pattern="/api/parent/**" access="hasRole('ROLE_PARENT') and isAuthenticated()"/>
<form-login
authentication-success-handler-ref="apiSuccessHandler"
authentication-failure-handler-ref="apiFailureHandler" />
<custom-filter ref="apiAuthenticationFilter" after="BASIC_AUTH_FILTER" />
<logout />
</security:http>
<beans:bean id="apiAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<beans:constructor-arg name="authenticationEntryPoint" ref="restAuthEntryPoint"/>
<beans:constructor-arg name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<beans:bean id="restAuthEntryPoint"
class="com.main.sts.api.security.RestAuthenticationEntryPoint"/>
<beans:bean id="apiSuccessHandler"
class="com.main.sts.api.security.MySavedRequestAwareAuthenticationSuccessHandler"/>
<beans:bean id="apiFailureHandler" class=
"org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"/>
<!-- Configuration for Rest-API finished-->
<security:http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
<intercept-url pattern="/school_admin/*"
access="hasAnyRole('ROLE_SCHOOLADMIN','ROLE_GUEST','ROLE_SCHOOLTEACHER','ROLE_PARENT')" />
<form-login login-page="/login" authentication-failure-url="/loginfailed"/>
<!-- <custom-filter before="FORM_LOGIN_FILTER" ref="userAuthenticationProcessingFilter" /> -->
<logout invalidate-session="true" logout-success-url="/logout" />
<access-denied-handler error-page="/404" />
<session-management invalid-session-url="/logout.html">
</session-management>
<sec:headers >
<sec:cache-control />
<sec:hsts/>
</sec:headers>
</security:http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="customAuthenticationProvider" />
</authentication-manager>
<beans:bean id="customAuthenticationProvider" class="com.main.sts.util.CustomAuthenticationProvider">
<beans:property name="loginService" ref="loginService" />
</beans:bean>
即使我注释掉了REST-api的配置,我仍然不会碰到该类。
这是我的CustomAuthenticationProvider:
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication) {
// **I never hit this class**
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
过滤器已在web.xml中正确定义:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
springSecurityFilterChain / *
在登录jsp中,我设置了如下表格:
<form class="form-vertical login-form" name='f' action="<c:url value='j_spring_security_check' />" method="post">
我无法访问安全的URL,它带我进入登录页面;这意味着-此过滤器有效。但是为什么我不能点击CustomAuthenticationProvider?为什么要转到logout.html ???
我也尝试过实现自定义过滤器(最终将authenticationManager设置为属性);但仍然没有运气。
我还检查了日志文件,但其中没有任何内容。
顺便说一句,如果我尝试通过curl访问,我会得到Http status 403 (forbidden). The server understood the request but refuses to authorize it.
curl -i -X POST -d username=admin -d password=Admin123 http://localhost:8080/sts/api/login
请帮助我找出问题所在。
答案 0 :(得分:0)
Alhamdulillah,我终于找到了问题。我最初开始的代码库是在Spring 2.5上实现的。我已经将Spring版本升级到5.1。基本上/ j_spring_security_check,j_username和j_password已被弃用。 现在,我已经相应地更改了我的jsp,并且现在可以使用了。
没有任何错误或警告消息很奇怪。