Redirected to the login form after a successful login

Date: 2019-01-17 09:33:52

Tags: spring spring-mvc spring-security

I have a Spring MVC website (v5.1.2) and I am developing a REST API with basic authentication. Now I need some pages with forms for uploading large files, and I want a login form to access those pages.

I am using Spring's default login form and have configured my application with the following configuration class:

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Autowired
    @Qualifier("customUserDetailsService")
    UserDetailsService userDetailsService;

    @Autowired
    DataSource dataSource;

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
        auth.authenticationProvider(authenticationProvider());
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(userDetailsService);
        authenticationProvider.setPasswordEncoder(passwordEncoder);
        return authenticationProvider;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // REST API rules: HTTP Basic for /api/** with role ADMIN.
        // Note: sessionManagement() applies to the whole filter chain, not only to /api/**.
        http.csrf().disable()
                .authorizeRequests()
                //.antMatchers("login.html","**").permitAll()
                .antMatchers("/api/**").hasRole("ADMIN")
                //.antMatchers("/api/**").authenticated()
                .and().httpBasic().realmName(CustomBasicAuthenticationEntryPoint.REALM).authenticationEntryPoint(getBasicAuthEntryPoint())
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Web page rules: default form login, everything else must be authenticated.
        http.authorizeRequests().antMatchers("login*").permitAll().anyRequest().authenticated().and()
                .formLogin().defaultSuccessUrl("/home.html",true).failureUrl("/login?login_error=1")/*.loginPage("/login.html").loginProcessingUrl("/login").defaultSuccessUrl("/hello.html",true).failureForwardUrl("/login.html")
                .usernameParameter("username").passwordParameter("password")*/;
    }

    @Bean
    public CustomBasicAuthenticationEntryPoint getBasicAuthEntryPoint(){
        return new CustomBasicAuthenticationEntryPoint();
    }

}
```

If the login fails, I see the Bad Credentials message and the URL with the query parameter. After a correct login I can see in the Chrome console that it goes to home.html, but after the 302 redirect it goes to /login again. So... after a successful login, it asks me to log in again.

Where is my mistake?

Thanks!

EDIT:

Here is my debug log:

```text
(CompositeSessionAuthenticationStrategy.java:87) - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@140bfb00
(AbstractAuthenticationProcessingFilter.java:312) - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d823b1ed: Principal: org.springframework.security.core.userdetails.User@677d9ddb: Username: bar@foo.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B2A4A0CE1260CE33BB9663E7C4F4D0A2; Granted Authorities: ROLE_ADMIN
(DefaultRedirectStrategy.java:54) - Redirecting to '/home.html'
(HstsHeaderWriter.java:129) - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@682780f8
(HttpSessionSecurityContextRepository.java:380) - SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@d823b1ed: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d823b1ed: Principal: org.springframework.security.core.userdetails.User@677d9ddb: Username: bar@foo.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B2A4A0CE1260CE33BB9663E7C4F4D0A2; Granted Authorities: ROLE_ADMIN' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade@2b36c88f
(SecurityContextPersistenceFilter.java:119) - SecurityContextHolder now cleared, as request processing completed
(FilterChainProxy.java:328) - /home.html at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
(FilterChainProxy.java:328) - /home.html at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
(HttpSessionSecurityContextRepository.java:210) - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@d823b1ed: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d823b1ed: Principal: org.springframework.security.core.userdetails.User@677d9ddb: Username: bar@foo.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B2A4A0CE1260CE33BB9663E7C4F4D0A2; Granted Authorities: ROLE_ADMIN'
(FilterChainProxy.java:328) - /home.html at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
(FilterChainProxy.java:328) - /home.html at position 4 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', GET]
(AntPathRequestMatcher.java:176) - Checking match of request : '/home.html'; against '/logout'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', POST]
(AntPathRequestMatcher.java:156) - Request 'GET /home.html' doesn't match 'POST /logout'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', PUT]
(AntPathRequestMatcher.java:156) - Request 'GET /home.html' doesn't match 'PUT /logout'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', DELETE]
(AntPathRequestMatcher.java:156) - Request 'GET /home.html' doesn't match 'DELETE /logout'
(OrRequestMatcher.java:72) - No matches found
(FilterChainProxy.java:328) - /home.html at position 5 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
(AntPathRequestMatcher.java:156) - Request 'GET /home.html' doesn't match 'POST /login'
(FilterChainProxy.java:328) - /home.html at position 6 of 14 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
(FilterChainProxy.java:328) - /home.html at position 7 of 14 in additional filter chain; firing Filter: 'DefaultLogoutPageGeneratingFilter'
(AntPathRequestMatcher.java:176) - Checking match of request : '/home.html'; against '/logout'
(FilterChainProxy.java:328) - /home.html at position 8 of 14 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
(FilterChainProxy.java:328) - /home.html at position 9 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
(HttpSessionRequestCache.java:95) - saved request doesn't match
(FilterChainProxy.java:328) - /home.html at position 10 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
(FilterChainProxy.java:328) - /home.html at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
(AnonymousAuthenticationFilter.java:106) - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d823b1ed: Principal: org.springframework.security.core.userdetails.User@677d9ddb: Username: bar@foo.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B2A4A0CE1260CE33BB9663E7C4F4D0A2; Granted Authorities: ROLE_ADMIN'
(FilterChainProxy.java:328) - /home.html at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
(FilterChainProxy.java:328) - /home.html at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
(FilterChainProxy.java:328) - /home.html at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
(AntPathRequestMatcher.java:176) - Checking match of request : '/home.html'; against '/api/**'
(AntPathRequestMatcher.java:176) - Checking match of request : '/home.html'; against 'login*'
(AbstractSecurityInterceptor.java:219) - Secure object: FilterInvocation: URL: /home.html; Attributes: [authenticated]
(AbstractSecurityInterceptor.java:348) - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d823b1ed: Principal: org.springframework.security.core.userdetails.User@677d9ddb: Username: bar@foo.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B2A4A0CE1260CE33BB9663E7C4F4D0A2; Granted Authorities: ROLE_ADMIN
(AffirmativeBased.java:66) - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@4098e795, returned: 1
(AbstractSecurityInterceptor.java:243) - Authorization successful
(AbstractSecurityInterceptor.java:256) - RunAsManager did not change Authentication object
(FilterChainProxy.java:313) - /home.html reached end of additional filter chain; proceeding with original chain
(HstsHeaderWriter.java:129) - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@682780f8
(ExceptionTranslationFilter.java:121) - Chain processed normally
(SecurityContextPersistenceFilter.java:119) - SecurityContextHolder now cleared, as request processing completed
(FilterChainProxy.java:328) - /login at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
(FilterChainProxy.java:328) - /login at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
(HttpSessionSecurityContextRepository.java:210) - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@d823b1ed: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d823b1ed: Principal: org.springframework.security.core.userdetails.User@677d9ddb: Username: bar@foo.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B2A4A0CE1260CE33BB9663E7C4F4D0A2; Granted Authorities: ROLE_ADMIN'
(FilterChainProxy.java:328) - /login at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
(FilterChainProxy.java:328) - /login at position 4 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', GET]
(AntPathRequestMatcher.java:176) - Checking match of request : '/login'; against '/logout'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', POST]
(AntPathRequestMatcher.java:156) - Request 'GET /login' doesn't match 'POST /logout'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', PUT]
(AntPathRequestMatcher.java:156) - Request 'GET /login' doesn't match 'PUT /logout'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', DELETE]
(AntPathRequestMatcher.java:156) - Request 'GET /login' doesn't match 'DELETE /logout'
(OrRequestMatcher.java:72) - No matches found
(FilterChainProxy.java:328) - /login at position 5 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
(AntPathRequestMatcher.java:156) - Request 'GET /login' doesn't match 'POST /login'
(FilterChainProxy.java:328) - /login at position 6 of 14 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
(HstsHeaderWriter.java:129) - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@682780f8
(SecurityContextPersistenceFilter.java:119) - SecurityContextHolder now cleared, as request processing completed
```

1 answer:

Answer 0 (score: 0)

You have not configured the application so that home.html is accessible to authenticated users. So you have to add something like this (I am only familiar with XML-based configuration):

```java
http.authorizeRequests().antMatchers("/home.html").fullyAuthenticated();
```

See also: https://www.baeldung.com/security-none-filters-none-access-permitAll and https://www.baeldung.com/spring-security-expressions