我的web应用程序使用spring安全性时出现问题,它有一个登录页面:
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<%@ taglib prefix = "form" uri = "http://www.springframework.org/tags/form"%>
<%@ page isELIgnored="false"%>
........
<link rel="stylesheet" type="text/css" href="https://cdn.usebootstrap.com/bootstrap/4.4.1/css/bootstrap.min.css">
<link rel="stylesheet" type="text/css" href="resource/css/css-font-awesome.css">
<link rel="stylesheet" type="text/css" href="resource/css/css-util.css">
<link rel="stylesheet" type="text/css" href="resource/css/css-fonts.css">
<link rel="stylesheet" type="text/css" href="resource/css/css-custom.css">
<!--===============================================================================================-->
<meta name="robots" content="noindex, follow">
</head>
<body>
<c:if test="${not empty error}">
<div style="color: #ff0000;">Errore nel login controllare username / password</div>
</c:if>
<div class="container">
<div class="row">
<div class="form_login">
<form action="<c:url value="/performlogin"/>" method="post">
<div class="text-center"><img class="img-fluid" src="resource/images/images-logo-softpulizie.png"></div>
<hr>
<br>
<div class="form-group">
<input class="form-control" placeholder="Username" name="username" class="input form-control" id="userid" type="text">
</div>
<div class="form-group">
<input class="form-control" placeholder="Password" name="password" class="input form-control" id="pwd" type="password">
</div>
<div class="row">
<div class="col-8">
<span class="pt-2">Hai dimenticato la password?<br>
<a href="SOFTPULIZIE.html">Clicca qui</a></span>
</div>
<div class="col-4 align-right">
<button type="submit" class="btn btn-primary" id="login">Login</button>
</div>
</div>
</form>
</div>
</div>
</div>
<!--===============================================================================================-->
<script src="resource/js/3.2.1-jquery.min.js"></script>
<script src="resource/js/js-bootstrap.min.js"></script>
</body>
</html>
我的配置类允许加载url并转发到登录页面是:
@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private DataSource dataSource;
@Autowired
public void configAuthentication(AuthenticationManagerBuilder authBuilder) throws Exception {
authBuilder
.jdbcAuthentication()
.dataSource(dataSource)
.usersByUsernameQuery("SELECT username, password, enabled FROM Utenti WHERE username = ?")
.authoritiesByUsernameQuery("SELECT username, role FROM Utenti WHERE username = ?");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.authorizeRequests().anyRequest().hasAnyRole("USER","ADMIN")
.and()
.authorizeRequests().antMatchers("/login**").permitAll()
.and()
.authorizeRequests().antMatchers("/resource**").permitAll()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/performlogin")
.usernameParameter("username")
.passwordParameter("password")
.defaultSuccessUrl("/home", true)
.failureUrl("/login?error=true")
.permitAll()
.and()
.logout()
.logoutUrl("/perform_logout")
.deleteCookies("JSESSIONID")
.permitAll();
}
}
但是当加载登录页面时,它并没有加载所有的css、javascript和图像。对于登录后显示的其他页面,资源被正确加载。这些资源都放在我的maven项目的src/main/java下的resources文件夹下。
可能是什么问题?
感谢
我解决了这样更改授权的问题:
@Override
protected void configure(HttpSecurity http) throws Exception {
String[] staticResources = {
"/css/**",
"/scripts/**",
"/resource/images/images-logo-softpulizie.png"
};
http.csrf()
.disable()
.authorizeRequests()
.antMatchers(staticResources).permitAll()
.antMatchers("/login**").permitAll()
.antMatchers("/performlogin")
.hasAnyRole("USER", "ADMIN")
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/performlogin")
.usernameParameter("username")
.passwordParameter("password")
.defaultSuccessUrl("/home", true)
.failureUrl("/login?error=true")
.permitAll()
.and()
.logout()
.logoutUrl("/perform_logout")
.deleteCookies("JSESSIONID")
.permitAll();
}
尝试删除多个.authorizeRequests()...and()并压缩为:
.authorizeRequests(authorize -> authorize
.antMatchers("/login**", "/resource**").permitAll()
.anyRequest().hasAnyRole("USER","ADMIN")
}
...
秩序很重要。此外,您不希望多次调用.authorizeRequests()。
您可以在这里阅读更多关于实现这一点的最新方法(通过.authorizeHttpRequests(),它使用5.5中的新AuthorizationFilter(:使用AuthorizationFilter授权HttpServlet请求。
如果这不起作用,请随时更新问题,我们可以看看是否发生了其他事情。