I have configured my Spring application to authenticate logins using the /authenticate URL, but every time I try to log in, the following error is thrown:
org.springframework.web.servlet.DispatcherServlet.noHandlerFound No mapping for POST /authenticate
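I'm confused because, as far as I know, loginProcessingUrl should let Spring handle authentication behind the scenes, without me having to provide the URL.
Here is my SecurityConfig class: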

    package com.eyanu.tournamentproject.config;

    import com.myProject.tournamentproject.service.UserService;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserService userService;

        @Bean
        public BCryptPasswordEncoder encoder() {
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(authenticationProvider());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/register**","/*.css", "/tournament**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .loginProcessingUrl("/authenticate")
                    .permitAll()
                    .and()
                .logout().permitAll();
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/resources/**", "/static/**", "/static/css/**", "/js/**", "/images/**","/vendor/**","/fonts/**").anyRequest();
        }

        @Bean
        public DaoAuthenticationProvider authenticationProvider() {
            DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
            authenticationProvider.setPasswordEncoder(encoder());
            authenticationProvider.setUserDetailsService(userService);
            return authenticationProvider;
        }
    }

and the form that attempts to submit the login credentials:

    <%@ page contentType="text/html;charset=UTF-8" language="java" %>
    <html>
    <head>
        <title>Login</title>
    </head>
    <body>
    <form:form action="${pageContext.request.contextPath}/authenticate" method="POST">
        <p>
            Username: <input type="text" name="username">
        </p>
        <p>
            Password: <input type="password" name="password">
        </p>
        <input type="submit" value="Log in">
    </form:form>
    </body>
    </html>

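As far as I can see, the problem is in this line of code:

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**", "/static/**", "/static/css/**", "/js/**", "/images/**","/vendor/**","/fonts/**").anyRequest();
    }

Remove .anyRequest()
Note: ignoring is a filter that completely bypasses Spring Security; it is equivalent to not using Spring Security at all.
So basically, requests to the URLs you set here in web.ignoring().antMatchers(URLs) will be ignored by Spring Security, which means these URLs will be vulnerable to CSRF, XSS, clickjacking, and so on. If you add .anyRequest(), then all requests will be ignored by Spring Security (including "/authorize"), which is why you get a 404.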
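
An added example, not part of the original question or answer: since ignored URLs skip Spring Security entirely, one alternative is to drop web.ignoring() and permit the static paths inside HttpSecurity, so both the static assets and /authenticate stay in the filter chain. The class and package names are hypothetical, and the sketch assumes the question's authentication beans (UserService, encoder, DaoAuthenticationProvider) are defined in another configuration class.

```java
package com.example.security; // hypothetical package name

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class StaticPermitAllSecurityConfig extends WebSecurityConfigurerAdapter {

    // Static asset patterns taken from the question's web.ignoring() call.
    private static final String[] STATIC_ASSETS = {
        "/resources/**", "/static/**", "/js/**", "/images/**", "/vendor/**", "/fonts/**"
    };

    // No configure(WebSecurity) override: nothing is removed from the filter
    // chain, so the login filter still sees POST /authenticate and the default
    // security response headers are still written for static assets.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Anonymous access is allowed, but the request still passes
                // through the Spring Security filters.
                .antMatchers(STATIC_ASSETS).permitAll()
                .antMatchers("/", "/register**", "/*.css", "/tournament**").permitAll()
                // Everything not listed above requires a logged-in user.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                // Handled by Spring Security's form login filter, so no
                // controller mapping for /authenticate is needed.
                .loginProcessingUrl("/authenticate")
                .permitAll()
                .and()
            .logout().permitAll();
    }
}
```

With this layout the only catch-all matcher is `.anyRequest().authenticated()` under `authorizeRequests()`, which restricts access rather than switching the filters off.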