小贝子编程

Spring 安全性用户详细信息未调用服务



我正在使用迁移指南从 Spring Security 3.2.5 升级到 4.0.4。

我的UserDetailsService如下所示:

package com.me.security;
import org.springframework.security.core.userdetails.UserDetailsService;
public class Users implements UserDetailsService {
    public Users() {
        System.err.println("USERS CONSTRUCTOR");
    }
    @Override
    public UserDetail loadUserByUsername(String name) {
        System.err.println("LOAD BY USER NAME " + name);
        throw new UsernameNotFoundException("User not found.");
    }
}

我的WEB-INF/applicationContext.xml是这样的:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.0.xsd">
    <security:http disable-url-rewriting="true" use-expressions="false">
        <security:intercept-url pattern="/auth/**" access="ROLE_ANONYMOUS"/>
        <security:intercept-url pattern="/dashboard/**" access="ROLE_ADMIN,ROLE_USER"/>
        <!-- ...more intercept-urls... -->
        <security:access-denied-handler error-page="/pages/general/403.xhtml"/>
        <security:form-login login-page="/auth/login.html"
            username-parameter="j_username"
            password-parameter="j_password"
            login-processing-url="/j_spring_security_check"
            default-target-url="/dashboard/"
            authentication-failure-url="/auth/error.html"/>
        <security:logout logout-success-url="/auth/login.html"
            logout-url="/auth/login.html"
            delete-cookies="JSESSIONID"
            invalidate-session="true" />
        <security:session-management invalid-session-url="/auth/login.html"/>
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider user-service-ref='userDetailsService'/>
    </security:authentication-manager>
    <bean id="userDetailsService" class="com.me.security.Users"/>
</beans>

当我尝试登录时,我的代码没有被调用。我确实在服务器日志中看到来自 Users 构造函数的消息,但没有看到来自其 loadUserByUsername 方法的消息。

相反,无论我输入什么用户名和密码,我都会进入我的 403 错误页面。

(也许我已经看了太久了...

为什么 Spring 不调用我的 UserDetailsService,我需要什么才能让它工作?

听起来是csrf过滤器。在 Spring 安全性 4.x 中,默认情况下它处于激活状态:从 Spring 安全性 3.x 迁移到 4.x。如果您一直获得HTTP 403,这可能是问题。

尝试在 security:http 元素中禁用此设置:

<csrf disabled="true"/>

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium