我的Spring Security xwl配置不正确,我想帮助弄清楚它是什么。打开网站后,可以按预期访问页面/。尝试访问像/user/重定向到/login,正如预期的那样。但是,不正确的登录信息允许成功,并且用户被定向到/user/files 的页面内容。奇怪的是网址仍然是/login。此外,任何尝试转到另一个/user/* 页面都会导致重定向到登录页面。
但是,是的,我无法弄清楚我一生的问题,任何帮助都值得赞赏。我将包括我的 Web 应用程序的所有相关部分,以防它不是我的 spring-security.xml 文件。
这是我网站的相关部分.xml:
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security.xml
/WEB-INF/spring-servlet.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/user/*</url-pattern>
</filter-mapping>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
还有我的弹簧安全.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<bean id="authenticator" class="com.company.web.security.CompanyUserDetailsService" />
<security:global-method-security secured-annotations="enabled" />
<security:http auto-config="true">
<security:intercept-url pattern="/user/*" access="ROLE_USER"/>
<security:access-denied-handler error-page="/error/403"/>
<security:form-login login-page="/login"
authentication-failure-url="/login?error"
default-target-url="/user/files"
always-use-default-target='false'/>
<security:logout logout-success-url="/login?logout" invalidate-session="true"/>
<security:session-management>
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
</security:session-management>
<security:remember-me />
</security:http>
<security:authentication-manager>
<security:authentication-provider user-service-ref="authenticator" />
</security:authentication-manager>
</beans>
如您所知,我编写了一个用户详细信息服务,用于查询数据库并返回一个 User 对象。
public class CompanyUserDetailsService implements UserDetailsService {
private TitanController titan = TitanController.getInstance();
@Override
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException{
return new CompanyUserDetails(this.titan.getUserFromEmail(username));
}
}
以下是返回用户的 DAO 逻辑:
UserDetails userDetails;
Collection<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>();
if (dbUser != null){
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
userDetails = new User(dbUser.getEmail(), dbUser.getPassword(), authorities);
} else {
userDetails = new User(null, null, authorities);
}
return userDetails;
登录页面控制器非常简单:
@Controller
@RequestMapping(value="/login")
public class LoginController {
TitanController titan = TitanController.getInstance();
@RequestMapping(method=RequestMethod.GET)
public String getLogin(Model model) {
return "login";
}
@RequestMapping(method=RequestMethod.POST)
public String postLogin(){
return "files";
}
}
最后,这是登录名.jsp
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org"
th:include="components/layout :: loggedout">
<div th:fragment="content">
<div class="col-lg-4 col-md-4 col-sm-3 col-xs-2"></div>
<div class="col-lg-4 col-md-4 col-sm-6 col-xs-8">
<form name="f" th:action="@{/login}" method="post">
<fieldset>
<legend>
<h2 class="form-signin-heading">log in</h2>
</legend>
<div th:if="${param.error}" class="alert alert-error text-center">
Invalid username or password.
</div>
<div th:if="${param.logout}" class="alert alert-success text-center">
You have been logged out.
</div>
<label for="username" class="sr-only">email address</label>
<input name="username" type="email" class="form-control" placeholder="email address" required="true" autofocus="true" />
<label for="password" class="sr-only">password</label>
<input name="password" type="password" class="form-control" placeholder="password" required="true" />
<div class="checkbox">
<label>
<input type="checkbox" value="remember-me"> remember me </input>
</label>
</div>
<div class="form-actions">
<button class="btn btn-lg btn-primary btn-block">log in</button>
</div>
</fieldset>
</form>
</div>
<div class="col-lg-4 col-md-4 col-sm-3 col-xs-2"></div>
</div>
</html>
任何帮助将不胜感激,如果您有任何问题,请询问。
幸运的是,评论指出了正确的方向 - 这实际上同时是两个不同的问题。
发布操作由我的登录控制器处理,而不是 Spring 安全性。所以,我删除了发布方法。此外,帖子没有被正确调用或传递正确的参数 - 所以我将操作更改为 th:action="@{/j_spring_security_check}",并将输入更改为 j_username 和 j_password。谢谢@PatrickLC和@M.Deinum。