Spring security. unbelievable behavior
I have a very strange Spring Security behaviour.
Security configuration:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http use-expressions="true">
        <intercept-url pattern="/home.jsp" access="permitAll" />
        <intercept-url pattern="/*" access="isAuthenticated()" />
        <form-login login-page="/"
            authentication-failure-url="/loginFailed" default-target-url="/index" />
        <logout logout-success-url="/logOut" />
    </http>

    <authentication-manager>
        <authentication-provider ref="provider" />
    </authentication-manager>
</beans:beans>
Controller:
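import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.mvc.support.RedirectAttributes;

@Controller
public class HomeController {

    // default-target-url of <form-login>
    @RequestMapping("/index")
    public String success(Model model) {
        System.out.println("/index");
        return "index";
    }

    // authentication-failure-url of <form-login>
    @RequestMapping(value = "/loginFailed", method = RequestMethod.GET)
    public String loginError(Model model, RedirectAttributes redirectAttributes) throws Exception {
        redirectAttributes.addAttribute("message", "incorrect combination of login and password");
        System.out.println("/loginFailed");
        return "redirect:home.jsp";
    }

    // logout-success-url of <logout>
    @RequestMapping(value = "/logOut", method = RequestMethod.GET)
    public String logOut(Model model, RedirectAttributes redirectAttributes) throws Exception {
        redirectAttributes.addAttribute("message", "success logout");
        System.out.println("/logOut");
        return "redirect:home.jsp";
    }

    // ...
}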
If at the URL http://localhost:8080/ui/ (root application URL) I type:

First activity:

1. Input correct password --> http://localhost:8080/ui/index, in the log I see /index, isAuthenticated() == true
2. Press logOut --> http://localhost:8080/ui/ and the log is empty, isAuthenticated() == false
3. Input correct password --> http://localhost:8080/ui/home.jsp?message=success+logout and I see /logOut in the console, isAuthenticated() == true
4. Press logOut --> go to http://localhost:8080/ui/ and the log is empty, isAuthenticated() == false
5. Input correct password --> go to http://localhost:8080/ui/ and the log is empty, isAuthenticated() == false
I don't understand the rules by which Spring Security selects which controller to use.
I think Spring invokes the right servlets but uses the wrong URLs.
What I noticed is that you probably forgot to add the following configuration:
<intercept-url pattern="/loginFailed" access="permitAll" />
<intercept-url pattern="/" access="permitAll" />
Or at least all pages which are related to login/error pages should usually be exempted from authentication.
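
The following check is an added example, not code from the question or the answer: it walks an ordered intercept-url list the way first-match-wins evaluation does and reports which of the URLs an unauthenticated browser is sent to are still decided by an authenticated rule. The class InterceptUrlAudit, its simplified pattern matcher, and the placement of the answer's two entries above "/*" are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration (hypothetical class, not from the post): first-match audit of intercept-url rules.
public class InterceptUrlAudit {

    // Simplified Ant-style matching (assumption, not Spring's own matcher):
    // "**" may cross '/' boundaries, a single "*" stays inside one path segment.
    static boolean matches(String antPattern, String path) {
        StringBuilder regex = new StringBuilder();
        for (int i = 0; i < antPattern.length(); i++) {
            char c = antPattern.charAt(i);
            if (c != '*') { regex.append(Pattern.quote(String.valueOf(c))); continue; }
            boolean doubleStar = i + 1 < antPattern.length() && antPattern.charAt(i + 1) == '*';
            regex.append(doubleStar ? ".*" : "[^/]*");
            if (doubleStar) i++;
        }
        return Pattern.matches(regex.toString(), path);
    }

    // Rules are {pattern, access} pairs in document order; the first matching pattern decides.
    static String accessFor(List<String[]> rules, String path) {
        for (String[] rule : rules) if (matches(rule[0], path)) return rule[1];
        return null; // no intercept-url entry applies
    }

    // Paths an unauthenticated browser is sent to, but whose deciding rule is not permitAll.
    static List<String> blockedForAnonymous(List<String[]> rules, List<String> paths) {
        List<String> blocked = new ArrayList<>();
        for (String path : paths) {
            String access = accessFor(rules, path);
            if (access != null && !access.equals("permitAll")) blocked.add(path + " -> " + access);
        }
        return blocked;
    }

    public static void main(String[] args) {
        List<String[]> original = Arrays.asList(
            new String[] {"/home.jsp", "permitAll"}, new String[] {"/*", "isAuthenticated()"});
        // Assumption: the answer's two entries are placed above the catch-all "/*".
        List<String[]> withAnswer = Arrays.asList(
            new String[] {"/home.jsp", "permitAll"}, new String[] {"/loginFailed", "permitAll"},
            new String[] {"/", "permitAll"}, new String[] {"/*", "isAuthenticated()"});
        // login-page, authentication-failure-url, logout-success-url and the redirect target from the question.
        List<String> anonymousPaths = Arrays.asList("/", "/loginFailed", "/logOut", "/home.jsp");
        System.out.println("original:    " + blockedForAnonymous(original, anonymousPaths));
        System.out.println("with answer: " + blockedForAnonymous(withAnswer, anonymousPaths));
    }
}
```

Because the first matching pattern decides, permitAll entries only take effect when they appear above the catch-all "/*" entry.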
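Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you republish, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.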