具有XML配置的Spring Security无法验证用户

Question

I have a website section (everything under /secure URL) that I'm trying to secure with Spring Security 3.2.5. I'm using the following XML configuration:

<http use-expressions="true">
    <intercept-url pattern="/secure/login" access="permitAll" />
    <intercept-url pattern="/secure/**" access="isAuthenticated()" />
    <form-login default-target-url="/secure/home" always-use-default-target="true" login-page="/secure/login" />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user" password="password" authorities="ROLE_SECURE" />
        </user-service>
    </authentication-provider>
</authentication-manager>

I'm trying to use a custom login form for which I have this controller:

@Controller
@RequestMapping(value = "/secure")
public class LoginController {
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String getLogin() {
        return "secure/login";
    }

    @RequestMapping(value = "/home", method = RequestMethod.GET)
    public String getHome() {
        return "secure/home";
    }
}

and this code inside the login page:

<form method="POST" action="<c:url value="/secure/login" />">
    username: <input type="text" name="username" /><br/>
    password: <input type="password" name="password" /><br/>
    <input type="submit" value="Login" />
</form>

I have the security context loaded in the web.xml using ContextLoaderListener and the springSecurityFilterChain delegating proxy filter is also setup.

When I try to access the /secure URL I get redirected to /secure/login , my controller is called in the getLogin method and I see my login page. That's all OK.

Now my problem: whatever I submit in the login form gets sent directly to the LoginController and I get an exception saying that POST is not a supported method, which makes sense because there is no POST handler in the controller.

If I add a method like this in the controller:

@RequestMapping(value = "/login", method = RequestMethod.POST)
public String postLogin() {
    return "redirect:/secure/home";
}

I no longer get the error but my postLogin method is invoked wich sends me to /secure/home unauthenticated which then redirects me to /secure/login and I'm back to square one.

I don't know what I'm doing wrong. All examples I see online are Java configured which I prefer not to use and all workflows hapen in the context of the application not under some extra URL path (in my case /secure ).

What am I missing?

Answer 1

Form the docs( http://docs.spring.io/spring-security/site/docs/3.0.x/reference/appendix-namespace.html ):

default-target-url :

Maps to the defaultTargetUrl property of UsernamePasswordAuthenticationFilter. If not set, the default value is "/" (the application root). A user will be taken to this URL after logging in, provided they were not asked to login while attempting to access a secured resource, when they will be taken to the originally requested URL.

You have to submit the form to j_spring_security_check

<form name='loginForm'
          action="<c:url value='j_spring_security_check' />" method='POST'>

This will be handled by Spring Security and will check the user and pass depending on your config. See this example http://www.mkyong.com/spring-security/spring-security-form-login-example/

Edit: j_security_check should also be supported.

Answer 2

这篇文章帮助我获得了正确的结果： http : //codehustler.org/blog/spring-security-tutorial-form-login/