Spring Security with XML configuration does not authenticate user
I have a website section (everything under /secure URL) that I'm trying to secure with Spring Security 3.2.5. I'm using the following XML configuration:
    <http use-expressions="true">
        <intercept-url pattern="/secure/login" access="permitAll" />
        <intercept-url pattern="/secure/**" access="isAuthenticated()" />
        <form-login default-target-url="/secure/home" always-use-default-target="true" login-page="/secure/login" />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="password" authorities="ROLE_SECURE" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
I'm trying to use a custom login form for which I have this controller:
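    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;

    @Controller
    @RequestMapping(value = "/secure")
    public class LoginController {

        // Renders the custom login page (GET /secure/login).
        @RequestMapping(value = "/login", method = RequestMethod.GET)
        public String getLogin() {
            return "secure/login";
        }

        // Renders the protected home page (GET /secure/home).
        @RequestMapping(value = "/home", method = RequestMethod.GET)
        public String getHome() {
            return "secure/home";
        }
    }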
and this code inside the login page:
    <form method="POST" action="<c:url value="/secure/login" />">
        username: <input type="text" name="username" /><br/>
        password: <input type="password" name="password" /><br/>
        <input type="submit" value="Login" />
    </form>
I have the security context loaded in the web.xml using ContextLoaderListener and the springSecurityFilterChain delegating proxy filter is also set up.
When I try to access the /secure URL I get redirected to /secure/login, my controller is called in the getLogin method and I see my login page. That's all OK.
Now my problem: whatever I submit in the login form gets sent directly to the LoginController and I get an exception saying that POST is not a supported method, which makes sense because there is no POST handler in the controller.
If I add a method like this in the controller:
    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String postLogin() {
        return "redirect:/secure/home";
    }
I no longer get the error but my postLogin method is invoked, which sends me to /secure/home unauthenticated, which then redirects me to /secure/login and I'm back to square one.
I don't know what I'm doing wrong. All examples I see online are Java configured, which I prefer not to use, and all workflows happen in the context of the application, not under some extra URL path (in my case /secure).
What am I missing?
From the docs (http://docs.spring.io/spring-security/site/docs/3.0.x/reference/appendix-namespace.html):
default-target-url:
Maps to the defaultTargetUrl property of UsernamePasswordAuthenticationFilter. If not set, the default value is "/" (the application root). A user will be taken to this URL after logging in, provided they were not asked to login while attempting to access a secured resource, when they will be taken to the originally requested URL.
You have to submit the form to j_spring_security_check
    <form name='loginForm'
          action="<c:url value='j_spring_security_check' />" method='POST'>
This will be handled by Spring Security and will check the user and pass depending on your config. See this example: http://www.mkyong.com/spring-security/spring-security-form-login-example/
Edit: j_security_check should also be supported.
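An added example, not taken from the question or the answers: one way to keep the whole login flow under /secure with the XML namespace is to point login-processing-url at a path below it and map the parameter names to the form's existing fields. The URL /secure/authenticate is a hypothetical name chosen for this sketch; everything else is the configuration from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. /secure/authenticate is a hypothetical URL chosen for this sketch. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <http use-expressions="true">
        <intercept-url pattern="/secure/login" access="permitAll" />
        <intercept-url pattern="/secure/**" access="isAuthenticated()" />
        <!--
          login-page:           GET, rendered by LoginController.getLogin().
          login-processing-url: POST target, handled by UsernamePasswordAuthenticationFilter
                                in the security filter chain, so no controller method is
                                needed. A URL distinct from login-page keeps the page
                                request and the credential submission separate.
          username-parameter,
          password-parameter:   match the field names the login form already uses
                                (the 3.2 defaults are j_username and j_password).
        -->
        <form-login login-page="/secure/login"
                    login-processing-url="/secure/authenticate"
                    username-parameter="username"
                    password-parameter="password"
                    authentication-failure-url="/secure/login?error"
                    default-target-url="/secure/home"
                    always-use-default-target="true" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="password" authorities="ROLE_SECURE" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

<!-- login.jsp: only the action changes; it must equal login-processing-url. -->
<form method="POST" action="<c:url value='/secure/authenticate' />">
    username: <input type="text" name="username" /><br/>
    password: <input type="password" name="password" /><br/>
    <input type="submit" value="Login" />
</form>
```

With this mapping the postLogin handler from the question is no longer needed, because the filter authenticates the POST and then redirects to default-target-url.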
This article helped me get the right result: http://codehustler.org/blog/spring-security-tutorial-form-login/