如何在Spring Security 4中禁用UsernamePasswordAuthenticationFilter
[英]How to disable the UsernamePasswordAuthenticationFilter in Spring Security 4
问题描述
I'm migrating a JSF application from Spring Security 3.2 to 4.0.1. 
我正在将JSF应用程序从Spring Security 3.2迁移到4.0.1。 This version changes many default urls, for example the default login url to /login . 此版本将许多默认URL更改,例如将默认登录URL更改为/login 。
The application has its own login page (using JSF AJAX) and it is still displayed when calling /login , but all POST-Requests to this URL (and so all AJAX-Requests from the Login-Page) are captured by the UsernamePasswordAuthenticationFilter and that is trying to process the authentication, causing the request to get redirected to the loginform again. 该应用程序具有自己的登录页面(使用JSF AJAX),并且在调用/login时仍会显示,但是对该URL的所有POST请求(以及来自Login-Page的所有AJAX请求)都由UsernamePasswordAuthenticationFilter捕获,并且正在尝试处理身份验证,导致请求再次重定向到loginform。
After looking at the code this url seems to be hard-coded: 在查看代码之后,该网址似乎是硬编码的:
public UsernamePasswordAuthenticationFilter() {
super(new AntPathRequestMatcher("/login", "POST"));
}
So I have to disable this filter completely, or better, avoid it's creation. 因此,我必须完全禁用此过滤器,或者更好的方法是避免创建它。 Can anybody point me how I can do it. 谁能指出我该怎么做。
Changing my login page to another url is working, but is not the nice solution. 将我的登录页面更改为另一个URL是可行的,但不是很好的解决方案。
EDIT: I have created a Bugticket in Spring Security for this: https://jira.spring.io/browse/SEC-2992 编辑:我为此在Spring Security中创建了一个Bugticket: https ://jira.spring.io/browse/SEC-2992
EDIT 2: I've found another workaround: If I set the login-processing-url for the form-login to something unused it is working, but seems to be very hacky. 编辑2:我发现了另一个解决方法:如果我将表单登录的login-processing-url设置为未使用的内容,则它可以正常工作,但是似乎很hacky。 There should be a way to disable it completely. 应该有一种方法可以完全禁用它。 Also it should be stated in the migration guide, I lost hours until I found this. 另外,应在《迁移指南》中说明,直到发现这一点,我才花费了数小时。
2 个解决方案
解决方案1
2 2015-05-21 03:27:54
I am going to assume that you are trying to upgrade to Spring Security 4.0.0 (the latest available version is 4.0.1). 我将假设您正在尝试升级到Spring Security 4.0.0(最新的可用版本是4.0.1)。
Spring Security 3.x used spring_security_login as the default login URL ( source : official documentation ). Spring Security 3.x使用spring_security_login作为默认登录URL( source : 官方文档 )。 This could be set to a custom value as <security:form-login login-page="/login"> and mapped to a controller to render a custom page. 可以将其设置为<security:form-login login-page="/login">的自定义值,并将其映射到控制器以呈现自定义页面。
Spring Security 4.x has abandoned spring_security_login and switched to login as the default login URL ( source : official Spring Security 4.x migration guide ). 春季安全4.x版已经放弃spring_security_login并切换到login为默认的登录URL( source : 官方的Spring Security 4.x的迁移指南 )。 Therefore, the URL login now goes to the default Spring Security infrastructure, that displays the default, auto-generated login page. 因此,URL login现在转到默认的Spring Security基础结构,该基础结构显示默认的自动生成的登录页面。
There was a bug in 4.0.0 due to which the default infrastructure was still getting used in cases where the URL /login was manually mapped to a custom controller method. 4.0.0中存在一个错误,由于该错误,在将URL /login手动映射到自定义控制器方法的情况下,仍使用默认基础结构。 This bug has been fixed in 4.0.1. 此错误已在4.0.1中修复。 Do try upgrading to Spring Security 4.0.1 to see if you can use /login as the login URL. 请尝试升级到Spring Security 4.0.1,以查看是否可以使用/login作为登录URL。
解决方案2
0 2015-05-20 16:24:19
看来您可以调用setFilterProcessesUrl(String) (或等效地, setRequiresAuthenticationRequestMatcher(RequestMatcher) )来覆盖/login的默认值。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.