I'm new to Spring Security.
This is my Spring-security-Context.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http auto-config="true" path-type="ant">
        <form-login login-page="/jack/login" authentication-failure-url="/jack/login" default-target-url="/jack/home" />
        <intercept-url pattern="/themes/**" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/js/**" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/jack/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/jack/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/jack/**/*.png" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/jack/**/*.jpg" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/jack/upload-users" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/jack/login" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/jack/logincheck" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/jack/logout" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />
        <intercept-url pattern="/jack/sessionExpire" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/jack/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:logout logout-url="/jack/logout"
            logout-success-url="/jack/login" invalidate-session="true" />
        <session-management invalid-session-url="/jack/logout">
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/jack/logout" />
        </session-management>
        <security:custom-filter ref="expiredSessionFilter" after="REMEMBER_ME_FILTER" />
    </http>

    <beans:bean id="expiredSessionFilter" class="com.jack.web.filter.ExpiredSessionFilter">
    </beans:bean>

    <!-- Authentication providers -->
    <beans:bean id="customAuthenticationProvider" class="com.jack.security.provider.CustomAuthenticationProvider">
        <!-- <security:custom-authentication-provider /> -->
        <!-- <beans:property name="userDetailsService" ref="userDetailsService"/> -->
    </beans:bean>

    <authentication-manager>
        <authentication-provider ref="customAuthenticationProvider" />
    </authentication-manager>
</beans:beans>
Case 1: In web.xml, jack is the Spring context name. In security-context.xml, jack is the pattern, like /jack/login. When I request a URL like
localhost:8080/project/jack/login
Spring Security works very well.
Case 2: In web.xml, xxx is the Spring context name. In security-context.xml, jack is the pattern, like /jack/login; I did not change anything in security-context.xml. When I request
localhost:8080/project/xxx/login
Spring Security allows the user to enter my application.
After logout, if the user copy-pastes the home page URL, Spring Security does not redirect the user to the login page.
How can I redirect the user to the Spring login page, or is there any other option I have?
Try using project in the intercept-url pattern, and instead of jack use ** there, followed by the rest of the URL you want to restrict.
E.g. instead of /jack/upload-users use /project/**/upload-users.
Also note that IS_AUTHENTICATED_ANONYMOUSLY is used to allow access to a user even if they are not authenticated in the application.
Hope this helps you. Cheers.
Currently you are by default allowing access to all URLs by using
`<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />`
So you need to blacklist every URL you want to protect. Spring Security checks the patterns in the order listed in the configuration. The first matching pattern is applied without any further checking. So if no other pattern matches, pattern="/**" will be applied, granting anyone access.
Better practice would be to deny access by default. This means setting the access for pattern="/**" to the most permissive role you have, or at least requiring authentication (for example using access="isAuthenticated()"). This way you are using a whitelist approach and don't have to worry too much about missing URL patterns.
Update
To comment on the logout problem: you redirect to a custom logout-url. What is behind that URL? The Spring Security logout routine is called via /j_spring_security_logout, which is the default if you don't set a logout-url; otherwise you should call /j_spring_security_logout in your custom logout routine.
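The two answers above describe the mechanics: Spring Security evaluates intercept-url rules top to bottom, the first matching pattern wins, and a trailing /** with IS_AUTHENTICATED_ANONYMOUSLY therefore admits any URL outside /jack/ (such as /xxx/home in case 2). As an added example that is not part of the question or either answer, the following Python script re-implements Ant-style path matching with first-match semantics (a simulation of how Spring's AntPathMatcher is applied to the rule list, not Spring's own code) and evaluates the asker's rule list next to a deny-by-default rewrite. The names QUESTION_RULES, HARDENED_RULES, ant_to_regex and decide, and the sample request paths, are constructed for this illustration.

```python
import re

# Convert an Ant-style pattern into an anchored regex. The semantics mirror
# Spring's AntPathMatcher: "**" spans path segments, "*" matches within one
# segment, "?" matches a single character, and a trailing "/**" also matches
# the bare prefix itself ("/jack/**" matches "/jack").
def ant_to_regex(pattern: str) -> str:
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(?:/.*)?")          # trailing /** : zero or more segments
            i += 3
        elif pattern.startswith("**/", i):
            out.append("(?:[^/]+/)*")       # **/ in the middle: any number of segments
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")             # single-segment wildcard
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"


def decide(path: str, rules):
    """Return (pattern, access) of the FIRST rule matching path, as Spring does.
    Rules after the first match are never consulted."""
    for pattern, access in rules:
        if re.match(ant_to_regex(pattern), path):
            return pattern, access
    return None, None


# Rule order copied from the asker's security-context.xml (constructed list).
QUESTION_RULES = [
    ("/themes/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/js/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/jack/images/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/jack/resources/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/jack/**/*.png", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/jack/**/*.jpg", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/jack/upload-users", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/jack/login", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/jack/logincheck", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/jack/logout", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/jack/sessionExpire", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/jack/**", "IS_AUTHENTICATED_REMEMBERED"),
    ("/**", "IS_AUTHENTICATED_ANONYMOUSLY"),   # catch-all: anyone gets in
]

# Deny-by-default rewrite (constructed): explicit permits for static content and
# the login/logout endpoints, everything else requires authentication. The
# anonymous /jack/upload-users entry is deliberately dropped so that path falls
# under the authenticated catch-all.
HARDENED_RULES = [
    ("/themes/**", "permitAll"),
    ("/js/**", "permitAll"),
    ("/jack/images/**", "permitAll"),
    ("/jack/resources/**", "permitAll"),
    ("/jack/**/*.png", "permitAll"),
    ("/jack/**/*.jpg", "permitAll"),
    ("/jack/login", "permitAll"),
    ("/jack/logincheck", "permitAll"),
    ("/jack/logout", "permitAll"),
    ("/jack/sessionExpire", "permitAll"),
    ("/**", "isAuthenticated()"),   # catch-all now requires a non-anonymous user
]


if __name__ == "__main__":
    for path in ("/jack/home", "/xxx/home", "/jack/a/b/c.png", "/jack/upload-users"):
        print(f"{path:20} question config -> {decide(path, QUESTION_RULES)}")
        print(f"{path:20} hardened config -> {decide(path, HARDENED_RULES)}")
```

Running it shows /xxx/home resolved by the /** rule as anonymous under the asker's order and as isAuthenticated() under the hardened order; with the real configuration that corresponds to adding use-expressions="true" on the http element, replacing IS_AUTHENTICATED_ANONYMOUSLY with permitAll, and making the last rule pattern="/**" access="isAuthenticated()", after which an unauthenticated request to /xxx/home is sent to the login page instead of being served. Note also that the filters="none" entries in the original file bypass the Spring Security filter chain for those paths entirely, so their access attribute is never evaluated.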