stackoom
  简体   繁体   中英

Spring-security /login redirecting

 原文  2015-04-16 16:46:24       java/ spring/ security/ spring-mvc/ spring-security

Question

pals. I'm using Spring-web, -mvc etc. version 4.1.x and spring-secure version 4.0.0 and I have strange issue.

I have LoginController.java with @RequestMapping("/login") returning "login", mapping to login.jsp. Also I have security-config.xml file with next settings 

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="John" authorities="admin"
                           password="letmein" />
            <security:user name="Zog" authorities="admin"
                           password="iamzog" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

<security:http use-expressions="true">
    <security:csrf disabled="true"></security:csrf>
    <security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
    <security:intercept-url pattern="/docreate" access="isAuthenticated()" />
    <security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
    <security:intercept-url pattern="/" access="permitAll" />
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/static/**" access="permitAll" />
    <security:intercept-url pattern="/offers" access="permitAll" />
    <security:intercept-url pattern="/**" access="denyAll" />

    <security:form-login login-page="/login"
                         login-processing-url="/login"
                         username-parameter="username"
                         password-parameter="password"
                         default-target-url="/"
                         authentication-failure-url="/login?error=true"/>
</security:http>

When I try to open /login spring shows default login form and my LoginController's method isn't execute. But when I enter wrong data in this login form, spring redirects me to /login?error=true and LoginController catches this and redirect to my login.jsp. So, spring catches /login before my controller, but pass /login?error=true to controller and my custom login form isn't working correctly.

My web.xml file looks like this 

    <?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
          http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
           version="3.0">

    <description>MySQL Test App</description>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:spring-security-config.xml
            classpath:dao-context.xml
            classpath:service-context.xml
        </param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>




    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>offers</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>offers</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>


    <resource-ref>
        <description>DB Connection</description>
        <res-ref-name>jdbc/spring</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
    </resource-ref>

</web-app>

People from site with spring course asks same question, but the only answer were 'use spring-security 3.x.x'. I don't want to use 3x security, but want to understand where the magic of spring is broken. Thank you for advance.

1 answers

solution1
 1 ACCPTED  2015-04-16 17:09:32

This is a bug in Spring Security 4 and is logged as SEC-2919 . It will be fixed in Spring Security 4.0.1 which is due out next week.

Workarounds

Below are a few workarounds. You can remove the workaround once 4.0.1 is released (expected in about a week).

Use a Different URL

The easiest workaround is to use a URL other than "/login". For example, you can use "/authenticate". 

<http ...>
    <form-login login-page="/authenticate" ... />
</http>

Use a BeanPostProcessor

Alternatively, the following BeanDefinitionRegistryPostProcessor will fix the issue by removing the DefaultLoginPageGeneratingFilter . To use it simply ensure to register the BeanDefinitionRegistryPostProcessor as a Bean.

For example create a class that looks like the following: 

package sample;

import java.util.Iterator;
import java.util.List;

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.beans.factory.support.BeanDefinitionRegistry;
import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;

public class Sec2919PostProcessor implements BeanDefinitionRegistryPostProcessor {
    @Override
    public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry)
            throws BeansException {
        String[] beanDefinitionNames = registry.getBeanDefinitionNames();
        for(String name : beanDefinitionNames) {
            BeanDefinition beanDefinition = registry.getBeanDefinition(name);
            if(beanDefinition.getBeanClassName().equals(DefaultSecurityFilterChain.class.getName())) {
                List<Object> filters = (List<Object>) beanDefinition.getConstructorArgumentValues().getArgumentValue(1, List.class).getValue();
                Iterator<Object> iFilters = filters.iterator();
                while(iFilters.hasNext()) {
                    Object f = iFilters.next();
                    if(f instanceof BeanDefinition) {
                        BeanDefinition bean = (BeanDefinition) f;
                        if(bean.getBeanClassName().equals(DefaultLoginPageGeneratingFilter.class.getName())) {
                            iFilters.remove();
                        }
                    }
                }
            }
        }
    }

    @Override
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory)
            throws BeansException {
    }
}

Then add the bean definition: 

<bean class="sample.Sec2919PostProcessor"/>

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Trouble with login using Spring-Security and redirecting to required URL Facebook login with spring-security spring-security login?logout redirects to login How to disable spring-security login screen? Mapping of /login in spring-security not found Spring, Spring-security : Spring-security returning 302, even if login failed Spring-Security : Username is sent empty for login after upgrade to Spring-Security 4.1 BadCredentialsException is spring-security Profile into spring-security Spring-Security : Accessing secured resources using cookie returned at login
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM