[英]Spring Security user authentication not working
我正在尝试使用 spring 安全性实现身份验证。
我无法弄清楚我做错了什么。
web.xml 有一个安全过滤器:
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
spring-security.xml 具有定义的 url 拦截和身份验证管理器:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/logout**" access="permitAll" />
<!-- Incoming Product -->
<intercept-url pattern="/incomingProduct**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<!-- Maintanence pages -->
<intercept-url pattern="/depotUser**" access="hasRole('Administrator') and hasRole('Local_Administrator')" />
<intercept-url pattern="/product**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<intercept-url pattern="/productOwner**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<intercept-url pattern="/storageTank**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<intercept-url pattern="/admin**" access="hasRole('Administrator')" />
<!-- access denied page -->
<access-denied-handler error-page="/error/403" />
<form-login
login-page="/"
default-target-url="/"
authentication-failure-url="/Access_Denied"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/logout" />
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider user-service-ref="userSecurityService" />
</authentication-manager>
<beans:bean id="userSecurityService" class="com.tms.securityServices.UserSecurityService" >
<beans:property name="depotUserDao" ref="depotUserDao" />
</beans:bean>
</beans:beans>
UserSecurityService 实现了 UserDetailsService。 根据 spring-security.xml 中的配置,应该调用它来验证登录请求并将用户注入会话。 (如果我错了,请纠正我!)
@Transactional
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
{
DepotUser user = depotUserDao.findByUserName(username);
System.out.println("User : " + user);
if (user == null)
{
System.out.println("User not found");
throw new UsernameNotFoundException("Username not found");
}
return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), user.isActive(), true, true, true,
getGrantedAuthorities(user));
}
private List<GrantedAuthority> getGrantedAuthorities(DepotUser user)
{
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
for (DepotUserRole userProfile : user.getUserRole())
{
System.out.println("UserProfile : " + userProfile);
authorities.add(new SimpleGrantedAuthority("ROLE_" + userProfile.getRole()));
}
System.out.print("authorities :" + authorities);
return authorities;
}
处理请求的登录控制器:
@RequestMapping(value = { "/loginRequest" }, method = RequestMethod.POST)
public String loginRequest(@RequestParam String username, @RequestParam String password, HttpServletRequest request, HttpServletResponse response)
{
DepotUser user = depotUserManager.getUserByUsernamePassword(username, password);
if (user != null)
{
request.setAttribute("firstName", user.getFirstName());
request.setAttribute("lastName", user.getLastName());
request.setAttribute("username", user.getUsername());
request.setAttribute("userRoles", user.getUserRole());
return "homePage";
}
发生的情况是,当我登录时,用户使用匿名 User 登录。
由于我没有到达 UserSecurityService 中的断点,因此不会触发身份验证。 也不在处理请求的弹簧控制器中。
谁能帮我吗?
任何帮助表示赞赏。
谢谢,
有不止一个细节看起来不对
在配置中,在登录部分:
<form-login
login-page="/"
default-target-url="/"
authentication-failure-url="/Access_Denied"
username-parameter="username"
password-parameter="password" />
通过指定login-page="/"
,这意味着用于执行身份验证的带有表单数据的 POST 请求必须发送到"/"
url,但是您尝试在控制器中的"/loginRequest"
处处理身份验证。
其次,处理身份验证不是您必须在控制器中自己管理的事情,spring security 会自动为您处理,只需将表单 POST 到配置中指定的 url。
更新:
至于登录表单,您应该确保以下事项:
login-page
参数匹配,在本例中为"/"
"username"
中的username-parameter
匹配password-parameter
匹配,在您的情况下为"password"
。 您还应该删除modelAttribute="loginUser"
您的登录表单是什么样的? 你有
(百里香叶)
<form th:action="@{/j_spring_security_check}" method="post">
(jsp)
<form action="<c:url value='j_spring_security_check' />" method='POST'>
其中之一? 你能展示你的观点吗?
@JacekWcislo,@saljuama 我有一个login-page="/"
因为我的默认登录页面是登录页面。 我添加作为答案,因为我想显示更新的代码。
在阅读了提供的建议和链接后,我更新了我的安全 xml,如下所示:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/logout**" access="permitAll" />
<!-- Incoming Product -->
<intercept-url pattern="/incomingProduct**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<!-- Maintanence pages -->
<intercept-url pattern="/depotUser**" access="hasRole('Administrator') and hasRole('Local_Administrator')" />
<intercept-url pattern="/product**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<intercept-url pattern="/productOwner**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<intercept-url pattern="/storageTank**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<intercept-url pattern="/admin**" access="hasRole('Administrator')" />
<!-- access denied page -->
<access-denied-handler error-page="/error/403" />
<form-login
login-page="/"
default-target-url="/homePage"
authentication-failure-url="/loginPage?invalidLogin=Yes"
username-parameter="username"
password-parameter="password"
/>
<logout logout-success-url="/logout" />
<!-- enable csrf protection -->
<csrf />
<custom-filter before="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
</http>
<beans:bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="authenticationEntryPoint" class= "org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg value="/j_spring_security_check"/>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userSecurityService" />
</authentication-manager>
<beans:bean id="userSecurityService" class="com.tms.securityServices.UserSecurityService" >
<beans:property name="depotUserDao" ref="depotUserDao" />
</beans:bean>
</beans:beans>
我的任何登录jsp是
<form id="loginForm" method="post" modelAttribute="loginUser" action="<c:url value='j_spring_security_check' />">
它给了我一个 404 错误。 我想我将不得不映射 spring 安全 url 。
我有它在我的
身份验证入口点
还有其他地方我必须映射吗?
我能够通过添加适当的过滤器、入口点和处理程序来解决这个问题。
代码 :
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
<!-- Dashboard & resources -->
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/loginRequest**" access="permitAll" />
<intercept-url pattern="/logout**" access="permitAll" />
<intercept-url pattern="/dashboard**" access="permitAll" />
<intercept-url pattern="/**/resources**" access="permitAll" />
<!-- Incoming Product -->
<intercept-url pattern="/incomingProduct**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<!-- Maintanence pages -->
<intercept-url pattern="/depotUser**" access="hasRole('Administrator') and hasRole('Local_Administrator')" />
<intercept-url pattern="/product**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<intercept-url pattern="/productOwner**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<intercept-url pattern="/storageTank**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<intercept-url pattern="/admin**" access="hasRole('Administrator')" />
<!-- access denied page -->
<access-denied-handler error-page="/error/403" />
<form-login
login-page="/"
login-processing-url="/loginRequest"
default-target-url="/dashboard/home"
authentication-failure-url="/loginPage?invalidLogin=Yes"
username-parameter="username"
password-parameter="password"
/>
<logout logout-success-url="/logout" />
<!-- enable csrf protection -->
<csrf />
<custom-filter before="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
</http>
<beans:bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
</beans:bean>
<beans:bean id="authenticationEntryPoint" class= "org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg value="/loginRequest"/>
</beans:bean>
<beans:bean id="authenticationSuccessHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/dashboard/home" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userSecurityService" />
</authentication-manager>
在 Spring security 中,如果要使用 method = RequestMethod.POST,则必须禁用 csrf <csrf disabled="true"/>
。 因为数据将被编码。 例子:
<http auto-config="true">
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<form-login login-page="/login"
login-processing-url="/j_spring_security_login"
default-target-url="/process-after-login" authentication-failure-url="/login?error"
username-parameter="email" password-parameter="password" />
<logout logout-url="/j_spring_security_logout"
logout-success-url="/logout" delete-cookies="JSESSIONID" />
<csrf disabled="true"/>
</http>
<authentication-manager>
<authentication-provider user-service-ref="clientService">
<password-encoder hash="bcrypt" />
</authentication-provider>
</authentication-manager>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.