堆栈内存溢出
  繁体   English   中英

Spring Security 用户身份验证不起作用

[英]Spring Security user authentication not working

 原文  2016-01-13 21:25:57       java/ spring/ spring-mvc/ authentication/ spring-security

问题描述

我正在尝试使用 spring 安全性实现身份验证。

我无法弄清楚我做错了什么。

web.xml 有一个安全过滤器:

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

spring-security.xml 具有定义的 url 拦截和身份验证管理器:

    <beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/logout**" access="permitAll" />

        <!-- Incoming Product -->
        <intercept-url pattern="/incomingProduct**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />

        <!-- Maintanence pages -->
        <intercept-url pattern="/depotUser**" access="hasRole('Administrator') and hasRole('Local_Administrator')" />
        <intercept-url pattern="/product**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
        <intercept-url pattern="/productOwner**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
        <intercept-url pattern="/storageTank**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />

        <intercept-url pattern="/admin**" access="hasRole('Administrator')" />

        <!-- access denied page -->
        <access-denied-handler error-page="/error/403" />
        <form-login 
            login-page="/" 
            default-target-url="/"
            authentication-failure-url="/Access_Denied" 
            username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/logout" />
        <!-- enable csrf protection -->
        <csrf />
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="userSecurityService" />
    </authentication-manager>

    <beans:bean id="userSecurityService" class="com.tms.securityServices.UserSecurityService" >
        <beans:property name="depotUserDao" ref="depotUserDao" />
    </beans:bean> 

</beans:beans>

UserSecurityService 实现了 UserDetailsS​​ervice。 根据 spring-security.xml 中的配置,应该调用它来验证登录请求并将用户注入会话。 (如果我错了,请纠正我!)

@Transactional
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
{
    DepotUser user = depotUserDao.findByUserName(username);
    System.out.println("User : " + user);
    if (user == null)
    {
        System.out.println("User not found");
        throw new UsernameNotFoundException("Username not found");
    }
    return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), user.isActive(), true, true, true,
            getGrantedAuthorities(user));
}

private List<GrantedAuthority> getGrantedAuthorities(DepotUser user)
{
    List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();

    for (DepotUserRole userProfile : user.getUserRole())
    {
        System.out.println("UserProfile : " + userProfile);
        authorities.add(new SimpleGrantedAuthority("ROLE_" + userProfile.getRole()));
    }

    System.out.print("authorities :" + authorities);
    return authorities;
}

处理请求的登录控制器:

    @RequestMapping(value = { "/loginRequest" }, method = RequestMethod.POST)
public String loginRequest(@RequestParam String username, @RequestParam String password, HttpServletRequest request, HttpServletResponse response)
        {
            DepotUser user = depotUserManager.getUserByUsernamePassword(username, password);

            if (user != null)
            {
                request.setAttribute("firstName", user.getFirstName());
                request.setAttribute("lastName", user.getLastName());
                request.setAttribute("username", user.getUsername());
                request.setAttribute("userRoles", user.getUserRole());
                return "homePage";
            }

发生的情况是,当我登录时,用户使用匿名 User 登录。

由于我没有到达 UserSecurityService 中的断点,因此不会触发身份验证。 也不在处理请求的弹簧控制器中。

谁能帮我吗?

任何帮助表示赞赏。

谢谢,

5 个解决方案

解决方案1
 1  2016-01-13 21:39:19

有不止一个细节看起来不对

在配置中,在登录部分:

<form-login 
        login-page="/" 
        default-target-url="/"
        authentication-failure-url="/Access_Denied" 
        username-parameter="username"
        password-parameter="password" />

通过指定login-page="/" ,这意味着用于执行身份验证的带有表单数据的 POST 请求必须发送到"/" url,但是您尝试在控制器中的"/loginRequest"处处理身份验证。

其次,处理身份验证不是您必须在控制器中自己管理的事情,spring security 会自动为您处理,只需将表单 POST 到配置中指定的 url。

更新

至于登录表单,您应该确保以下事项:

  • 表单操作 url 与配置中的login-page参数匹配,在本例中为"/"
  • 在您的情况下,用户名的输入字段名称属性应与配置"username"中的username-parameter匹配
  • 密码输入字段名称属性应与配置中的password-parameter匹配,在您的情况下为"password"

您还应该删除modelAttribute="loginUser"

解决方案2
 0  2016-01-13 22:49:30

您的登录表单是什么样的? 你有

(百里香叶)

<form th:action="@{/j_spring_security_check}" method="post">

(jsp)

<form action="<c:url value='j_spring_security_check' />" method='POST'>

其中之一? 你能展示你的观点吗?

解决方案3
 0  2016-01-14 17:36:56

@JacekWcislo,@saljuama 我有一个login-page="/"因为我的默认登录页面是登录页面。 我添加作为答案,因为我想显示更新的代码。

在阅读了提供的建议和链接后,我更新了我的安全 xml,如下所示:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/logout**" access="permitAll" />

        <!-- Incoming Product -->
        <intercept-url pattern="/incomingProduct**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />

        <!-- Maintanence pages -->
        <intercept-url pattern="/depotUser**" access="hasRole('Administrator') and hasRole('Local_Administrator')" />
        <intercept-url pattern="/product**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
        <intercept-url pattern="/productOwner**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
        <intercept-url pattern="/storageTank**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />

        <intercept-url pattern="/admin**" access="hasRole('Administrator')" />

        <!-- access denied page -->
        <access-denied-handler error-page="/error/403" />
        <form-login 
            login-page="/"
            default-target-url="/homePage"
            authentication-failure-url="/loginPage?invalidLogin=Yes" 
            username-parameter="username"
            password-parameter="password"  

            />
        <logout logout-success-url="/logout" />
        <!-- enable csrf protection -->
        <csrf />

        <custom-filter before="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
    </http>

    <beans:bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean> 

    <beans:bean id="authenticationEntryPoint" class= "org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:constructor-arg value="/j_spring_security_check"/>
    </beans:bean> 

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userSecurityService" />
    </authentication-manager>

    <beans:bean id="userSecurityService" class="com.tms.securityServices.UserSecurityService" >
        <beans:property name="depotUserDao" ref="depotUserDao" />
    </beans:bean> 

</beans:beans>

我的任何登录jsp是

<form id="loginForm" method="post" modelAttribute="loginUser" action="<c:url value='j_spring_security_check' />">

它给了我一个 404 错误。 我想我将不得不映射 spring 安全 url 。

我有它在我的

身份验证入口点

还有其他地方我必须映射吗?

解决方案4
 0  2016-01-18 20:47:12

我能够通过添加适当的过滤器、入口点和处理程序来解决这个问题。

代码 :

<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">

    <!-- Dashboard & resources -->
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/loginRequest**" access="permitAll" />
    <intercept-url pattern="/logout**" access="permitAll" />
    <intercept-url pattern="/dashboard**" access="permitAll" />
    <intercept-url pattern="/**/resources**" access="permitAll" />

    <!-- Incoming Product -->
    <intercept-url pattern="/incomingProduct**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />

    <!-- Maintanence pages -->
    <intercept-url pattern="/depotUser**" access="hasRole('Administrator') and hasRole('Local_Administrator')" />
    <intercept-url pattern="/product**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
    <intercept-url pattern="/productOwner**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
    <intercept-url pattern="/storageTank**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />

    <intercept-url pattern="/admin**" access="hasRole('Administrator')" />

    <!-- access denied page -->
    <access-denied-handler error-page="/error/403" />
    <form-login 
        login-page="/"
        login-processing-url="/loginRequest"
        default-target-url="/dashboard/home"
        authentication-failure-url="/loginPage?invalidLogin=Yes" 
        username-parameter="username"
        password-parameter="password"  
        />
    <logout logout-success-url="/logout" />
    <!-- enable csrf protection -->
    <csrf />

    <custom-filter before="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
</http>

<beans:bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
</beans:bean> 

<beans:bean id="authenticationEntryPoint" class= "org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg value="/loginRequest"/>
</beans:bean> 

<beans:bean id="authenticationSuccessHandler"
    class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/dashboard/home" />
</beans:bean>

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userSecurityService" />
</authentication-manager>

解决方案5
 -1  2020-07-03 02:31:54

在 Spring security 中,如果要使用 method = RequestMethod.POST,则必须禁用 csrf <csrf disabled="true"/> 因为数据将被编码。 例子:

<http auto-config="true">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    
    <form-login login-page="/login"
        login-processing-url="/j_spring_security_login"
        default-target-url="/process-after-login" authentication-failure-url="/login?error"
        username-parameter="email" password-parameter="password" />

    <logout logout-url="/j_spring_security_logout"
        logout-success-url="/logout" delete-cookies="JSESSIONID" />
    <csrf disabled="true"/>
</http>

<authentication-manager>
    <authentication-provider user-service-ref="clientService">
        <password-encoder hash="bcrypt" />
    </authentication-provider>
</authentication-manager>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring 用户安全认证 spring安全认证无效 如果其他用户已登录,则预身份验证不起作用 - Spring安全性 Spring 安全在 memory 身份验证不起作用 Spring Security自定义身份验证不起作用 SpringMVC Websockets使用Spring Security进行消息传递用户身份验证 Spring Security ProviderNotFoundException when user authentication failed 通过数据库与自定义用户进行Spring安全认证 Spring Security JDBC 认证登录用户错误 Spring Security ActiveDirectory 用户身份验证问题
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM