Spring Security: authentication page permitAll seems to be ignored
Hello Stackoverflowers,
I have a problem with Spring Security. The login prompt that should appear before you can continue to the application does not appear, and I can reach my application without any authentication. I do not know why this happens. It is very important for me to know why the username and password are not requested.
I test my application with the RESTClient add-on for Firefox.
The relevant entries in web.xml look like this:
<!-- Security Configuration -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/</url-pattern>
</filter-mapping>

<!-- Spring Json Init -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
    <servlet-name>json</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>json</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>
My Spring Security configuration is:
<!-- Security Property Configuration -->
<security:http use-expressions="true">
    <security:http-basic/>
</security:http>

<security:authentication-manager>
    <security:authentication-provider ref="springUserService" />
</security:authentication-manager>
springUserService looks like this:
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

@Component
public class springUserService implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String name = authentication.getName();
        String password = authentication.getCredentials().toString();
        // No authorities are granted and the password is never verified here:
        // every name/password pair presented is returned as authenticated.
        List<GrantedAuthority> grantedAuths = new ArrayList<>();
        return new UsernamePasswordAuthenticationToken(name, password, grantedAuths);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only handles the token type produced by HTTP Basic and form login
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}
I would be very grateful for any hint or answer.

I think you need to add some intercept-url tags to your Spring Security configuration:
    <security:intercept-url pattern="/securedUrl" access="isAuthenticated()" />
    <security:intercept-url pattern="/login" access="permitAll" />
So change the code as follows:
<security:http use-expressions="true">
    <security:intercept-url pattern="/securedUrl" access="isAuthenticated()" />
    <security:intercept-url pattern="/login" access="permitAll" />
</security:http>
You can also use wildcards in the pattern attribute, or a custom access expression:
<intercept-url pattern="/url1/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')"/>
<intercept-url pattern="/url2/**" access="isAuthenticated()" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/**" access="permitAll" />
Try this:
<security:http auto-config="true" use-expressions="true" path-type="regex">
    <security:intercept-url pattern="/admin/.*" access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/.*" access="isAuthenticated()" />
</security:http>
Here is a more detailed example with explanations:
<http auto-config="true" use-expressions="true" path-type="regex">
    <!-- password-parameter: password field name in your form
         username-parameter: username field name in your form
         login-processing-url: where your login form should submit to; no need to map this to anything, Spring Security handles it
         login-page: where you'll be taken to when not logged in
         authentication-failure-url: if your login fails, security will redirect you with login_error set to t
         default-target-url: if you want to route people based on roles etc., you can map a controller to this URL
         always-use-default-target: this will send logged in users to your router URL -->
    <form-login
        password-parameter="password"
        username-parameter="username"
        login-processing-url="/security/j_spring_security_check"
        login-page="/login"
        authentication-failure-url="/login?login_error=t"
        default-target-url="/router"
        always-use-default-target="false"
    />
    <headers>
        <xss-protection/> <!-- inserts a header to prevent cross-site scripting -->
    </headers>
    <logout logout-url="/security/j_spring_security_logout" /> <!-- logout URL, no need to map it to anything, handled by Spring Security -->
    <intercept-url pattern="/admin/.*" access="hasRole('ROLE_ADMIN')" /> <!-- secure URLs by roles -->
    <intercept-url pattern="/register" access="permitAll"/> <!-- let new users register by allowing everyone access to the registration page -->
    <intercept-url pattern="/.*" access="isAuthenticated()" requires-channel="https" /> <!-- require users to be authenticated for the rest of the pages and require HTTPS (optional) for ALL URLs -->
</http>
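Putting the advice of both answers together, here is an added example (not code from either answer) of a configuration that fails closed: the rule list ends with a catch-all that requires authentication instead of permitAll, and the filter is mapped with the `/*` pattern used in Spring Security's own documentation rather than the exact path `/` from the question's web.xml. The `/resources/**` and `/admin/**` paths, the role name and the stateless session setting are assumptions for a REST API protected by HTTP Basic; namespace declarations are as in the question's files.

```xml
<!-- web.xml: send every request through the Spring Security filter chain -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <!-- "/*" matches every path; this is the mapping Spring Security documents -->
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- security context: rules are evaluated top to bottom, first match wins -->
<security:http use-expressions="true" create-session="stateless">
    <security:http-basic/>
    <!-- public endpoints are listed explicitly and before any broader pattern (assumed paths) -->
    <security:intercept-url pattern="/login"        access="permitAll" />
    <security:intercept-url pattern="/resources/**" access="permitAll" />
    <!-- administrative endpoints require a specific role (assumed path and role) -->
    <security:intercept-url pattern="/admin/**"     access="hasRole('ROLE_ADMIN')" />
    <!-- catch-all last: anything not matched above still needs a logged-in user,
         so a forgotten URL is protected by default instead of exposed -->
    <security:intercept-url pattern="/**"           access="isAuthenticated()" />
</security:http>

<security:authentication-manager>
    <security:authentication-provider ref="springUserService" />
</security:authentication-manager>
```

A quick check after deploying: an unauthenticated request to any unlisted URL should now get a 401 with a `WWW-Authenticate: Basic` header rather than the resource.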
Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost them, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.