Spring MVC enabling Spring Security 4
I'm using Spring 4 and trying to set up Spring Security for my application. I've never done this before, so I don't know what I'm doing wrong.
In my pom.xml I added Spring Security as follows:
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>4.0.3.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>4.0.3.RELEASE</version>
</dependency>
I also added this to the web.xml file:
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/root-context.xml
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>contextAttribute</param-name>
        <param-value>org.springframework.web.context.WebApplicationContext.ROOT</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
And I also implemented the spring-security.xml file:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">
    <http disable-url-rewriting="false">
        <headers disabled="true"/>
        <csrf disabled="true"/>
        <intercept-url pattern="/login" access="permitAll"/>
        <intercept-url pattern="/**" access="hasRole('ROLE_EMPLOYEE')"/>
        <form-login login-page="/login"
            default-target-url='/user'
            always-use-default-target='true' />
        <logout logout-url="/j_spring_security_logout"/>
    </http>
    <!-- Select users and user_roles from database -->
    <authentication-manager>
        <authentication-provider>
            <password-encoder ref="encoder"/>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query=
                    "select email,password, enabled from users where email=?"
                authorities-by-username-query=
                    "select email, role from user_roles where email =? " />
        </authentication-provider>
    </authentication-manager>
    <beans:bean id="encoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <beans:constructor-arg name="strength" value="11" />
    </beans:bean>
</beans:beans>
In LoginController I have the method:
@RequestMapping("/login")
public String login() {
    return "login";
}
Finally, there is my login.jsp file:
<c:url var="loginUrl" value="/j_spring_security_check" />
<form action="${loginUrl}" method="post">
    <p>
        <label for="j_username">User:</label>
    </p>
    <input type="text" id="j_username" name="j_username" />
    <p>
        <label for="j_password">Password:</label>
    </p>
    <input type="password" id="j_password" name="j_password">
    <p>
        <label for="_spring_security_remember_me">Remember Me</label>
    </p>
    <input type="checkbox" id="_spring_security_remember_me" name="_spring_security_remember_me" />
    <div>
        <input name="submit" type="submit" />
    </div>
</form>
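After loading the login page and submitting the correct email and password, I still stay on the same page and nothing happens. Any ideas? From the console I get this: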
22:42:33.006 [tomcat-http--29] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9056f12c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: BDB553F099DA8716E7F821D89E5E51E8; Granted Authorities: ROLE_ANONYMOUS'
22:42:33.010 [tomcat-http--13] DEBUG o.s.s.w.s.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/project/resources/core/css/login.css]
22:42:33.010 [tomcat-http--29] DEBUG o.s.security.web.FilterChainProxy - /resources/core/css/bootstrap.min.css at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
22:42:33.012 [tomcat-http--13] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Calling Authentication entry point.
22:42:33.013 [tomcat-http--29] DEBUG o.s.security.web.FilterChainProxy - /resources/core/css/bootstrap.min.css at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
22:42:33.013 [tomcat-http--13] DEBUG o.s.s.web.DefaultRedirectStrategy - Redirecting to 'http://localhost:8080/project/login'
22:42:33.014 [tomcat-http--29] DEBUG o.s.security.web.FilterChainProxy - /resources/core/css/bootstrap.min.css at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
22:42:33.014 [tomcat-http--13] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
22:42:33.014 [tomcat-http--29] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/resources/core/css/bootstrap.min.css'; against '/login'
22:42:33.014 [tomcat-http--13] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
22:42:33.014 [tomcat-http--29] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /resources/core/css/bootstrap.min.css; Attributes: [hasRole('ROLE_EMPLOYEE')]
22:42:33.015 [tomcat-http--29] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9056f12c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: BDB553F099DA8716E7F821D89E5E51E8; Granted Authorities: ROLE_ANONYMOUS
22:42:33.015 [tomcat-http--29] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@7f10fd8, returned: -1
22:42:33.016 [tomcat-http--29] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
In Spring Security 4, the parameter names changed from j_username and j_password to username and password, respectively. So rename your HTML input variables.
Please don't disable CSRF protection! :) Add this to your form:
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
or use Spring's <form:form> form.
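An added example, not part of the original question or answer: the question's `<http>` element adjusted for Spring Security 4, with the namespace defaults written out so the form and the login filter visibly agree. The `/resources/**` rule is an assumption based on the CSS paths in the debug log, and `/logout` is the Spring Security 4 default rather than the URL the question used; `/user` and the role name are taken from the question.

```xml
<!-- Added example: the question's <http> block adjusted for Spring Security 4.
     Goes inside the same <beans:beans> root (default namespace = security). -->
<http>
    <!-- No <csrf disabled="true"/> and no <headers disabled="true"/>:
         both protections are on by default in Spring Security 4. -->

    <!-- Assumption: static assets live under /resources/, as the CSS paths
         in the debug log suggest. Without this rule the login page's own
         stylesheets are redirected to /login. -->
    <intercept-url pattern="/resources/**" access="permitAll"/>
    <intercept-url pattern="/login" access="permitAll"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_EMPLOYEE')"/>

    <!-- The three *-parameter / *-url attributes below restate the
         Spring Security 4 defaults. The login form must POST to
         login-processing-url using exactly these field names:
           <c:url var="loginUrl" value="/login"/>
           <form action="${loginUrl}" method="post">
             <input type="text"     name="username"/>
             <input type="password" name="password"/>
             <input type="hidden"   name="${_csrf.parameterName}"
                                    value="${_csrf.token}"/>
           </form>
         A form that still posts j_username / j_password to
         /j_spring_security_check is never seen by the login filter. -->
    <form-login login-page="/login"
                login-processing-url="/login"
                username-parameter="username"
                password-parameter="password"
                default-target-url="/user"
                always-use-default-target="true"/>

    <!-- With CSRF enabled, logout is only accepted as a POST that
         carries the CSRF token; a plain link (GET) will not log out. -->
    <logout logout-url="/logout"/>
</http>
```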