堆棧內存溢出
  簡體   English   中英

Spring MVC啟用Spring Security 4

[英]Spring MVC enabling Spring Security 4

 原文  2015-11-24 21:47:12       java/ spring-mvc/ spring-security

問題描述

我正在使用Spring 4,並嘗試為我的應用程序設置Spring Security。 我以前從未做過,所以我不知道自己在做什么錯。

在我的pom.xml中,我添加了如下的Spring安全性: 

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>4.0.3.RELEASE</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>4.0.3.RELEASE</version>
    </dependency>

我還把它添加到了web.xml文件中: 

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/root-context.xml
     /WEB-INF/spring-security.xml
    </param-value>
</context-param>

    <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>contextAttribute</param-name>
        <param-value>org.springframework.web.context.WebApplicationContext.ROOT</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

而且我還實現了spring-security.xml文件: 

    <beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <http disable-url-rewriting="false">
    <headers disabled="true"/>
    <csrf disabled="true"/>

    <intercept-url pattern="/login" access="permitAll"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_EMPLOYEE')"/>
    <form-login login-page="/login"
    default-target-url='/user'
    always-use-default-target='true' />
    <logout logout-url="/j_spring_security_logout"/>
</http>

<!-- Select users and user_roles from database -->
<authentication-manager>
  <authentication-provider>
  <password-encoder ref="encoder"/>
    <jdbc-user-service data-source-ref="dataSource"
      users-by-username-query=
        "select email,password, enabled from users where email=?"
      authorities-by-username-query=
        "select email, role from user_roles where email =?  " />
  </authentication-provider>
</authentication-manager>

<beans:bean id="encoder" 
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11" />
</beans:bean>

在LoginController中,我有方法: 

    @RequestMapping("/login")
public String login() {
    return "login";
}

最后,還有我的login.jsp文件: 

            <c:url var="loginUrl" value="/j_spring_security_check" />
        <form action="${loginUrl}" method="post">
            <p>
                <label for="j_username">User:</label>
            </p>    
            <input type="text" id="j_username" name="j_username" />
            <p>
                <label for="j_password">Password:</label>
            </p>
            <input type="password" id="j_password" name="j_password">
            <p>
                <label for="_spring_security_remember_me">Remember Me</label>
            </p>
                <input type="checkbox" id="_spring_security_remember_me" name="_spring_security_remember_me" />
            <div>
                <input name="submit" type="submit" />
            </div>
        </form>

加載登錄頁面並提交正確的電子郵件和密碼后,我仍然停留在同一頁面上,沒有任何反應。 有任何想法嗎? 從控制台我得到這個: 

22:42:33.006 [tomcat-http--29] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9056f12c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: BDB553F099DA8716E7F821D89E5E51E8; Granted Authorities: ROLE_ANONYMOUS'
22:42:33.010 [tomcat-http--13] DEBUG o.s.s.w.s.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/project/resources/core/css/login.css]
22:42:33.010 [tomcat-http--29] DEBUG o.s.security.web.FilterChainProxy - /resources/core/css/bootstrap.min.css at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
22:42:33.012 [tomcat-http--13] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Calling Authentication entry point.
22:42:33.013 [tomcat-http--29] DEBUG o.s.security.web.FilterChainProxy - /resources/core/css/bootstrap.min.css at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
22:42:33.013 [tomcat-http--13] DEBUG o.s.s.web.DefaultRedirectStrategy - Redirecting to 'http://localhost:8080/project/login'
22:42:33.014 [tomcat-http--29] DEBUG o.s.security.web.FilterChainProxy - /resources/core/css/bootstrap.min.css at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
22:42:33.014 [tomcat-http--13] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
22:42:33.014 [tomcat-http--29] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/resources/core/css/bootstrap.min.css'; against '/login'
22:42:33.014 [tomcat-http--13] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
22:42:33.014 [tomcat-http--29] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /resources/core/css/bootstrap.min.css; Attributes: [hasRole('ROLE_EMPLOYEE')]
22:42:33.015 [tomcat-http--29] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9056f12c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: BDB553F099DA8716E7F821D89E5E51E8; Granted Authorities: ROLE_ANONYMOUS
22:42:33.015 [tomcat-http--29] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@7f10fd8, returned: -1
22:42:33.016 [tomcat-http--29] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied

1 個解決方案

解決方案1
 2  2015-11-25 20:23:15

在Spring Security 4中,參數名稱分別從j_usernamej_password更改為usernamepassword 因此,重命名您的html輸入變量。

http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html#m3to4-xmlnamespace-form-login

請不要禁用CSRF保護! :)將此添加到您的表單: 

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

或使用spring的<form:form>表單

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 在春季安全標簽中啟用CORS 在沒有AbstractSecurityWebApplicationInitializer的情況下啟用Spring Security 彈簧安全沒有彈簧mvc Spring MVC 和 Spring 安全集成 Spring 3 MVC +安全性 Spring 4 MVC +安全問題 AngularJS和Spring MVC安全性 Spring 安全性:REST 帶 MVC MVC中的Spring安全性配置 Spring MVC安全性不起作用
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM