[英]Spring security fail login
我無法使用Spring Security登錄。 始終重定向到我的失敗頁面。
日志(在我發送登錄信息並通過后):
DEBUG: org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@a3a3121. A new one will be created.
DEBUG: org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Request is to process authentication
DEBUG: org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
DEBUG: org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@57e1bde8
DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec7843d: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 10.10.34.143; SessionId: 04D5F1E3C7B72570F1D4C2F7ADBC136C; Granted Authorities: ROLE_ADMIN, ROLE_USER
DEBUG: org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler - Redirecting to DefaultSavedRequest Url: http://10.10.34.143:8080/app/j_spring_security_check
DEBUG: org.springframework.security.web.DefaultRedirectStrategy - Redirecting to 'http://10.10.34.143:8080/app/j_spring_security_check'
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@fec7843d: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec7843d: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 10.10.34.143; SessionId: 04D5F1E3C7B72570F1D4C2F7ADBC136C; Granted Authorities: ROLE_ADMIN, ROLE_USER'
DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG: org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@fec7843d: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec7843d: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 10.10.34.143; SessionId: 04D5F1E3C7B72570F1D4C2F7ADBC136C; Granted Authorities: ROLE_ADMIN, ROLE_USER'
DEBUG: org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Request is to process authentication
DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Authentication method not supported: GET
DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@1405b08
DEBUG: org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler - Redirecting to /login?error=Invalid%20user%20login%20or%20password
DEBUG: org.springframework.security.web.DefaultRedirectStrategy - Redirecting to '/app/login?error=Invalid%20user%20login%20or%20password'
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG: org.springframework.security.web.FilterChainProxy - /login?error=Invalid%20user%20login%20or%20password at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@a3a3121. A new one will be created.
DEBUG: org.springframework.security.web.FilterChainProxy - /login?error=Invalid%20user%20login%20or%20password at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /login?error=Invalid%20user%20login%20or%20password at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /login?error=Invalid%20user%20login%20or%20password at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /login?error=Invalid%20user%20login%20or%20password at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /login?error=Invalid%20user%20login%20or%20password at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG: org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
DEBUG: org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: arg1=null; arg2=error=Invalid%20user%20login%20or%20password (property not equals)
DEBUG: org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match
DEBUG: org.springframework.security.web.FilterChainProxy - /login?error=Invalid%20user%20login%20or%20password at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /login?error=Invalid%20user%20login%20or%20password at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 10.10.34.143; SessionId: 6C4EAB97775D858B3677DC3CD0A53666; Granted Authorities: ROLE_ANONYMOUS'
DEBUG: org.springframework.security.web.FilterChainProxy - /login?error=Invalid%20user%20login%20or%20password at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /login?error=Invalid%20user%20login%20or%20password at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /login?error=Invalid%20user%20login%20or%20password at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/login'; against '/resources/**'
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/login'; against '/login'
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /login?error=Invalid%20user%20login%20or%20password; Attributes: [permitAll]
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 10.10.34.143; SessionId: 6C4EAB97775D858B3677DC3CD0A53666; Granted Authorities: ROLE_ANONYMOUS
DEBUG: org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@34223c37, returned: 1
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Authorization successful
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object
DEBUG: org.springframework.security.web.FilterChainProxy - /login?error=Invalid%20user%20login%20or%20password reached end of additional filter chain; proceeding with original chain
看,我有正確的j_username添加j_password,但仍然重定向到登錄失敗頁面。
我的security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<http use-expressions="true">
<http-basic />
<form-login login-processing-url="/j_spring_security_check"
default-target-url="/homepage" login-page="/login"
authentication-failure-url="/login?error=Invalid%20user%20login%20or%20password" />
<logout logout-url="/j_spring_security_logout"
logout-success-url="/login" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/signup" access="permitAll" />
<intercept-url pattern="/homepage" access="isAuthenticated()" />
<intercept-url pattern="/user" access="hasRole('User')" />
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('Admin')" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="user" authorities="ROLE_USER" />
<user name="admin" password="admin" authorities="ROLE_USER,ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
編輯:POST請求到j_spring_security_check后,我有GET請求到j_spring_security_check。 我不知道為什么
我的登錄頁面(index.jsp):
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Login</title>
<style type="text/css">
table {
margin-top: 10%;
padding: 40px;
border: 3px solid black;
text-align: center;
box-shadow: 0 0 5px;
border-radius: 50px;
}
td {
text-align: left
}
</style>
</head>
<body>
<div align="center">
<c:url var="loginUrl" value="/j_spring_security_check" />
<form action="${loginUrl}" method="post">
<table>
<tr>
<td><label for="login">Login:</label></td>
<td><input type="text" name="j_username" id="login"
style="width: 100%" required></td>
</tr>
<tr>
<td><label for="password">Password:</label></td>
<td><input type="password" name="j_password" id="password"
style="width: 100%" required></td>
</tr>
<tr>
<td colspan="2" style="text-align: right;"><input
type="submit" value="Sign in"></td>
</tr>
<tr>
<td colspan="2" style="color: red; text-align: left;">
<c:if test="${param.error != null}">
<c:out value="${param.error}"/>
</c:if>
</tr>
</table>
</form>
</div>
</body>
</html>
您應該在表單中添加csrf鍵作為隱藏元素:
<form action="${loginUrl}" method="post">
<table>
<tr>
<td><label for="login">Login:</label></td>
<td><input type="text" name="j_username" id="login"
style="width: 100%" required></td>
</tr>
<tr>
<td><label for="password">Password:</label></td>
<td><input type="password" name="j_password" id="password"
style="width: 100%" required></td>
</tr>
<tr>
<td colspan="2" style="text-align: right;"><input
type="submit" value="Sign in"></td>
</tr>
<tr>
<td colspan="2" style="color: red; text-align: left;">
<c:if test="${param.error != null}">
<c:out value="${param.error}"/>
</c:if>
</tr>
</table>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
</form>
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.