
Spring Security returns login page after submitting form

I have a Spring Boot web application with an authentication problem. After I enter the correct username and password, the form is submitted and silently returns to the login form.

I tried to debug and see what is happening, but I cannot figure it out. Any help is much appreciated.

This is my security configuration class.

    // Paths served without authentication (static resources etc.)
    private static final String[] PUBLIC_MATCHERS = {
            "/webjars/**",
            "/css/**",
            "/js/**",
            // ...
    };

    http
            .sessionManagement()
            .maximumSessions(100)
            .maxSessionsPreventsLogin(false)
            .expiredUrl("/expired-url")
            .sessionRegistry(securityBeans.sessionRegistry());

    http
            .authorizeRequests()
              .antMatchers(PUBLIC_MATCHERS).permitAll()
              .anyRequest().authenticated()
            .and()
            .formLogin()
              .loginPage("/login").permitAll()
              .defaultSuccessUrl("/dashboard")
            .and()
            .logout()
              .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
              .logoutSuccessUrl("/login?logout")
              .deleteCookies("remember-me").deleteCookies("JSESSIONID")
              .invalidateHttpSession(true).permitAll()
            .and()
            .httpBasic();

The log after debugging the form submission is as follows.

    2020-01-28 18:10:45.398  INFO 29168 --- [nio-8080-exec-3] Spring Security Debugger                 : 

************************************************************

Request received for POST '/login':

org.apache.catalina.connector.RequestFacade@442276e5

servletPath:/login
pathInfo:null
headers: 
host: localhost:8080
connection: keep-alive
content-length: 69
cache-control: max-age=0
origin: http://localhost:8080
upgrade-insecure-requests: 1
content-type: application/x-www-form-urlencoded
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
sec-fetch-user: ?1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: same-origin
sec-fetch-mode: navigate
referer: http://localhost:8080/login
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: JSESSIONID=5F80F076DD57E7CDE52F1B24EC1BB8EF


Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  UsernamePasswordAuthenticationFilter
  ConcurrentSessionFilter
  BasicAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]

************************************************************


Hibernate: 
    select
        user0_.id as id1_14_,
        user0_.created_at as created_2_14_,
        user0_.created_by as created_3_14_,

2020-01-28 18:10:46.155  INFO 29168 --- [io-8080-exec-10] Spring Security Debugger                 : 

************************************************************

Request received for GET '/dashboard':

org.apache.catalina.connector.RequestFacade@442276e5

servletPath:/dashboard
pathInfo:null
headers: 
host: localhost:8080
connection: keep-alive
cache-control: max-age=0
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
sec-fetch-user: ?1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: same-origin
sec-fetch-mode: navigate
referer: http://localhost:8080/login
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: JSESSIONID=4244FB8F7CE22B64766E8E97B6CB97EC

************************************************************


2020-01-28 18:10:46.168  INFO 29168 --- [nio-8080-exec-4] Spring Security Debugger                 : 

************************************************************

Request received for GET '/login':

org.apache.catalina.connector.RequestFacade@442276e5

servletPath:/login
pathInfo:null
headers: 
host: localhost:8080
connection: keep-alive
cache-control: max-age=0
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
sec-fetch-user: ?1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: same-origin
sec-fetch-mode: navigate
referer: http://localhost:8080/login
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: JSESSIONID=4244FB8F7CE22B64766E8E97B6CB97EC

A sample of the response as returned to the browser is here:

   Request URL: http://localhost:8080/login
   Request Method: POST
   Status Code: 302 / 
 - Request Headers
   Accept: text/html, application/xhtml+xml, application/xml; q=0.9, */*; q=0.8
   Accept-Encoding: gzip, deflate, br
   Accept-Language: en-US
   Cache-Control: max-age=0
   Content-Length: 109
   Content-Type: application/x-www-form-urlencoded
   Cookie: JSESSIONID=9FFAEA5655FE807B88490B358E89894D
   Host:localhost:8080
   Referer: http://localhost:8080/login
   Upgrade-Insecure-Requests: 1
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
 - Response Headers
   cache-control: no-cache, no-store, max-age=0, must-revalidate
   content-length: 0
   date: Wed, 29 Jan 2020 07:20:35 GMT
   expires: 0
   location: http://localhost:8080/login
   pragma: no-cache
   server: nginx/1.16.1
   set-cookie: JSESSIONID=68D2982DB1B8022C2EBED7A05C96D67B; Path=/; HttpOnly
   x-content-type-options: nosniff
   x-frame-options: DENY
   x-xss-protection: 1; mode=block

Even though the CSRF token is injected into the login form, it is not bound to the request.

<form class="form-horizontal form-material" id="loginform"
                      method="post"
                      th:action="@{/login}">
                    <h3 class="text-center m-b-10">Sign In</h3>

                    <div class="form-group ">
                        <div class="col-xs-12">
                            <input autofocus class="form-control" id="username"
                                   name="username" placeholder="Email" required type="email">
                        </div>
                    </div>
                    <div class="form-group ">
                        <div class="col-xs-12">
                            <input class="form-control" id="password"
                                   name="password"
                                   placeholder="Password" required
                                   th:placeholder="#{login.password.text}" type="password">
                        </div>
                    </div>
                    <div class="form-group row">
                        <div class="col-md-12">
                            <div class="d-flex no-block align-items-center">
                                <div class="custom-control custom-checkbox">
                                    <input checked class="custom-control-input" id="remember-me"
                                           name="remember-me" type="checkbox">
                                    <label class="custom-control-label" for="remember-me">Remember me</label>
                                </div>
                                <div class="ml-auto">
                                    <a class="text-muted" href="javascript:void(0)" id="to-recover"><i
                                            class="fas fa-lock m-r-5"></i> Forgot pwd?</a>
                                </div>
                            </div>
                        </div>
                    </div>
                    <div class="form-group text-center p-b-0">
                        <div class="col-xs-12">
                            <button class="btn btn-info btn-lg btn-block btn-rounded text-uppercase waves-effect waves-light"
                                    type="submit">Log In
                            </button>
                        </div>
                    </div>
                    <div class="form-group m-b-0">
                        <div class="col-sm-12 text-center">
                            Don't have an account? <a
                                class="text-info m-l-5"
                                th:href="@{/sign-up}"><b>Sign
                            Up</b></a> <a class="float-right" th:href="@{/}">Home</a>
                        </div>
                    </div>
                </form>

Remove httpBasic when you have a login page. I think both security mechanisms are being applied to your configuration.

.and()
//Delete this line
.httpBasic();

For the CsrfTokenRepository to persist the CSRF token in a cookie (XSRF-TOKEN) or in the HttpSession, the request should pass the token in a header named X-XSRF-TOKEN.

Pass the XSRF token value in this custom header. Something like this:

--header 'X-XSRF-TOKEN: 3993871d-d15b-4932-a74f-744769132d86'

I solved this issue by not using the secure cookie and httpOnly settings. I had to enable stickiness, based on the response from AWS support.

"You can use the sticky sessions feature, which enables the load balancer to bind a user's session to a specific instance. This ensures that all requests from the user during the session are sent to the same instance. Please try enabling 'Session stickiness' in your application's load balancer configuration below."

After these settings, everything worked fine.
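A small triage script, added here and not part of the thread, that reads request blocks in the Spring Security debugger format shown in the question and flags the sequence the posted log exhibits: a POST to /login that is accepted (the browser is sent on to the configured /dashboard success URL) followed immediately by a bounce back to /login carrying the same JSESSIONID. The log excerpt is constructed; the /login and /dashboard paths come from the posted configuration.

```python
import re
from dataclasses import dataclass

# Line shapes follow the Spring Security debugger output shown in the question.
REQUEST_RE = re.compile(r"Request received for (\w+) '([^']+)':")
SESSION_RE = re.compile(r"^cookie:.*\bJSESSIONID=([0-9A-Fa-f]+)", re.IGNORECASE)

@dataclass
class Request:
    method: str
    path: str
    session: str = None  # JSESSIONID the browser presented, if any

def parse_debug_log(text):
    """Pair each 'Request received' block with the JSESSIONID cookie it carried."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := REQUEST_RE.search(line):
            current = Request(m.group(1), m.group(2))
            requests.append(current)
        elif current is not None and (m := SESSION_RE.match(line)):
            current.session = m.group(1)
    return requests

def find_lost_logins(requests, login="/login", success="/dashboard"):
    """Flag POST login -> GET success page -> GET login again carrying one session id.
    Being redirected to the configured success URL shows the POST was authenticated;
    the same JSESSIONID then bouncing back to the login page means the node that
    answered did not hold that session (e.g. another instance, no stickiness)."""
    hits = []
    for a, b, c in zip(requests, requests[1:], requests[2:]):
        if ((a.method, a.path) == ("POST", login)
                and (b.method, b.path) == ("GET", success)
                and (c.method, c.path) == ("GET", login)
                and b.session is not None and b.session == c.session):
            # "rotated": Spring's default session-fixation protection issues a
            # new id on login, so a changed id is the expected healthy sign.
            hits.append({"before_login": a.session, "after_login": b.session,
                         "rotated": a.session != b.session})
    return hits

# Constructed excerpt in the debugger's format (not the question's real log).
SAMPLE_LOG = """
Request received for POST '/login':
cookie: JSESSIONID=AAAA1111
Request received for GET '/dashboard':
cookie: JSESSIONID=BBBB2222
Request received for GET '/login':
cookie: JSESSIONID=BBBB2222
"""
```

Running `find_lost_logins(parse_debug_log(SAMPLE_LOG))` on the constructed excerpt returns one hit with `rotated` set to True, the same shape as the question's log (5F80... on the POST, 4244... on both following GETs).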
