[英]Spring prevent user from accessing url through browser and ajax
我在彈簧安全配置方面遇到了麻煩。 我在下面分享我的代碼。
我的問題是我想/user*
url和/admin*
url應該只在用戶登錄我的應用程序時訪問,我的應用程序有主要的ajax調用,所以我希望沒有用戶可以訪問/user*
URL而無需登錄。但是,當我嘗試在Web瀏覽器中鍵入URL時,我甚至沒有重定向到登錄頁面,而是進入了在URL中鍵入的頁面。
所以任何人都可以幫我解決這個問題。
彈簧security.xml文件
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true">
<intercept-url pattern="/user**" access="ROLE_USER" />
<form-login login-page="/login" default-target-url="/user/home"
authentication-failure-url="/loginfailed" />
<logout invalidate-session="true" logout-success-url="/logout" />
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select USERNAME, PASSWORD from USER where USERNAME = ?"
authorities-by-username-query="ROLE_USER"
/>
</authentication-provider>
</authentication-manager>
web.xml中
<?xml version="1.0" encoding="utf-8" standalone="no"?><web-app
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.5"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<servlet>
<servlet-name>Admin</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Admin</servlet-name>
<url-pattern>/admin*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>User</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>User</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/User-servlet.xml,
/WEB-INF/Spring-Datasource.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>index</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>SystemServiceServlet</servlet-name>
<servlet-class>com.google.api.server.spi.SystemServiceServlet</servlet-class>
<init-param>
<param-name>services</param-name>
<param-value/>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>SystemServiceServlet</servlet-name>
<url-pattern>/_ah/spi/*</url-pattern>
</servlet-mapping>
</web-app>
ControllerServlet.java
@Controller
public class UserController {
@RequestMapping(value = "/login", method = RequestMethod.GET)
public String getUserLoginPage(){
return "user/index";
}
@RequestMapping(value = "/loginfailed", method = RequestMethod.GET)
public String showErrorLoginPage(ModelMap modelMap){
modelMap.addAttribute("message", "Invalid Login Credentials");
return "user/index";
}
@RequestMapping(value = "/user/home", method = RequestMethod.GET)
public String getUserHomePage(ModelMap modelMap, Principal principal){
//String name = principal.getName();
//modelMap.addAttribute("name", name);
return "user/home";
}
@RequestMapping(value = "/logout", method = RequestMethod.GET)
public String showLogoutPage(ModelMap modelMap){
return "user/index";
}
}
數據庫設計/代碼:
create table USER(ID BIGINT NOT NULL AUTO_INCREMENT, USERNAME varchar(20) NOT NULL UNIQUE, PASSWORD varchar(20) NOT NULL, FIRSTNAME varchar(25) NOT NULL, LASTNAME varchar(25) NOT NULL, UPDATED_ON varchar(25) NOT NULL, PRIMARY KEY (ID));
登錄表格代碼:
<form class="form-horizontal" method="POST"
action="<c:url value='/j_spring_security_check' />" id="loginForm">
<div class="span4"></div>
<div class="span5" style="background-color: #FBFBFC; border: solid 1px #CCC;padding: 30px 5px 30px 5px;">
<div class="span1"></div>
<fieldset>
<legend>Login Here</legend>
<div class="control-group">
<label for="username">Username</label>
<input type="text" name="j_username" id="username"
placeholder="Username"
title="Please enter your username" data-placement="right" />
<div class="clear"></div>
<span id="errorSpan"></span>
</div>
<div class="control-group">
<label for="password">Password</label>
<input type="password" name="j_password" id="password"
placeholder="Password" title="Please enter your password"
data-placement="right" />
<div class="clear"></div>
<span id="errorSpan"></span>
</div>
<div class="control-group">
<label> </label>
<input type="submit" class="btn btn-primary" value="Sign In" />
</div>
<div class="span1"></div>
</fieldset>
</div>
<div class="span3"></div>
</form>
你的模式是錯的
pattern="/user/**"
應該是對的。
要更好地了解模式中的星星:
xx/**
表示xx
下的完整樹結構是安全的。 xx/*
表示只有xx
的數據是安全的。 xx/*.rar
在這種情況下*
是文件的通配符,因此所有.rar文件都是安全的。 希望這可以幫助。
您還應該按照用戶名 - 用戶名 -查詢的方式為authority-by-username-query指定查詢
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select USERNAME, PASSWORD from USER where USERNAME = ?"
authorities-by-username-query="ROLE_USER"
/>
例如
authorities-by-username-query="select u.username, ur.authority from user u, user_roles ur
where u.user_id = ur.user_id and u.username =?"
還要考慮在配置中添加密碼編碼器 ,以便在數據庫中沒有純文本密碼
有兩個問題:
首先,你必須糾正地址模式:像user/**
其次,如果您對安全資源進行了安靜的調用,則可能會發生這種情況。
檢查螢火蟲。 您會看到302 redirect
作為對您的請求的回復。 在這種情況下,您最好不要使用重定向,但是給出403 access denied
響應並在您的ajax框架內手動處理它。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.