Java 如何在spring boot中配置自定义AccessDecisionManager和自定义AuthenticationProvider
下面是我的安全配置文件,我想将其更改为java配置Java 如何在spring boot中配置自定义AccessDecisionManager和自定义AuthenticationProvider,java,spring,spring-mvc,spring-boot,spring-security,Java,Spring,Spring Mvc,Spring Boot,Spring Security,下面是我的安全配置文件,我想将其更改为java配置 <beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"> <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="customAuthentication"></authentication-provider>
</authentication-manager>
<beans:bean name="accessDecisionManager" class="com.xy.security.CustomAccessDecisionManager" ></beans:bean>
<beans:bean name="securityMetadataSource" class="com..xy.security.InvocationSecurityMetadataSourceService">
</beans:bean>
<beans:bean id="customAuthentication" class="com.xy.security.CustomAuthentication" />
<beans:bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="exceptionMappings">
<beans:props>
<beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
</beans:props>
</beans:property>
<beans:property name="defaultFailureUrl" value="/login.jsp" />
</beans:bean> ====================================================
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthentication customAuthentication;
@Autowired
private CustomAccessDecisionManager customAccessDecisionManager;
@Autowired
private InvocationSecurityMetadataSourceService invocationSecurityMetadataSourceService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthentication);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/login*","/favicon.ico","/","/**/*.css" ,"/images/*.*","/js/*.js","/bt-fonts/*.*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.defaultSuccessUrl("/admin*")
.failureUrl("/login?error=true")
.and()
.logout().logoutSuccessUrl("/login").invalidateHttpSession(true).deleteCookies("true")
.and()
.authenticationProvider(customAuthentication)
//.accessDecisionManager(customAccessDecisionManager)
//.authorizeRequests().accessDecisionManager(customAccessDecisionManager)
//.csrf().disable()
;
}
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="customAuthentication"></authentication-provider>
</authentication-manager>
<beans:bean name="accessDecisionManager" class="com.xy.security.CustomAccessDecisionManager" ></beans:bean>
<beans:bean name="securityMetadataSource" class="com..xy.security.InvocationSecurityMetadataSourceService">
</beans:bean>
<beans:bean id="customAuthentication" class="com.xy.security.CustomAuthentication" />
<beans:bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="exceptionMappings">
<beans:props>
<beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
</beans:props>
</beans:property>
<beans:property name="defaultFailureUrl" value="/login.jsp" />
</beans:bean> ====================================================
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthentication customAuthentication;
@Autowired
private CustomAccessDecisionManager customAccessDecisionManager;
@Autowired
private InvocationSecurityMetadataSourceService invocationSecurityMetadataSourceService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthentication);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/login*","/favicon.ico","/","/**/*.css" ,"/images/*.*","/js/*.js","/bt-fonts/*.*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.defaultSuccessUrl("/admin*")
.failureUrl("/login?error=true")
.and()
.logout().logoutSuccessUrl("/login").invalidateHttpSession(true).deleteCookies("true")
.and()
.authenticationProvider(customAuthentication)
//.accessDecisionManager(customAccessDecisionManager)
//.authorizeRequests().accessDecisionManager(customAccessDecisionManager)
//.csrf().disable()
;
}
我有一个类,其中有自定义的身份验证逻辑
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="customAuthentication"></authentication-provider>
</authentication-manager>
<beans:bean name="accessDecisionManager" class="com.xy.security.CustomAccessDecisionManager" ></beans:bean>
<beans:bean name="securityMetadataSource" class="com..xy.security.InvocationSecurityMetadataSourceService">
</beans:bean>
<beans:bean id="customAuthentication" class="com.xy.security.CustomAuthentication" />
<beans:bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="exceptionMappings">
<beans:props>
<beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
</beans:props>
</beans:property>
<beans:property name="defaultFailureUrl" value="/login.jsp" />
</beans:bean> ====================================================
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthentication customAuthentication;
@Autowired
private CustomAccessDecisionManager customAccessDecisionManager;
@Autowired
private InvocationSecurityMetadataSourceService invocationSecurityMetadataSourceService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthentication);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/login*","/favicon.ico","/","/**/*.css" ,"/images/*.*","/js/*.js","/bt-fonts/*.*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.defaultSuccessUrl("/admin*")
.failureUrl("/login?error=true")
.and()
.logout().logoutSuccessUrl("/login").invalidateHttpSession(true).deleteCookies("true")
.and()
.authenticationProvider(customAuthentication)
//.accessDecisionManager(customAccessDecisionManager)
//.authorizeRequests().accessDecisionManager(customAccessDecisionManager)
//.csrf().disable()
;
}
public class CustomAccessDecisionManager implements AccessDecisionManager{
-@Override
public Authentication authenticate(Authentication authentication){
public class CustomAuthentication implements AuthenticationProvider{
@Override
public void decide(Authentication arg0, Object object, Collection<ConfigAttribute> arg2)
//这里有一些代码
}
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="customAuthentication"></authentication-provider>
</authentication-manager>
<beans:bean name="accessDecisionManager" class="com.xy.security.CustomAccessDecisionManager" ></beans:bean>
<beans:bean name="securityMetadataSource" class="com..xy.security.InvocationSecurityMetadataSourceService">
</beans:bean>
<beans:bean id="customAuthentication" class="com.xy.security.CustomAuthentication" />
<beans:bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="exceptionMappings">
<beans:props>
<beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
</beans:props>
</beans:property>
<beans:property name="defaultFailureUrl" value="/login.jsp" />
</beans:bean> ====================================================
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthentication customAuthentication;
@Autowired
private CustomAccessDecisionManager customAccessDecisionManager;
@Autowired
private InvocationSecurityMetadataSourceService invocationSecurityMetadataSourceService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthentication);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/login*","/favicon.ico","/","/**/*.css" ,"/images/*.*","/js/*.js","/bt-fonts/*.*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.defaultSuccessUrl("/admin*")
.failureUrl("/login?error=true")
.and()
.logout().logoutSuccessUrl("/login").invalidateHttpSession(true).deleteCookies("true")
.and()
.authenticationProvider(customAuthentication)
//.accessDecisionManager(customAccessDecisionManager)
//.authorizeRequests().accessDecisionManager(customAccessDecisionManager)
//.csrf().disable()
;
}
还有另一个类,如下面所示,我有自定义的授权逻辑
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="customAuthentication"></authentication-provider>
</authentication-manager>
<beans:bean name="accessDecisionManager" class="com.xy.security.CustomAccessDecisionManager" ></beans:bean>
<beans:bean name="securityMetadataSource" class="com..xy.security.InvocationSecurityMetadataSourceService">
</beans:bean>
<beans:bean id="customAuthentication" class="com.xy.security.CustomAuthentication" />
<beans:bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="exceptionMappings">
<beans:props>
<beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
</beans:props>
</beans:property>
<beans:property name="defaultFailureUrl" value="/login.jsp" />
</beans:bean> ====================================================
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthentication customAuthentication;
@Autowired
private CustomAccessDecisionManager customAccessDecisionManager;
@Autowired
private InvocationSecurityMetadataSourceService invocationSecurityMetadataSourceService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthentication);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/login*","/favicon.ico","/","/**/*.css" ,"/images/*.*","/js/*.js","/bt-fonts/*.*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.defaultSuccessUrl("/admin*")
.failureUrl("/login?error=true")
.and()
.logout().logoutSuccessUrl("/login").invalidateHttpSession(true).deleteCookies("true")
.and()
.authenticationProvider(customAuthentication)
//.accessDecisionManager(customAccessDecisionManager)
//.authorizeRequests().accessDecisionManager(customAccessDecisionManager)
//.csrf().disable()
;
}
public class CustomAccessDecisionManager implements AccessDecisionManager{
-@Override
public Authentication authenticate(Authentication authentication){
public class CustomAuthentication implements AuthenticationProvider{
@Override
public void decide(Authentication arg0, Object object, Collection<ConfigAttribute> arg2)
第一个(我建议)是更新配置以包含WebExpressionVoter。例如:
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="customAuthentication"></authentication-provider>
</authentication-manager>
<beans:bean name="accessDecisionManager" class="com.xy.security.CustomAccessDecisionManager" ></beans:bean>
<beans:bean name="securityMetadataSource" class="com..xy.security.InvocationSecurityMetadataSourceService">
</beans:bean>
<beans:bean id="customAuthentication" class="com.xy.security.CustomAuthentication" />
<beans:bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="exceptionMappings">
<beans:props>
<beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
</beans:props>
</beans:property>
<beans:property name="defaultFailureUrl" value="/login.jsp" />
</beans:bean> ====================================================
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthentication customAuthentication;
@Autowired
private CustomAccessDecisionManager customAccessDecisionManager;
@Autowired
private InvocationSecurityMetadataSourceService invocationSecurityMetadataSourceService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthentication);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/login*","/favicon.ico","/","/**/*.css" ,"/images/*.*","/js/*.js","/bt-fonts/*.*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.defaultSuccessUrl("/admin*")
.failureUrl("/login?error=true")
.and()
.logout().logoutSuccessUrl("/login").invalidateHttpSession(true).deleteCookies("true")
.and()
.authenticationProvider(customAuthentication)
//.accessDecisionManager(customAccessDecisionManager)
//.authorizeRequests().accessDecisionManager(customAccessDecisionManager)
//.csrf().disable()
;
}
@Bean
public AccessDecissionManager defaultAccessDecisionManager() {
List<AccessDecisionVoter<FilterInvocation>> voters = new ArrayList<AccessDecisionVoter<FilterInvocation>>();
voters.add(new WebExpressionVoter());
voters.add(new CustomVoter());
AccessDecissionManager result = new UnanimousBased();
result.setDecisionVoters(voters);
return result;
}
}
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="customAuthentication"></authentication-provider>
</authentication-manager>
<beans:bean name="accessDecisionManager" class="com.xy.security.CustomAccessDecisionManager" ></beans:bean>
<beans:bean name="securityMetadataSource" class="com..xy.security.InvocationSecurityMetadataSourceService">
</beans:bean>
<beans:bean id="customAuthentication" class="com.xy.security.CustomAuthentication" />
<beans:bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="exceptionMappings">
<beans:props>
<beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
</beans:props>
</beans:property>
<beans:property name="defaultFailureUrl" value="/login.jsp" />
</beans:bean> ====================================================
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthentication customAuthentication;
@Autowired
private CustomAccessDecisionManager customAccessDecisionManager;
@Autowired
private InvocationSecurityMetadataSourceService invocationSecurityMetadataSourceService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthentication);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/login*","/favicon.ico","/","/**/*.css" ,"/images/*.*","/js/*.js","/bt-fonts/*.*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.defaultSuccessUrl("/admin*")
.failureUrl("/login?error=true")
.and()
.logout().logoutSuccessUrl("/login").invalidateHttpSession(true).deleteCookies("true")
.and()
.authenticationProvider(customAuthentication)
//.accessDecisionManager(customAccessDecisionManager)
//.authorizeRequests().accessDecisionManager(customAccessDecisionManager)
//.csrf().disable()
;
}
第一个(我建议)是更新配置以包含WebExpressionVoter。例如:
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="customAuthentication"></authentication-provider>
</authentication-manager>
<beans:bean name="accessDecisionManager" class="com.xy.security.CustomAccessDecisionManager" ></beans:bean>
<beans:bean name="securityMetadataSource" class="com..xy.security.InvocationSecurityMetadataSourceService">
</beans:bean>
<beans:bean id="customAuthentication" class="com.xy.security.CustomAuthentication" />
<beans:bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="exceptionMappings">
<beans:props>
<beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
</beans:props>
</beans:property>
<beans:property name="defaultFailureUrl" value="/login.jsp" />
</beans:bean> ====================================================
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthentication customAuthentication;
@Autowired
private CustomAccessDecisionManager customAccessDecisionManager;
@Autowired
private InvocationSecurityMetadataSourceService invocationSecurityMetadataSourceService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthentication);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/login*","/favicon.ico","/","/**/*.css" ,"/images/*.*","/js/*.js","/bt-fonts/*.*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.defaultSuccessUrl("/admin*")
.failureUrl("/login?error=true")
.and()
.logout().logoutSuccessUrl("/login").invalidateHttpSession(true).deleteCookies("true")
.and()
.authenticationProvider(customAuthentication)
//.accessDecisionManager(customAccessDecisionManager)
//.authorizeRequests().accessDecisionManager(customAccessDecisionManager)
//.csrf().disable()
;
}
@Bean
public AccessDecissionManager defaultAccessDecisionManager() {
List<AccessDecisionVoter<FilterInvocation>> voters = new ArrayList<AccessDecisionVoter<FilterInvocation>>();
voters.add(new WebExpressionVoter());
voters.add(new CustomVoter());
AccessDecissionManager result = new UnanimousBased();
result.setDecisionVoters(voters);
return result;
}
}
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="customAuthentication"></authentication-provider>
</authentication-manager>
<beans:bean name="accessDecisionManager" class="com.xy.security.CustomAccessDecisionManager" ></beans:bean>
<beans:bean name="securityMetadataSource" class="com..xy.security.InvocationSecurityMetadataSourceService">
</beans:bean>
<beans:bean id="customAuthentication" class="com.xy.security.CustomAuthentication" />
<beans:bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="exceptionMappings">
<beans:props>
<beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
</beans:props>
</beans:property>
<beans:property name="defaultFailureUrl" value="/login.jsp" />
</beans:bean> ====================================================
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthentication customAuthentication;
@Autowired
private CustomAccessDecisionManager customAccessDecisionManager;
@Autowired
private InvocationSecurityMetadataSourceService invocationSecurityMetadataSourceService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthentication);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/login*","/favicon.ico","/","/**/*.css" ,"/images/*.*","/js/*.js","/bt-fonts/*.*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.defaultSuccessUrl("/admin*")
.failureUrl("/login?error=true")
.and()
.logout().logoutSuccessUrl("/login").invalidateHttpSession(true).deleteCookies("true")
.and()
.authenticationProvider(customAuthentication)
//.accessDecisionManager(customAccessDecisionManager)
//.authorizeRequests().accessDecisionManager(customAccessDecisionManager)
//.csrf().disable()
;
}
您是否收到异常情况?如果是这样,请发布stacktrace。我在SecurityConfig类中配置的CustomAuthentication和customAccessMgr是否有任何错误?如果我配置的是csrf().disable(),则控件将不会返回任何位置,它将再次返回到我的登录页。在删除csrf()并输入userid和pwd之后,控件将进入相应的jsp页面,但控件不会进入我的CustomAuthentication和customAccessMgr类。在浏览器中,它给出了错误------此应用程序没有/error的显式映射,因此您将此视为回退。出现意外错误(类型=禁止,状态=403)。在请求参数“\u CSRF”或标头“X-CSRF-Token”上发现无效的CSRF令牌“null”。是否收到异常?如果是这样,请发布stacktrace。我在SecurityConfig类中配置的CustomAuthentication和customAccessMgr是否有任何错误?如果我配置的是csrf().disable(),则控件将不会返回任何位置,它将再次返回到我的登录页。在删除csrf()并输入userid和pwd之后,控件将进入相应的jsp页面,但控件不会进入我的CustomAuthentication和customAccessMgr类。在浏览器中,它给出了错误------此应用程序没有/error的显式映射,因此您将此视为回退。出现意外错误(类型=禁止,状态=403)。在请求参数“\u CSRF”或标头“X-CSRF-Token”上发现无效的CSRF令牌“null”。
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
<authentication-manager alias="authenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="customAuthentication"></authentication-provider>
</authentication-manager>
<beans:bean name="accessDecisionManager" class="com.xy.security.CustomAccessDecisionManager" ></beans:bean>
<beans:bean name="securityMetadataSource" class="com..xy.security.InvocationSecurityMetadataSourceService">
</beans:bean>
<beans:bean id="customAuthentication" class="com.xy.security.CustomAuthentication" />
<beans:bean id="securityExceptionTranslationHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="exceptionMappings">
<beans:props>
<beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
</beans:props>
</beans:property>
<beans:property name="defaultFailureUrl" value="/login.jsp" />
</beans:bean> ====================================================
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthentication customAuthentication;
@Autowired
private CustomAccessDecisionManager customAccessDecisionManager;
@Autowired
private InvocationSecurityMetadataSourceService invocationSecurityMetadataSourceService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthentication);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/login*","/favicon.ico","/","/**/*.css" ,"/images/*.*","/js/*.js","/bt-fonts/*.*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.defaultSuccessUrl("/admin*")
.failureUrl("/login?error=true")
.and()
.logout().logoutSuccessUrl("/login").invalidateHttpSession(true).deleteCookies("true")
.and()
.authenticationProvider(customAuthentication)
//.accessDecisionManager(customAccessDecisionManager)
//.authorizeRequests().accessDecisionManager(customAccessDecisionManager)
//.csrf().disable()
;
}