Java Spring JSP authorize tag is always true, always hides
We are on the latest version of Spring. The project I'm working on is essentially a blog manager (it is a capstone project for a coding bootcamp), and we can't figure out what is going on in Spring Security. Login appears to work fine, and Spring locks down the endpoints we specified for regular users and admin users. However, the Spring Security tags don't seem to work in the JSP. No matter who is logged in, the authorize tag always hides the content; of course, if an admin is logged in, we want it to show. Relevant JSP code:
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>
<sec:authorize access="hasRole('ROLE_ADMIN')">
<!-- stuff to hide -->
</sec:authorize>
And finally, the filter in the web.xml file:
<!-- #1 - Make security the default namespace -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- #2 - Make sure we don’t need authorization to get to the login or home page -->
<http pattern="/home" security="none"/>
<http pattern="/" security="none"/>
<http pattern="/img/**" security="none"/>
<http pattern="/css/**" security="none"/>
<http pattern="/login" security="none"/>
<http pattern="/contact" security="none"/>
<http pattern="/posts/**" security="none"/>
<http pattern="/post/**" security="none"/>
<http pattern="/pages/**" security="none"/>
<http pattern="/comments/**" security="none"/>
<http pattern="/js/**" security="none"/>
<!-- #3 - Authentication/login form and protected endpoint configuration -->
<http auto-config="true" use-expressions="false">
<!-- #3a - Login via html form, use Spring to do the security check -->
<!-- #3b - Use the login page at this endpoint -->
<!-- #3c - Redirect here if login fails -->
<form-login login-processing-url="/j_spring_security_check"
login-page="/login"
authentication-failure-url="/login?login_error=1"/>
<!-- #3d - Go back to home page when user logs out -->
<logout logout-success-url="/home" />
<!-- #3e - Access to these endpoints require admin role -->
<!--new try NO! -->
<intercept-url pattern="/admin" access="ROLE_ADMIN" />
<intercept-url pattern="/addPost" access="ROLE_ADMIN" />
<intercept-url pattern="/addPage" access="ROLE_ADMIN" />
<intercept-url pattern="/comment/**" access="ROLE_ADMIN" />
<!--<intercept-url pattern="/post" access="ROLE_ADMIN" />-->
<intercept-url pattern="/editPost/**" access="ROLE_ADMIN" />
<!-- #3f - Access to all other controller endpoints require user role -->
<intercept-url pattern="/**" access="ROLE_USER" />
</http>
<!-- #4 - Authentication Manager config -->
<authentication-manager>
<!-- #4a - Authentication Provider - we’re using the JDBC service -->
<authentication-provider>
<!-- #4b - Tells Spring Security where to look for user information -->
<!-- We use the dataSource defined in spring-persistence.xml -->
<!-- and we give Spring Security the query to use to lookup -->
<!-- the user’s credentials (get the password from the users -->
<!-- tables and get the roles from the authorities table) -->
<jdbc-user-service id="userService"
data-source-ref="dataSource"
users-by-username-query=
"select username, password, enabled from users where username=?"
authorities-by-username-query=
"select username, authority from authorities where username=?" />
</authentication-provider>
</authentication-manager>
</beans:beans>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<!-- #1a - Intercept ALL requests to this application -->
<url-pattern>/*</url-pattern>
</filter-mapping>
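While searching, a lot of the problems seemed to be caused by the filter order in web.xml, especially with SiteMesh, but we are not using SiteMesh, nor do we have any other filters. We also tried changing the JSP tag to , and it still hides the element, no matter what element it is, who is logged in, or which JSP we put it in. Two of us have spent 5 hours on this, and we are now completely out of ideas.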
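Edit:
The problem ended up being the security="none" in the http patterns at the top of spring-security.xml. As far as I understand, it prevents any Spring Security filters from working properly on the specified URL patterns. We fixed it by adding the security attributes we needed on the intercept-urls.
For example:
Move it down to the other intercept-urls and change it to: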
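Which URLs are you visiting? I ask because any JSP rendered by going to "/home", "/posts", etc. (anything matching section #2 in the configuration) will not be able to use these tags. The only JSPs where the tags will work are those that respond to "/admin", "/addPost", etc.

Yes, we just figured that out and fixed it as described in my edit. Thank you very much!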
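The fix described in the edit and the comment above, sketched as an added example (not the poster's actual configuration): public pages move from `security="none"` into the main `<http>` block so the filter chain still loads the logged-in user for the JSP tags. The `IS_AUTHENTICATED_ANONYMOUSLY` access value is an assumption chosen to match the `use-expressions="false"` setting shown in the question.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- BEFORE (from the question): no security filters run for /home, so the
       SecurityContext is never populated and sec:authorize sees no user:
       <http pattern="/home" security="none"/> -->

  <!-- Static assets render no JSP tags, so they can stay outside the chain -->
  <http pattern="/img/**" security="none"/>
  <http pattern="/css/**" security="none"/>
  <http pattern="/js/**" security="none"/>

  <http auto-config="true" use-expressions="false">
    <form-login login-processing-url="/j_spring_security_check"
                login-page="/login"
                authentication-failure-url="/login?login_error=1"/>
    <logout logout-success-url="/home"/>

    <!-- AFTER: public pages stay inside the filter chain, open to everyone -->
    <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/home" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/contact" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/posts/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/post/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/pages/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/comments/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

    <!-- Admin-only endpoints, unchanged from the question -->
    <intercept-url pattern="/admin" access="ROLE_ADMIN"/>
    <intercept-url pattern="/addPost" access="ROLE_ADMIN"/>
    <intercept-url pattern="/addPage" access="ROLE_ADMIN"/>
    <intercept-url pattern="/comment/**" access="ROLE_ADMIN"/>
    <intercept-url pattern="/editPost/**" access="ROLE_ADMIN"/>

    <!-- Catch-all goes last: the first matching intercept-url wins -->
    <intercept-url pattern="/**" access="ROLE_USER"/>
  </http>

  <!-- The authentication-manager block from the question follows, unchanged -->
</beans:beans>
```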