Java Spring Security UsernamePasswordAuthenticationFilter URL 匹配问题


我把 Spring Security 默认的“/j_security_check” URL 改成了“/check”。登录系统后,我输入 URL“”,会进入正确的页面;但当我在这个 URL 末尾追加“check”字符串时,如“”,请求就会进入我自定义的 UsernamePasswordAuthenticationFilterCustom 过滤器。任何末尾追加了“check”的 URL 都会这样,我不知道为什么。

    <beans:beans xmlns="http://www.springframework.org/schema/security" 
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!--
  HTTP security configurations.
  Every pattern below uses security="none", which gives matching requests an
  empty filter chain: Spring Security performs no authentication and no
  authorization for them, and no SecurityContext is populated for the code
  that handles them.
  NOTE(review): /favicon.ico, /statics/** and /javascript/message/** look like
  static assets, but /forgotPasswords/**, /messages/**, /sessions/**,
  /dualLogin, /inbound, /twilio/** and /download/async/** look like
  application endpoints. Confirm that each of those authenticates or validates
  its callers itself, because nothing in this file does it for them.
-->
<http pattern="/favicon.ico" security="none"/>
<http pattern="/statics/**" security="none"/>
<http pattern="/forgotPasswords/**" security="none"/>
<http pattern="/messages/**" security="none"/>
<http pattern="/sessions/**" security="none"/>
<!--<http pattern="/preferences/reLogin" security="none"/>-->
<http pattern="/javascript/message/**" security="none"/>
<http pattern="/dualLogin" security="none"/>
<http pattern="/inbound" security="none"/>
<http pattern="/twilio/**" security="none"/>
<http pattern="/download/async/**" security="none"/>
<!--
  Custom form-login filter, installed at FORM_LOGIN_FILTER in the main <http>
  element of this file. It is configured to read the "username" and "password"
  request parameters and to process requests addressed to filterProcessesUrl
  ("/check").
  NOTE(review): in Spring Security 3.1 the stock
  AbstractAuthenticationProcessingFilter.requiresAuthentication() tests the
  request URI against filterProcessesUrl with a suffix match (endsWith), not an
  exact match. Unless this subclass overrides that method, any path that ends
  in "/check" is treated as a login attempt, which matches the behaviour
  described in the question. Overriding requiresAuthentication() to compare the
  full path, or choosing a less generic processing URL, narrows the match.
  The custom class is not shown here, so confirm against its source.
-->
<beans:bean id="usernamePasswordAuthenticationFilterCustom" class="com.everbridge.platform.security.extension.UsernamePasswordAuthenticationFilterCustom">
    <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
    <!-- Same strategy bean as <session-management> uses, so logins through this filter are counted against the session limit. -->
    <beans:property name="sessionAuthenticationStrategy" ref="sas" />
    <beans:property name="passwordParameter" value="password"/>
    <beans:property name="usernameParameter" value="username"/>
    <beans:property name="allowSessionCreation" value="true"/>
    <!-- Login processing URL; see the suffix-match note at the top of this bean. -->
    <beans:property name="filterProcessesUrl" value="/check"/>
    <beans:property name="authenticationManager" ref="authenticationManagerCustom"/>
    <beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
    <!-- Application services injected into the filter; how they are used during login is defined in the custom class, not in this file. -->
    <beans:property name="userService" ref="userService" />
    <beans:property name="roleService" ref="roleService" />
    <beans:property name="accountService" ref="accountService" />
    <beans:property name="featureService" ref="featureService" />
    <beans:property name="moduleService" ref="moduleService"/>
    <beans:property name="permissionService" ref="permissionService"/>
</beans:bean>

<!--
  Main filter chain: this <http> element has no pattern attribute, so it
  handles every request not claimed by an earlier patterned <http> element.
  auto-config is off, so the login, concurrency and interceptor filters are
  wired explicitly through custom-filter, and unauthenticated requests are
  handed to the authenticationEntryPoint bean.
  NOTE(review): the 3.1 schema referenced by this file predates the built-in
  CSRF support added in Spring Security 3.2, so login, logout and other
  state-changing requests need an application-level CSRF defence. Confirm one
  exists.
-->
<http entry-point-ref="authenticationEntryPoint" auto-config="false" use-expressions="true">
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
    <custom-filter position="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilterCustom" />
    <!-- Placed ahead of the interceptor that the namespace builds from the intercept-url rules below, so a request passes through both. -->
    <custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" />
    <custom-filter ref="afterLoginInterceptor" after="LAST" />
    <logout logout-url="/logout" />
    <!--
      intercept-url rules are matched in declaration order and the first match
      wins, so the catch-all /** rule has to stay last.
      NOTE(review): /api/**, /registers/**, /preferences/** and /information/**
      are permitAll, so these rules let anonymous requests through to whole
      subtrees. Confirm that the custom filterSecurityInterceptor or the
      handlers behind those paths enforce the intended access.
      NOTE(review): requires-channel="any" on /login and /check accepts
      credentials over plain HTTP unless TLS is enforced in front of the
      application. If it is not, requires-channel="https" on the login and
      processing URLs closes that gap.
    -->
    <intercept-url pattern="/login" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/switch" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/api/**" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/m/switcher" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/m" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/logout" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/check" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/registers/**" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/preferences/**" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/information/**" access="permitAll" requires-channel="any"/>
    <!-- Default rule: anything not listed above requires an authenticated user. -->
    <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="any"/>

    <access-denied-handler ref="accessDeniedHandlerCustom"/>
    <!-- Same strategy bean the custom login filter is given, so both paths apply the one-session limit. -->
    <session-management session-authentication-strategy-ref="sas" />
</http>

<!--
  Success handler referenced by the custom login filter; configured with
  targetUrl "/dashboard".
  NOTE(review): how targetUrl is used is defined in the custom class. If the
  handler can also redirect to a target taken from the request, confirm that
  the target is restricted to paths inside this application.
-->
<beans:bean id="authenticationSuccessHandler" class="com.everbridge.platform.setting.handler.extension.AuthenticationSuccessHandlerCustom">
    <beans:property name="targetUrl" value="/dashboard" />

</beans:bean>

<!--
  Session authentication strategy shared by the custom login filter and by
  <session-management>. maximumSessions=1 limits each principal to one session
  tracked in sessionRegistry.
  NOTE(review): exceptionIfMaximumExceeded is not set here; with the library
  default (false) a second login expires the earlier session instead of being
  rejected. Confirm that is the intended policy.
-->
<beans:bean id="sas"
            class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="maximumSessions" value="1" />
</beans:bean>

<!--
  Custom filter installed at CONCURRENT_SESSION_FILTER. It is given the shared
  sessionRegistry, "/login" as expiredUrl, and two logout handlers: the stock
  SecurityContextLogoutHandler and a project-specific CustomLogoutHandler.
  NOTE(review): presumably this mirrors the stock ConcurrentSessionFilter
  (redirect to expiredUrl once a session has been marked expired); confirm
  against the custom class, which is not shown here.
-->
<beans:bean id="concurrencyFilter" class="com.everbridge.platform.security.extension.CustomConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="expiredUrl" value="/login" />
    <beans:property name="logoutHandlers">
        <beans:list>
            <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"></beans:bean>
            <beans:bean class="com.everbridge.platform.security.extension.CustomLogoutHandler"></beans:bean>
        </beans:list>
    </beans:property>
</beans:bean>
<!--
  Session registry shared by the sas strategy and the concurrencyFilter.
  NOTE(review): SessionRegistryImpl keeps its state in the memory of one JVM,
  so in a multi-node deployment the one-session limit holds per node only. It
  also relies on session-destroyed events, which normally requires
  org.springframework.security.web.session.HttpSessionEventPublisher to be
  registered as a listener in web.xml. Confirm both points for this deployment.
-->
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />


<!--
  Failure handler referenced by the custom login filter; no properties are set
  here, so its behaviour is defined entirely in the custom class.
  NOTE(review): confirm the response it produces does not distinguish an
  unknown user from a wrong password.
-->
<beans:bean id="authenticationFailureHandler" class="com.everbridge.platform.setting.handler.extension.AuthenticationFailureHandlerCustom"/>


<!--
  Entry point named by entry-point-ref on the main <http> element; it is
  constructed with "/login".
  NOTE(review): the class name suggests AJAX requests get a different response
  from the usual redirect to the login page; confirm against the custom class,
  which is not shown here.
-->
<beans:bean id="authenticationEntryPoint"
      class="com.everbridge.platform.security.extension.AjaxAwareAuthenticationEntryPoint">
    <beans:constructor-arg value="/login"/>
</beans:bean>

<!--
  Custom security interceptor, inserted before FILTER_SECURITY_INTERCEPTOR in
  the main <http> element. It is wired to the shared authentication manager, a
  custom access decision manager and a custom security metadata source.
  NOTE(review): requests matched by a security="none" pattern never reach this
  interceptor, and for all other requests the namespace-built interceptor with
  the intercept-url rules still runs after it. The effective policy for a URL
  is the combination of the two; review them together.
-->
<beans:bean id="filterSecurityInterceptor"
    class="com.everbridge.platform.security.extension.FilterSecurityInterceptorCustom">
    <beans:property name="authenticationManager" ref="authenticationManagerCustom" />
    <beans:property name="accessDecisionManager" ref="accessDecisionManagerCustom" />
    <beans:property name="securityMetadataSource" ref="securityMetadataSourceCustom" />
</beans:bean>

<!--
  Project filter added to the main <http> element with after="LAST", so it runs
  after the Spring Security filters in that chain. It is given the account,
  role and user services; what it does with them is defined in the class, not
  in this file.
-->
<beans:bean id="afterLoginInterceptor"
    class="com.everbridge.platform.portal.filter.AfterLoginInterceptor">
    <beans:property name="accountService" ref="accountService" />
    <beans:property name="roleService" ref="roleService" />
    <beans:property name="userService" ref="userService" />
</beans:bean>

<!--
  Access decision manager used by the custom filterSecurityInterceptor.
  NOTE(review): the decision logic lives in the custom class; confirm it denies
  access when a resource has no matching configuration attributes rather than
  allowing it by default.
-->
<beans:bean id="accessDecisionManagerCustom" class="com.everbridge.platform.security.extension.AccessDecisionManagerCustom"/>

<!--
  Security metadata source for the custom filterSecurityInterceptor. Spring
  calls loadResources once, when the bean is initialised (init-method).
  NOTE(review): presumably loadResources builds the resource-to-permission
  mapping from the injected services. If permissions can change at runtime,
  confirm the mapping is refreshed; otherwise a revoked permission stays
  effective until the application restarts.
-->
<beans:bean id="securityMetadataSourceCustom" class="com.everbridge.platform.security.extension.InvocationSecurityMetadataSourceServiceCustom" init-method="loadResources">
    <beans:property name="operationService" ref="operationService"/>
    <beans:property name="permissionService" ref="permissionService"/>
    <beans:property name="resourceService" ref="resourceService"/>
    <beans:property name="roleService" ref="roleService"/>
    <beans:property name="featureService" ref="featureService"/>
</beans:bean>

<!--
  Handler named by <access-denied-handler> in the main <http> element;
  configured with errorPage "/error401".
-->
<beans:bean id="accessDeniedHandlerCustom" class="com.everbridge.platform.security.extension.AccessDeniedHandlerCustom">
    <beans:property name="errorPage" value="/error401" />
</beans:bean>

<!--
  Authentication manager exposed under the alias used by the custom login
  filter and the custom filterSecurityInterceptor.
  NOTE(review): as shown, the element declares no authentication-provider
  children. A provider manager with no providers cannot authenticate anyone,
  so either the listing is truncated or the custom login filter authenticates
  by other means. Confirm which.
-->
<authentication-manager alias="authenticationManagerCustom"/>

Tony,首先需要定义用户进行身份验证的页面,因为 /j_security_check 是 Spring Security 用来检查身份验证的 URL。

尝试定义要进行身份验证的逻辑:

<!--
  Namespace form login: login-processing-url sets the URL handled by the
  UsernamePasswordAuthenticationFilter that the namespace creates, and
  always-use-default-target="true" sends every successful login to
  default-target-url instead of the originally requested page.
  NOTE(review): form-login registers its own filter at FORM_LOGIN_FILTER, so it
  cannot be combined with a custom-filter at position="FORM_LOGIN_FILTER" as in
  the question's configuration; use one or the other. In Spring Security 3.1
  the namespace-created filter matches the processing URL by suffix as well, so
  this element alone does not make "/check" an exact match.
-->
<security:form-login login-page="/login"  always-use-default-target="true" login-processing-url="/check"  default-target-url="/dashboard" authentication-failure-url="/login.jsp?login_error=1" />