Java Spring Security user authentication not working
I am trying to implement authentication using Spring Security. I don't know what I am doing wrong. web.xml has a security filter:
<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
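When I log in, the user is logged in as an anonymous user.
Authentication is not triggered, because I never hit a breakpoint in UserSecurityService, nor in the Spring controller that handles the request.
Can anyone help me?
Any help is appreciated.
Thanks

There is more than one detail that seems incorrect. In the configuration, in the login section: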
<form-login
    login-page="/"
    default-target-url="/"
    authentication-failure-url="/Access_Denied"
    username-parameter="username"
    password-parameter="password" />
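By specifying login-page="/", it means that the POST request with the form data used to perform authentication must be directed to the "/" URL, but you are trying to handle authentication at "/loginRequest" in your controller.
Second, handling authentication is not something you have to manage yourself in a controller; Spring Security does this for you automatically, you only need to post the form to the URL specified in the configuration.
Update:
As for the login form, you should make sure of the following:
- The form's action URL matches the parameter in the configuration, in this case the login page "/"
- The name attribute of the username input field should match the username-parameter in the configuration, in your case "username"
- The name attribute of the password input field should match the password-parameter in the configuration, in your case "password"
You should also remove modelAttribute="loginUser"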
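
What does your login form look like? Do you have (Thymeleaf) or (JSP), one of these? Can you show your view?

@JacekWcislo, @saljuama I have login-page="/" because my default landing page is the login page.
I am adding this as an answer because I want to show the updated code.
After reading the suggestions and links provided, I updated my security XML as follows: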
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.0.xsd">
    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/logout**" access="permitAll" />
        <!-- Incoming Product -->
        <intercept-url pattern="/incomingProduct**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
        <!-- Maintenance pages -->
        <intercept-url pattern="/depotUser**" access="hasRole('Administrator') and hasRole('Local_Administrator')" />
        <intercept-url pattern="/product**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
        <intercept-url pattern="/productOwner**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
        <intercept-url pattern="/storageTank**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
        <intercept-url pattern="/admin**" access="hasRole('Administrator')" />
        <!-- access denied page -->
        <access-denied-handler error-page="/error/403" />
        <form-login
            login-page="/"
            default-target-url="/homePage"
            authentication-failure-url="/loginPage?invalidLogin=Yes"
            username-parameter="username"
            password-parameter="password"
        />
        <logout logout-success-url="/logout" />
        <!-- enable csrf protection -->
        <csrf />
        <custom-filter before="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
    </http>
    <beans:bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>
    <beans:bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:constructor-arg value="/j_spring_security_check"/>
    </beans:bean>
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userSecurityService" />
    </authentication-manager>
    <beans:bean id="userSecurityService" class="com.tms.securityServices.UserSecurityService" >
        <beans:property name="depotUserDao" ref="depotUserDao" />
    </beans:bean>
</beans:beans>
And my login JSP is:
<form id="loginForm" method="post" modelAttribute="loginUser" action="<c:url value='j_spring_security_check' />">
It gives me a 404 error. I assume I have to map the Spring Security URL.
I have put it in the authenticationEntryPoint.
Is there anywhere else I need to map it?

I was able to solve this by adding the appropriate filter, entry point and handler. Code:
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
    <!-- Dashboard & resources -->
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/loginRequest**" access="permitAll" />
    <intercept-url pattern="/logout**" access="permitAll" />
    <intercept-url pattern="/dashboard**" access="permitAll" />
    <intercept-url pattern="/**/resources**" access="permitAll" />
    <!-- Incoming Product -->
    <intercept-url pattern="/incomingProduct**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
    <!-- Maintenance pages -->
    <intercept-url pattern="/depotUser**" access="hasRole('Administrator') and hasRole('Local_Administrator')" />
    <intercept-url pattern="/product**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
    <intercept-url pattern="/productOwner**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
    <intercept-url pattern="/storageTank**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
    <intercept-url pattern="/admin**" access="hasRole('Administrator')" />
    <!-- access denied page -->
    <access-denied-handler error-page="/error/403" />
    <form-login
        login-page="/"
        login-processing-url="/loginRequest"
        default-target-url="/dashboard/home"
        authentication-failure-url="/loginPage?invalidLogin=Yes"
        username-parameter="username"
        password-parameter="password"
    />
    <logout logout-success-url="/logout" />
    <!-- enable csrf protection -->
    <csrf />
    <custom-filter before="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
</http>
<beans:bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
</beans:bean>
<beans:bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg value="/loginRequest"/>
</beans:bean>
<beans:bean id="authenticationSuccessHandler"
    class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/dashboard/home" />
</beans:bean>
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userSecurityService" />
</authentication-manager>

In Spring Security, if you want to use method=RequestMethod.POST, you must disable csrf. Because the data will be encoded.
For example:
<http auto-config="true">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <form-login login-page="/login"
        login-processing-url="/j_spring_security_login"
        default-target-url="/process-after-login" authentication-failure-url="/login?error"
        username-parameter="email" password-parameter="password" />
    <logout logout-url="/j_spring_security_logout"
        logout-success-url="/logout" delete-cookies="JSESSIONID" />
    <csrf disabled="true"/>
</http>
<authentication-manager>
    <authentication-provider user-service-ref="clientService">
        <password-encoder hash="bcrypt" />
    </authentication-provider>
</authentication-manager>
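
The points raised in the answers above (form action against login-processing-url, input names against username-parameter and password-parameter, and the `_csrf` field a POST needs while CSRF protection stays enabled) can be checked mechanically against the rendered login page. This is an added example, not code from the thread: the sample config and form are constructed, `check_login_form`, `FormScan` and `context_path` are hypothetical names, and it assumes an `<http>` element containing `<form-login>` with Spring Security 4 defaults.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SEC = "{http://www.springframework.org/schema/security}"
# Constructed sample: the <form-login> settings from the final fix on this page.
CONFIG = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"><http>
  <form-login login-page="/" login-processing-url="/loginRequest"
      username-parameter="username" password-parameter="password" />
  <csrf /></http></beans:beans>"""
# Constructed sample: a rendered login page that still posts to the old URL.
FORM = """<form id="loginForm" method="post" action="/j_spring_security_check">
  <input type="text" name="username"/><input type="password" name="pass"/>
</form>"""

class FormScan(HTMLParser):
    """Collects the form's action/method and the names of its inputs."""
    def __init__(self):
        super().__init__()
        self.action, self.method, self.inputs = None, "get", set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
            self.method = (a.get("method") or "get").lower()
        elif tag == "input" and a.get("name"):
            self.inputs.add(a["name"])

def check_login_form(config_xml, form_html, context_path=""):
    """Return mismatches between <form-login> and the rendered login form."""
    http = ET.fromstring(config_xml).find(f".//{SEC}http")
    fl, csrf = http.find(f"{SEC}form-login"), http.find(f"{SEC}csrf")
    # Spring Security 4 defaults apply when an attribute is omitted.
    url = fl.get("login-processing-url", "/login")
    user = fl.get("username-parameter", "username")
    pwd = fl.get("password-parameter", "password")
    scan = FormScan()
    scan.feed(form_html)
    problems = []
    if scan.method != "post":
        problems.append("form method must be POST")
    if scan.action != context_path + url:
        problems.append(f"action {scan.action!r} != login-processing-url {url!r}")
    for name in (user, pwd):
        if name not in scan.inputs:
            problems.append(f"no input named {name!r}")
    # CSRF is on by default in 4.x unless <csrf disabled="true"/>.
    if (csrf is None or csrf.get("disabled") != "true") and "_csrf" not in scan.inputs:
        problems.append("CSRF is enabled but the form has no '_csrf' input")
    return problems
```

Run against the constructed samples, it reports the stale action URL, the misnamed password field and the missing `_csrf` input; a JSP form satisfies the last check with a hidden input built from `${_csrf.parameterName}` and `${_csrf.token}`.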