Java Spring Security user authentication not working

Tags: java, spring, spring-mvc, authentication, spring-security

I am trying to implement authentication with Spring Security.

I don't know what I am doing wrong.

web.xml has a security filter:

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
When I log in, the user is logged in as the anonymous user.

Authentication is not being triggered, because I never hit a breakpoint in UserSecurityService, nor in the Spring controller that handles the request.

Can anyone help me?

Thanks for your help.

Thanks,

More than one detail seems to be incorrect.

In the configuration, in the login section:

<form-login 
        login-page="/" 
        default-target-url="/"
        authentication-failure-url="/Access_Denied" 
        username-parameter="username"
        password-parameter="password" />

By specifying login-page="/", the POST request carrying the form data that performs the authentication must be sent to the "/" URL, but you are trying to handle the authentication in your controller at "/loginRequest".

Second, handling the authentication is not something you have to manage yourself in a controller; Spring Security does it for you automatically, you just need to post the form to the URL specified in the configuration.

Update

As for the login form, you should make sure of the following:

  • the form's action URL matches the login-page parameter in the configuration, in this case "/"
  • the name attribute of the username input field matches the username-parameter in the configuration, in your case "username"
  • the name attribute of the password input field matches the password-parameter in the configuration, in your case "password"

You should also remove modelAttribute="loginUser"

What does your login form look like? Do you have

(Thymeleaf)

(JSP)

one of these? Can you show your view?


@JacekWcislo, @saljuama I have login-page="/" because my default page is the login page. I am adding this as an answer because I want to show the updated code.

After reading the advice and links provided, I updated my security XML as follows:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/logout**" access="permitAll" />

        <!-- Incoming Product -->
        <intercept-url pattern="/incomingProduct**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />

        <!-- Maintanence pages -->
        <intercept-url pattern="/depotUser**" access="hasRole('Administrator') and hasRole('Local_Administrator')" />
        <intercept-url pattern="/product**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
        <intercept-url pattern="/productOwner**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
        <intercept-url pattern="/storageTank**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />

        <intercept-url pattern="/admin**" access="hasRole('Administrator')" />

        <!-- access denied page -->
        <access-denied-handler error-page="/error/403" />
        <form-login 
            login-page="/"
            default-target-url="/homePage"
            authentication-failure-url="/loginPage?invalidLogin=Yes" 
            username-parameter="username"
            password-parameter="password"  

            />
        <logout logout-success-url="/logout" />
        <!-- enable csrf protection -->
        <csrf />

        <custom-filter before="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
    </http>

    <beans:bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean> 

    <beans:bean id="authenticationEntryPoint" class= "org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:constructor-arg value="/j_spring_security_check"/>
    </beans:bean> 

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userSecurityService" />
    </authentication-manager>

    <beans:bean id="userSecurityService" class="com.tms.securityServices.UserSecurityService" >
        <beans:property name="depotUserDao" ref="depotUserDao" />
    </beans:bean> 

</beans:beans>

And my login JSP is

<form id="loginForm" method="post" modelAttribute="loginUser" action="<c:url value='j_spring_security_check' />">

It gives me a 404 error. I assume I have to map the Spring Security URL.

I have put it in the authenticationEntryPoint.

Is there anywhere else I need to map it?


I solved this by adding the appropriate filter, entry point and handler.

Code:

<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">

    <!-- Dashboard & resources -->
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/loginRequest**" access="permitAll" />
    <intercept-url pattern="/logout**" access="permitAll" />
    <intercept-url pattern="/dashboard**" access="permitAll" />
    <intercept-url pattern="/**/resources**" access="permitAll" />

    <!-- Incoming Product -->
    <intercept-url pattern="/incomingProduct**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />

    <!-- Maintanence pages -->
    <intercept-url pattern="/depotUser**" access="hasRole('Administrator') and hasRole('Local_Administrator')" />
    <intercept-url pattern="/product**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
    <intercept-url pattern="/productOwner**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
    <intercept-url pattern="/storageTank**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />

    <intercept-url pattern="/admin**" access="hasRole('Administrator')" />

    <!-- access denied page -->
    <access-denied-handler error-page="/error/403" />
    <form-login 
        login-page="/"
        login-processing-url="/loginRequest"
        default-target-url="/dashboard/home"
        authentication-failure-url="/loginPage?invalidLogin=Yes" 
        username-parameter="username"
        password-parameter="password"  
        />
    <logout logout-success-url="/logout" />
    <!-- enable csrf protection -->
    <csrf />

    <custom-filter before="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
</http>

<beans:bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
</beans:bean> 

<beans:bean id="authenticationEntryPoint" class= "org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg value="/loginRequest"/>
</beans:bean> 

<beans:bean id="authenticationSuccessHandler"
    class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/dashboard/home" />
</beans:bean>

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userSecurityService" />
</authentication-manager>
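A login form that matches the configuration above, added here as an example; it is not the JSP from the question or from any answer. It assumes the login-processing-url="/loginRequest", username-parameter="username" and password-parameter="password" values from that configuration and keeps the <csrf /> element enabled by submitting the token Spring Security exposes as the _csrf request attribute. Two things worth checking against the earlier 404: with the spring-security-4.0.xsd schema the default processing URL is POST /login, not /j_spring_security_check (that was the 3.x default), so a form posting to /j_spring_security_check is never seen by the filter unless login-processing-url says so; and once <csrf /> is on, a POST without the token is answered with 403 before the authentication filter runs. Separately, the hasRole(...) and hasRole(...) chains in the intercept-url rules require a user to hold every listed role at once; hasAnyRole('Administrator','Local_Administrator','Supervisor','Manager') is the expression for any-of.

```jsp
<%@ page contentType="text/html;charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- Added example, not the original page's JSP. Assumes the accepted <form-login>
     settings: login-processing-url="/loginRequest", username-parameter="username",
     password-parameter="password", and <csrf /> enabled. --%>
<html>
<body>
  <%-- authentication-failure-url="/loginPage?invalidLogin=Yes" lands here if this
       view is also served at /loginPage. --%>
  <c:if test="${param.invalidLogin == 'Yes'}">
    <p>Invalid username or password.</p>
  </c:if>

  <%-- The action is the login-processing-url, with a leading slash so <c:url>
       prepends the servlet context path. It must be POST: the
       UsernamePasswordAuthenticationFilter ignores GET by default, so a GET
       falls through to whatever controller is mapped at /loginRequest. --%>
  <form id="loginForm" method="post" action="<c:url value='/loginRequest' />">
    <label>Username
      <input type="text" name="username" autocomplete="username" />
    </label>
    <label>Password
      <input type="password" name="password" autocomplete="current-password" />
    </label>

    <%-- CsrfFilter rejects the POST with 403 unless the token is present.
         Spring Security puts the token in the "_csrf" request attribute;
         the parameter name it expects is also taken from there. --%>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />

    <button type="submit">Log in</button>
  </form>

  <%-- With <csrf /> enabled, logout is POST-only and needs the token too. --%>
  <form method="post" action="<c:url value='/logout' />">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <button type="submit">Log out</button>
  </form>
</body>
</html>
```

The three checklist items from the first answer are visible in the form: the action points at the URL the filter listens on, and the two input names match username-parameter and password-parameter. A quick way to confirm the filter is the one handling the request is to watch the response to the POST: a 302 to default-target-url or authentication-failure-url means UsernamePasswordAuthenticationFilter consumed it; a 404 or a hit in your own controller means the URL and method did not match what the filter expects.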


In Spring Security, if you want to use method=RequestMethod.POST, you must disable csrf, because the data will be encoded. For example:


<http auto-config="true">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    
    <form-login login-page="/login"
        login-processing-url="/j_spring_security_login"
        default-target-url="/process-after-login" authentication-failure-url="/login?error"
        username-parameter="email" password-parameter="password" />

    <logout logout-url="/j_spring_security_logout"
        logout-success-url="/logout" delete-cookies="JSESSIONID" />
    <csrf disabled="true"/>
</http>

<authentication-manager>
    <authentication-provider user-service-ref="clientService">
        <password-encoder hash="bcrypt" />
    </authentication-provider>
</authentication-manager>
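For the user-service-ref side of these configurations, here is an added example of what the bean referenced by user-service-ref has to return for the rules on this page to work. It is my code, not the project's com.tms.securityServices.UserSecurityService; the package name, the StoredUser shape and the constructed in-memory map standing in for the depotUserDao property are assumptions. Two details matter. With the spring-security-4.0.xsd schema, hasRole('Administrator') is evaluated as the authority ROLE_Administrator, so the GrantedAuthority strings must carry that prefix or every protected URL ends at the 403 page even after a successful login. And once <password-encoder hash="bcrypt" /> is declared, as in the answer just above, the password string returned from loadUserByUsername must be a BCrypt hash; a plain-text value makes DaoAuthenticationProvider reject every login.

```java
package com.example.security; // assumed package, not the page's com.tms.securityServices

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * Added example of the bean wired via user-service-ref="userSecurityService".
 * DaoAuthenticationProvider calls loadUserByUsername() once per login attempt;
 * this is where a breakpoint lands once the form actually reaches the filter.
 */
public class UserSecurityService implements UserDetailsService {

    /** Assumed record shape; the project's real DepotUser entity is not on the page. */
    private static final class StoredUser {
        final String passwordHash;   // BCrypt hash, never the plain password
        final List<String> roles;    // role names as stored, without the ROLE_ prefix
        final boolean enabled;

        StoredUser(String passwordHash, List<String> roles, boolean enabled) {
            this.passwordHash = passwordHash;
            this.roles = roles;
            this.enabled = enabled;
        }
    }

    /** Stand-in for the page's depotUserDao: constructed sample data, not real users. */
    private final Map<String, StoredUser> users = new HashMap<>();

    public UserSecurityService() {
        BCryptPasswordEncoder enc = new BCryptPasswordEncoder();
        users.put("alice",   new StoredUser(enc.encode("alice-pw"), Arrays.asList("Administrator"), true));
        users.put("bob",     new StoredUser(enc.encode("bob-pw"),   Arrays.asList("Supervisor", "Manager"), true));
        // Disabled account: the provider rejects it with DisabledException before
        // comparing the password.
        users.put("mallory", new StoredUser(enc.encode("x"),        Arrays.asList("Administrator"), false));
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        StoredUser u = users.get(username);
        if (u == null) {
            // DaoAuthenticationProvider hides this as BadCredentialsException by default,
            // so the failure URL does not reveal whether the username exists.
            throw new UsernameNotFoundException("No user " + username);
        }
        return new User(username, u.passwordHash, u.enabled,
                true,   // accountNonExpired
                true,   // credentialsNonExpired
                true,   // accountNonLocked
                toAuthorities(u.roles));
    }

    /**
     * hasRole('Administrator') in spring-security-4.0 expressions matches the
     * authority "ROLE_Administrator", so prefix every stored role name.
     */
    static List<GrantedAuthority> toAuthorities(List<String> roles) {
        List<GrantedAuthority> out = new ArrayList<>();
        for (String r : roles) {
            out.add(new SimpleGrantedAuthority(r.startsWith("ROLE_") ? r : "ROLE_" + r));
        }
        return out;
    }
}
```

With this class the bean definition from the page reduces to <beans:bean id="userSecurityService" class="..." /> without the depotUserDao property, and the <authentication-provider user-service-ref="userSecurityService"> element needs <password-encoder hash="bcrypt" /> inside it so that the hashes produced in the constructor are compared with BCrypt rather than by string equality.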