Warning: file_get_contents(/data/phpspider/zhask/data//catemap/9/java/332.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Java Spring Security不限制访问_Java_Spring Mvc_Spring Security - Fatal编程技术网
Fatal编程技术网
  • java/
  • Java Spring Security不限制访问

Java Spring Security不限制访问

java spring-mvc spring-security

Java Spring Security不限制访问,java,spring-mvc,spring-security,Java,Spring Mvc,Spring Security,我是Spring Security的新手,遇到了一个问题。当我试图访问一个预期会受到限制的页面时,它仍然显示请求的页面,没有403,也没有重定向到登录页面,日志中没有错误,什么都没有,就好像根本没有实现Spring安全一样 部署应用程序时,我在日志中看到以下内容,告诉我Spring Security至少正在启动: INFO: Checking whether login URL '/security/credentials' is accessible with your configurati

我是Spring Security的新手,遇到了一个问题。当我试图访问一个预期会受到限制的页面时,它仍然显示请求的页面,没有403,也没有重定向到登录页面,日志中没有错误,什么都没有,就好像根本没有实现Spring安全一样

部署应用程序时,我在日志中看到以下内容,告诉我Spring Security至少正在启动:

INFO: Checking whether login URL '/security/credentials' is accessible with your configuration
我已经尝试将登录页面更改为受限页面,只是为了测试它实际上是受限的,我得到了以下信息,这告诉我它被正确地限制了,至少在模拟中是这样

INFO: Checking whether login URL '/dashboard' is accessible with your configuration

org.springframework.security.config.http.DefaultFilterChainValidator checkLoginPageIsntProtected
WARNING: Anonymous access to the login page doesn't appear to be enabled. This is almost certainly an error. Please check your configuration allows unauthenticated access to the configured login page. (Simulated access was rejected: org.springframework.security.access.AccessDeniedException: Access is denied)
我有以下设置:

web.xml 


index.html
javax.servlet.jsp.jstl.fmt.localizationContext
信息
上下文配置位置
WEB-INF/applicationContext.xml
org.springframework.web.context.ContextLoaderListener
URL重写过滤器
org.tuckey.web.filters.urlrewrite.UrlRewriteFilter
对数电平
痕迹
URL重写过滤器
/*
要求
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
/*
春天
org.springframework.web.servlet.DispatcherServlet
上下文配置位置
/WEB-INF/applicationContext.xml
1.
春天
/应用程序/*
Spring安全配置文件是从my applicationContext.xml导入的

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
   xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.1.xsd">

   <http auto-config="true" use-expressions="true">
      <form-login 
         login-page="/security/credentials"
         login-processing-url="/security/signin" 
         default-target-url="/dashboard"
         authentication-failure-url="/security/signin_failed" />
      <intercept-url pattern="/resources/**" access="permitAll"/>
      <intercept-url pattern="/security/**" access="permitAll" />
      <intercept-url pattern="/favicon.ico" access="permitAll"/>
      <intercept-url pattern="/**" access="denyAll"/>
      <logout logout-success-url="/security/signout" />
      <remember-me />
   </http>

   <authentication-manager alias="authenticationManager">
      <authentication-provider>
         <user-service>
            <user name="test" password="password" authorities="ROLE_USER" />
         </user-service>
      </authentication-provider>
   </authentication-manager>
</beans:beans>
Spring的行为正确,因为您实际上告诉Spring
/security/**
请求不需要身份验证(
access=“permitAll”
):

请注意,与登录相关的URL不能受到限制(原因很明显):

login-page="/security/credentials"
     login-processing-url="/security/signin" 
     default-target-url="/dashboard"
     authentication-failure-url="/security/signin_failed" />
因此,要么将它们改为以类似
/login/
的内容开头,而不是以
/security/
开头,要么为它们添加特定的拦截URL(如果必须使用它们):

。。。
...
更具体的URL应该首先声明,因为Spring使用它从顶部找到的第一条规则。

我建议先删除
标记,或者删除所有cookie后再尝试。 它出现是因为您可以访问现有cookie/仪表板

编辑:
您在spring security之前配置了UrlRewriteFilter,请检查提供给spring security filter的最终url,或者您可以在禁用UrlRewriteFilter后重试?

您可以提供您尝试访问的受限页面的完整url吗?我尝试访问的页面的完整url为mydomain/Dashboard是正确的/应允许使用安全性/**选项。我遇到的问题是对/仪表板的请求被允许,而这些请求应该被拒绝。我如上所述配置了我的应用程序,它在登录和注销时都可以正常工作,当我使用“后退”按钮时,它会失败,如在我登录后,如果单击浏览器的“后退”按钮,它会将我带到登录屏幕,注销后的行为也一样。有什么解决办法吗?我从未登录过,但我已经清除了cookies,它仍然有同样的问题。此外,我还有denyAll访问集,即使我已登录,该访问集也应阻止访问。您在sprng安全之前配置了URLRewiteFilter,您能否检查提供给spring安全筛选器的最终url是什么,或者您可以在禁用URLEwriteFilter后尝试?我刚刚切换了筛选器的顺序,现在它工作正常。我不知道如何将这一评论标记为答案。 
...
<intercept-url pattern="/security/**" access="permitAll" />
...

...
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...

...
<intercept-url pattern="/security/**" access="hasRole('ROLE_XXX')" />
...

login-page="/security/credentials"
     login-processing-url="/security/signin" 
     default-target-url="/dashboard"
     authentication-failure-url="/security/signin_failed" />

...
<intercept-url pattern="/security/credentials" access="permitAll" />
<intercept-url pattern="/security/signin" access="permitAll" />
<intercept-url pattern="/security/signin_failed" access="permitAll" />
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...