Spring mvc failureUrl和failureForwardUrl不工作
失败的登录尝试显示登录页面(.loginPage(“/signin”)),而不是.failureUrl(“/signin error”)Spring mvc failureUrl和failureForwardUrl不工作,spring-mvc,spring-security,Spring Mvc,Spring Security,失败的登录尝试显示登录页面(.loginPage(“/signin”)),而不是.failureUrl(“/signin error”) 当应用程序启动时,显示一个空页面(带有单词$END$),而不是登录页面(“/signin”) 春季安全4 @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
@Qualifier("jpaAccountService")
private AccountService accountService;
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService())
.passwordEncoder(passwordEncoder());
}
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().requireCsrfProtectionMatcher(new DefaultRequiresCsrfMatcher())
.and()
.formLogin()
.usernameParameter("username")
.passwordParameter("password")
.loginPage("/signin")
.loginProcessingUrl("/authenticate")
.failureUrl("/signin-error")
.defaultSuccessUrl("/secure")
.permitAll()
.and()
.apply(new SpringSocialConfigurer())
.and()
.logout()
.logoutUrl("/signout")
.deleteCookies("JSESSIONID")
.logoutSuccessUrl("/signin")
.and()
.rememberMe()
.and()
.authorizeRequests()
.antMatchers("/resources/**","/register").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement()
.invalidSessionUrl("/")
.maximumSessions(1);
}
private static final class DefaultRequiresCsrfMatcher implements RequestMatcher {
private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
private RegexRequestMatcher unprotectedMatcher = new RegexRequestMatcher("/connect/yahoo", null);
/* (non-Javadoc)
* @see org.springframework.security.web.util.matcher.RequestMatcher#matches(javax.servlet.http.HttpServletRequest)
*/
@Override
public boolean matches(HttpServletRequest request) {
if(allowedMethods.matcher(request.getMethod()).matches()){
return false;
}
return !unprotectedMatcher.matches(request);
}
}
@Bean(name = "authenticationManager")
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean(name="userDetailsService")
@Override
public UserDetailsService userDetailsService() {
return new RepositoryUserDetailsService(accountService);
}
@Bean
public SocialUserDetailsService socialUsersDetailService() {
return new SimpleSocialUsersDetailService(userDetailsService());
}
@Bean
public UserIdSource userIdSource() {
return new AuthenticationNameUserIdSource();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(10);
}
@Bean
public TextEncryptor textEncryptor() {
return Encryptors.noOpText();
}
}
@RequestMapping(value = "/signin")
public String signin(Model uiModel){
uiModel.addAttribute("signupForm", new RegistrationForm());
return "signin";
}
@RequestMapping("/signin-error")
public String loginError(Model model) {
model.addAttribute("loginError", true);
uiModel.addAttribute("signupForm", new RegistrationForm());
return "signin";
}
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
<div sec:authorize="hasRole('ROLE_USER')">
<h1>Logged In</h1>
</div>
<div sec:authorize="isAnonymous()">
<p th:if="${loginError}" class="error">Wrong user or password</p>
<div id="login">
<form name="loginForm" th:action="@{/authenticate}" method="post">
<table>
<caption align="left">Login:</caption>
<tr>
<td>Email Address:</td>
<td><input type="text" name="username" value=""/></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password" value="" /></td>
</tr>
<tr>
<td colspan="2" align="center"><input name="submit" type="submit" value="Login"/></td>
</tr>
</table>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</div>
</div>
</html>
登录
错误的用户或密码
登录:
电邮地址:
密码:
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
.usernameParameter("username") // default is username
.passwordParameter("password") // default is password
.loginPage("/authentication/login") // default is /login with an HTTP get
.failureUrl("/authentication/login?failed") // default is /login?error
.loginProcessingUrl("/authentication/login/process"); // default is /login
// with an HTTP
// post
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
尝试将授权请求放在formLogin之前 为了实现这一点: 当应用程序启动时,显示一个空页面,而不是登录页面 (“/签名”) 首先,覆盖此方法:
public void configure(WebSecurity web)
throws Exception
忽略()webSecurityBuilder.ignoring()
// ignore all URLs that start with /resources/ or /static/
.antMatchers("/resources/**", "/static/**");
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/");
}
@RequestMapping(value = "/")
public String signin(Model uiModel){
uiModel.addAttribute("signupForm", new RegistrationForm());
return "signin";
}
来自Spring文档:
@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
.usernameParameter("username") // default is username
.passwordParameter("password") // default is password
.loginPage("/authentication/login") // default is /login with an HTTP get
.failureUrl("/authentication/login?failed") // default is /login?error
.loginProcessingUrl("/authentication/login/process"); // default is /login
// with an HTTP
// post
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
尝试将授权请求放在formLogin之前 为了实现这一点: 当应用程序启动时,显示一个空页面,而不是登录页面 (“/签名”) 首先,覆盖此方法:
public void configure(WebSecurity web)
throws Exception
忽略()webSecurityBuilder.ignoring()
// ignore all URLs that start with /resources/ or /static/
.antMatchers("/resources/**", "/static/**");
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/");
}
@RequestMapping(value = "/")
public String signin(Model uiModel){
uiModel.addAttribute("signupForm", new RegistrationForm());
return "signin";
}
尝试使用failureForwardUrl而不是FailureUrl我也尝试过。尝试将authorizeRequests放在wroks的FormLogin之前。第2条?我不确定我是否理解,如果你在formLogin之前放置authorizeRequests,它是否有效?尝试使用failureForwardUrl而不是FailureUrl我也尝试过。尝试将authorizeRequests放置在formLogin之前。2号?我不确定我是否理解,如果你在formLogin之前放置授权请求,它会工作吗?