Spring Security redirects to the login page after successful authentication by throwing an Access Denied exception
Tags: spring, ssl, https, spring-security, access-denied

Facing a strange problem: the application works fine over HTTP, but after adding the SSL certificate it redirects to the login page again. Below is the code snippet from spring-security.xml:
<security:http auto-config="false" use-expressions="true" access-denied-page="/pages/denied.rs" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true">
<security:intercept-url pattern="/pages/doLogin.rs" requires-channel="any" access="hasAnyRole('ROLE_SYSTEM_ADMINISTRATOR', 'ROLE_KEY_ACCOUNT_MANAGER', 'ROLE_A', 'ROLE_B')" />
<security:intercept-url pattern="/**" requires-channel="any" access="hasAnyRole('ROLE_SYSTEM_ADMINISTRATOR', 'ROLE_KEY_ACCOUNT_MANAGER', 'ROLE_A', 'ROLE_B')"/>
<security:logout invalidate-session="true" logout-success-url="/pages/login.rs"/>
<security:custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="applicationRequestFilter" />
<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
<security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
<security:session-management session-authentication-strategy-ref="sas" invalid-session-url="/pages/sessiontimeout.rs"/>
</security:http>
<bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthenticationManager"
p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />
<bean id="customAuthenticationSuccessHandler"
class="com.mycomapny.CustomAuthenticationSuccessHandler"
p:defaultTargetUrl="/pages/doLogin.rs" />
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/pages/login.rs" />
We are using the cookie header in the response as HttpOnly; Secure.
I tried adding requires-channel="https", but that did not work either.

Problem resolved: I was manually setting the headers below in the response to avoid security flaws... and because of that I was getting the Access Denied exception. I removed the code below and added it at the Apache level, and it works fine.
import java.util.Date;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// The headers that were being set by hand on every response (the code that was removed).
void setSecurityHeaders(HttpServletRequest request, HttpServletResponse resp) {
    String sessionid = request.getSession(true).getId();
    // setHeader replaces any Set-Cookie header the container has already written;
    // a cookie flagged Secure is only sent back by the browser over HTTPS.
    resp.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
            + "; Secure; HttpOnly");
    // Disable caching for every response.
    resp.setHeader("Expires", "Tue, 14 May 1985 00:00:00 GMT");
    resp.setHeader("Last-Modified", new Date().toString());
    resp.setHeader(
            "Cache-Control",
            "no-store, no-cache, no-store, must-revalidate, max-age=0, post-check=0, pre-check=0");
    resp.setHeader("Pragma", "no-cache");
    // Browser hardening headers.
    resp.addHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
    resp.addHeader("strict-transport-security", "max-age=631138519");
    resp.addHeader("x-xss-protection", "1; mode=block");
}
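As an added example (not from the question or any of the answers), this is what "adding it at the Apache level" can look like: an httpd virtual host that terminates TLS in front of Tomcat and sets the same headers with mod_headers, appending the cookie flags to the container's own Set-Cookie instead of overwriting it from application code. Hostnames, ports and certificate paths are assumed placeholders.

```apache
# Added example, not code from the original question or answers: the headers the
# removed Java snippet set by hand, expressed as Apache httpd reverse-proxy config.
# Assumes mod_ssl, mod_proxy_http and mod_headers are loaded; hostnames, ports and
# certificate paths are placeholders.
<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # Forward to Tomcat over plain HTTP on localhost.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Tell the application that the client connection was HTTPS, so that
    # request.isSecure() (and therefore requires-channel="https") reflects the
    # real scheme. Tomcat honours this header when RemoteIpValve is enabled.
    RequestHeader set X-Forwarded-Proto "https"

    # Append the flags to the Set-Cookie header the container emitted instead of
    # replacing it, so the session id issued by the container is left untouched.
    # "always" applies the edit to redirect and error responses as well. If Tomcat
    # already adds HttpOnly, the attribute appears twice; browsers tolerate that.
    Header always edit Set-Cookie "^(.*)$" "$1; Secure; HttpOnly"

    # Transport and browser hardening headers from the removed snippet.
    Header always set Strict-Transport-Security "max-age=631138519"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"

    # Cache-control headers from the snippet, with the duplicated no-store and the
    # legacy post-check/pre-check tokens dropped.
    Header always set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
    Header always set Pragma "no-cache"
    Header always set Expires "Tue, 14 May 1985 00:00:00 GMT"
</VirtualHost>
```

On a Servlet 3.0 container the Secure and HttpOnly flags can instead be set by the container itself through `<session-config><cookie-config>` in web.xml, in which case the Set-Cookie edit above is unnecessary.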
This error comes if you have added the (logback-classic/logback-classic) jar file in lib. Ex:
<dependency>
<groupId>logback</groupId>
<artifactId>logback-classic</artifactId>
<version>${logback.version}</version>
</dependency>
If you have mapped it or its dependency jar, then remove it to resolve "org.springframework.security.access.AccessDeniedException: Access is denied".

If you do not want this login form, remove the following Maven dependency:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Hope this helps others.