Spring Security通过提供拒绝访问异常，在成功身份验证后重定向到登录页面_Spring_Ssl_Https_Spring Security_Access Denied

Spring Security通过提供拒绝访问异常，在成功身份验证后重定向到登录页面

spring ssl https spring-security

Spring Security通过提供拒绝访问异常，在成功身份验证后重定向到登录页面,spring,ssl,https,spring-security,access-denied,Spring,Ssl,Https,Spring Security,Access Denied,面临奇怪的问题：应用程序在HTTP上工作正常，但在添加SLL证书后再次重定向到登录页面：下面是spring-security.xml中的代码片段 <security:http auto-config="false" use-expressions="true" access-denied-page="/pages/denied.rs" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true"&g

面临奇怪的问题：应用程序在HTTP上工作正常，但在添加SLL证书后再次重定向到登录页面：下面是spring-security.xml中的代码片段

    <security:http auto-config="false" use-expressions="true" access-denied-page="/pages/denied.rs" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true">
            <security:intercept-url pattern="/pages/doLogin.rs" requires-channel="any" access="hasAnyRole('ROLE_SYSTEM_ADMINISTRATOR', 'ROLE_KEY_ACCOUNT_MANAGER', 'ROLE_A', 'ROLE_B'" />
            <security:intercept-url pattern="/**" requires-channel="any" access="hasAnyRole('ROLE_SYSTEM_ADMINISTRATOR', 'ROLE_KEY_ACCOUNT_MANAGER', 'ROLE_A', 'ROLE_B')"/>
            <security:logout invalidate-session="true" logout-success-url="/pages/login.rs"/>
            <security:custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="applicationRequestFilter" />
            <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
            <security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/> 
            <security:session-management session-authentication-strategy-ref="sas" invalid-session-url="/pages/sessiontimeout.rs"/>
</security:http>
<bean id="authenticationFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
        p:authenticationManager-ref="customAuthenticationManager"
        p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
        p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />


<bean id="customAuthenticationSuccessHandler"
        class="com.mycomapny.CustomAuthenticationSuccessHandler"
        p:defaultTargetUrl="/pages/doLogin.rs" />


<bean id="authenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
        p:loginFormUrl="/pages/login.rs" />

我们在响应中使用cookie头作为httpOnly；稳妥

我尝试添加requires channel=“https”，但也没有成功。

问题已得到解决：我在响应中手动设置了以下标题以避免安全缺陷…因此，我获得了拒绝访问异常

我删除了下面的代码并添加了ApacheLavel，它工作得很好

    String sessionid = request.getSession(true).getId();
    resp.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
                + "; Secure; HttpOnly");
    resp.setHeader("Expires", "Tue, 14 May 1985 00:00:00 GMT");
    resp.setHeader("Last-Modified", new Date().toString());
    resp.setHeader(
                "Cache-Control",
                "no-store, no-cache, no-store, must-revalidate, max-age=0, post-check=0, pre-check=0");
    resp.setHeader("Pragma", "no-cache");
    resp.addHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
    resp.addHeader("strict-transport-security", "max-age=631138519");
    resp.addHeader("x-xss-protection", "1; mode=block");

问题解决了：我在响应中手动设置了下面的标题以避免安全缺陷…因此，我得到了拒绝访问的异常

我删除了下面的代码并添加了ApacheLavel，它工作得很好

    String sessionid = request.getSession(true).getId();
    resp.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
                + "; Secure; HttpOnly");
    resp.setHeader("Expires", "Tue, 14 May 1985 00:00:00 GMT");
    resp.setHeader("Last-Modified", new Date().toString());
    resp.setHeader(
                "Cache-Control",
                "no-store, no-cache, no-store, must-revalidate, max-age=0, post-check=0, pre-check=0");
    resp.setHeader("Pragma", "no-cache");
    resp.addHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
    resp.addHeader("strict-transport-security", "max-age=631138519");
    resp.addHeader("x-xss-protection", "1; mode=block");

如果您在lib中添加了（logbackclassic/logbackclassic）jar文件，则会出现此错误。前任：回写回归经典 ${logback.version}

如果您已经映射了它或它的依赖项jar，那么将其删除以解析“org.springframework.security.access.AccessDeniedException:拒绝访问”

如果您在lib中添加了（logback classic/logback classic）jar文件，则会出现此错误。前任：回写回归经典 ${logback.version}

如果已映射它或它的依赖项，请将其删除以解决“org.springframework.security.access.AccessDeniedException:拒绝访问”

如果不希望出现此登录表单，请删除以下maven依赖项：

<dependency>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-security</artifactId>
</dependency>


org.springframework.boot
弹簧启动安全

希望这对其他人有所帮助。

如果您不希望出现此登录表单，请删除以下maven依赖项：

<dependency>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-security</artifactId>
</dependency>


org.springframework.boot
弹簧启动安全

希望这对别人有帮助