Migrating Spring form-based login from 3.x to 4.0: bean action is not executed
I have switched from Spring Security 3.x to 4.0, and now I am facing some problems with my custom login form.

My security configuration:

    @Configuration
    @EnableWebSecurity
    @ComponentScan(basePackageClasses = {CustomUserDetailsService.class, CustomPermissionEvaluator.class})
    public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Resource(name = "authService")
        private UserDetailsService userDetailsService;

        private BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Configuration
        @EnableGlobalMethodSecurity(prePostEnabled = true)
        static class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {

            @Autowired
            private CustomPermissionEvaluator permissionEvaluator;

            @Override
            protected MethodSecurityExpressionHandler createExpressionHandler() {
                DefaultMethodSecurityExpressionHandler handler
                        = new DefaultMethodSecurityExpressionHandler();
                handler.setPermissionEvaluator(permissionEvaluator);
                return handler;
            }

            public CustomPermissionEvaluator getPermissionEvaluator() {
                return permissionEvaluator;
            }

            public void setPermissionEvaluator(CustomPermissionEvaluator permissionEvaluator) {
                this.permissionEvaluator = permissionEvaluator;
            }
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/pages/unsecure/**", "/layouts/**", "/resources/**", "/javax.faces.resource/**", "/uploads/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/pages/unsecure/login.xhtml")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll()
                    .deleteCookies()
                    .logoutSuccessUrl("/pages/unsecure/login.xhtml")
                    .invalidateHttpSession(true)
                    .and()
                .csrf()
                    .disable();
        }

        @Autowired
        public void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
            BCryptPasswordEncoder encoder = passwordEncoder();
            auth
                .userDetailsService(userDetailsService)
                .passwordEncoder(encoder);
        }
    }

My CustomUserDetailsService:

    @Override
    public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
        System.out.println("----------------"+login+"-------------------");
        com.redast.model.User domainUser = getUserDAO().findByLogin(login);
        if (domainUser == null) {
            throw new UsernameNotFoundException("could not find user"+login);
        }
        return new UserDAOUserDetails(domainUser);
    }

My login action:

    public String login() {
        try {
            System.out.println("Login Action: "+this.getUserName());
            Authentication request = new UsernamePasswordAuthenticationToken(this.getUserName(), this.getPassword());
            Authentication result = getAuthenticationManager().authenticate(request);
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            return "/pages/unsecure/login";
        }
        return "/pages/unsecure/welcomePage?faces-redirect=true";
    }

And finally, my login form:

    <h:form id="loginFormId" prependId="false">
        <h:panelGrid columns="3" cellpadding="3" id="loginGrid">
            <h:outputLabel id="outTxtUserNameId" value="Username: " for="username"/>
            <p:inputText id="username" required="true" value="#{loginMgmtBean.userName}" requiredMessage="Please enter username" label="Name"></p:inputText>
            <p:message for="username" />
            <h:outputLabel id="outTxtPasswordId" value="Password: " for="password"/>
            <p:password id="password" required="true" value="#{loginMgmtBean.password}" requiredMessage="Please enter password"></p:password>
            <p:message for="password" />
            <p:commandButton id="btnLoginId" value="Login" action="#{loginMgmtBean.login}" styleClass="loginPanelBtn" validateClient="true" update="loginGrid" />
        </h:panelGrid>
    </h:form>

Thanks.

bwright: You need to remove the permitAll method calls after the formLogin and logout method calls:

    http
        .authorizeRequests()
            .antMatchers("/pages/unsecure/**", "/layouts/**", "/resources/**", "/javax.faces.resource/**", "/uploads/**").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/pages/unsecure/login.xhtml")
            .and()
        .logout()
            .deleteCookies()
            .logoutSuccessUrl("/pages/unsecure/login.xhtml")
            .invalidateHttpSession(true)
            .and()
        .csrf()
            .disable();

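I guess you haven't declared a bean for your login in the Java config, the way you did in the XML config.

How would I define this bean?

Write a new method in the config class annotated with @Configuration. The method must be annotated with @Bean and must return an instance of the bean, so the method signature looks like: @Bean public LoginBean getLoginBean() {} You also have to declare an authentication manager.

Isn't the authentication manager the one defined/created in registerAuthentication in the WebSecurity configuration?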
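
The bean declarations discussed in the comments on this page, as an added example (not code from the question or from any commenter): it publishes the AuthenticationManager configured in registerAuthentication through authenticationManagerBean() and registers a request-scoped login bean that receives it. The LoginBean class, the class name LoginBeanConfigExample and the single UserDetailsService bean are assumptions, as are a SpringBeanFacesELResolver entry in faces-config.xml and a RequestContextListener so that JSF can resolve the request-scoped bean.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.*;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class LoginBeanConfigExample extends WebSecurityConfigurerAdapter {
    @Autowired // assumes exactly one UserDetailsService bean (the question's "authService")
    public void registerAuthentication(AuthenticationManagerBuilder auth, UserDetailsService uds) throws Exception {
        auth.userDetailsService(uds).passwordEncoder(new BCryptPasswordEncoder());
    }

    // Publish the AuthenticationManager configured above as an injectable Spring bean.
    @Bean @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    // Java-config counterpart of an XML <bean> entry for the login backing bean.
    @Bean @Scope("request")
    public LoginBean loginMgmtBean(AuthenticationManager authenticationManager) {
        return new LoginBean(authenticationManager);
    }

    public static class LoginBean { // hypothetical backing bean behind #{loginMgmtBean}
        private final AuthenticationManager authenticationManager;
        private String userName, password;
        LoginBean(AuthenticationManager am) { this.authenticationManager = am; }
        public String getUserName() { return userName; }
        public void setUserName(String v) { userName = v; }
        public String getPassword() { return password; }
        public void setPassword(String v) { password = v; }
        public String login() {
            try {
                SecurityContextHolder.getContext().setAuthentication(authenticationManager
                        .authenticate(new UsernamePasswordAuthenticationToken(userName, password)));
                return "/pages/unsecure/welcomePage?faces-redirect=true";
            } catch (AuthenticationException e) {
                return "/pages/unsecure/login";
            }
        }
    }
}
```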