Migrating Spring form-based login from 3.x to 4.0: bean action not executed


I have switched from Spring Security 3.x to 4.0, and now I am facing some problems with my custom login form.

My security configuration:

@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = {CustomUserDetailsService.class, CustomPermissionEvaluator.class})
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

@Resource(name = "authService")
private UserDetailsService userDetailsService;

private BCryptPasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
static class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {

    @Autowired
    private CustomPermissionEvaluator permissionEvaluator;

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler
                = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(permissionEvaluator);
        return handler;
    }

    public CustomPermissionEvaluator getPermissionEvaluator() {
        return permissionEvaluator;
    }

    public void setPermissionEvaluator(CustomPermissionEvaluator permissionEvaluator) {
        this.permissionEvaluator = permissionEvaluator;
    }

}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
                .antMatchers("/pages/unsecure/**", "/layouts/**", "/resources/**", "/javax.faces.resource/**", "/uploads/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/pages/unsecure/login.xhtml")
                .permitAll()
                .and()
            .logout()
                .permitAll()
                .deleteCookies()
                .logoutSuccessUrl("/pages/unsecure/login.xhtml")
                .invalidateHttpSession(true)
                .and()
            .csrf()
                .disable();

}

@Autowired
public void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
    BCryptPasswordEncoder encoder = passwordEncoder();
    auth
            .userDetailsService(userDetailsService)
            .passwordEncoder(encoder);
}

}

My CustomUserDetailsService:

@Override
public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
    System.out.println("----------------"+login+"-------------------");
    com.redast.model.User domainUser = getUserDAO().findByLogin(login);
    if(domainUser == null){
        throw new UsernameNotFoundException("could not find user"+login);
    }

    return new UserDAOUserDetails(domainUser);

}

My login action:

public String login() {
    try {
        System.out.println("Login Action: "+this.getUserName());

        Authentication request = new UsernamePasswordAuthenticationToken(this.getUserName(), this.getPassword());

        Authentication result = getAuthenticationManager().authenticate(request);

        SecurityContextHolder.getContext().setAuthentication(result);
    } catch (AuthenticationException e) {
        return "/pages/unsecure/login";
    }
    return "/pages/unsecure/welcomePage?faces-redirect=true";
}

And finally my login form:

 <h:form  id="loginFormId" prependId="false">
            <h:panelGrid columns="3" cellpadding="3" id="loginGrid">

                <h:outputLabel id="outTxtUserNameId" value="Username: " for="username"/>
                <p:inputText id="username" required="true" value="#{loginMgmtBean.userName}" requiredMessage="Please enter username" label="Name"></p:inputText>
                <p:message for="username" />

                <h:outputLabel id="outTxtPasswordId" value="Password: " for="password"/>
                <p:password id="password"  required="true" value="#{loginMgmtBean.password}" requiredMessage="Please enter password"></p:password>
                <p:message for="password" />

                <p:commandButton id="btnLoginId" value="Login" action="#{loginMgmtBean.login}" styleClass="loginPanelBtn"  validateClient="true" update="loginGrid" />
            </h:panelGrid>
        </h:form>

Thanks. bwright

You need to remove the permitAll method calls after the formLogin and logout method calls:

http
    .authorizeRequests()
        .antMatchers("/pages/unsecure/**", "/layouts/**", "/resources/**", "/javax.faces.resource/**", "/uploads/**").permitAll()
        .anyRequest().authenticated()
        .and()
    .formLogin()
        .loginPage("/pages/unsecure/login.xhtml")
        .and()
    .logout()
        .deleteCookies()
        .logoutSuccessUrl("/pages/unsecure/login.xhtml")
        .invalidateHttpSession(true)
        .and()
    .csrf()
        .disable();

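I guess you have not declared a bean for your login in the Java config, as you did in the XML config.

How would I define this bean?

Write a new method in the config class annotated with @Configuration. The method must be annotated with @Bean and must return an instance of the bean. So the method signature looks like: @Bean public LoginBean getLoginBean() {} You also have to declare an authentication manager.

Isn't the authentication manager the one defined/created in registerAuthentication in the WebSecurity configuration?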
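The bean declarations discussed in the comments above, as an added example that is not code from the original thread. It uses Spring Security's `authenticationManagerBean()` override to publish the authentication manager; the class name `LoginBeanSecurityConfig`, the `LoginBean` stand-in, the bean name (taken from the form's `#{loginMgmtBean...}` expressions) and the request scope are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class LoginBeanSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService; // e.g. the question's "authService"

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService)
            .passwordEncoder(new BCryptPasswordEncoder());
    }

    // Publishes the manager built by configure(AuthenticationManagerBuilder)
    // as a bean so that other beans can obtain it.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    // Request scope (needs a web-aware application context): the bean holds a
    // submitted username and password, so one instance must never be shared
    // between users, which a default singleton would be.
    @Bean(name = "loginMgmtBean")
    @Scope("request")
    public LoginBean loginBean() throws Exception {
        return new LoginBean(authenticationManagerBean());
    }

    // Hypothetical stand-in for the question's login bean; its login() method
    // calls getAuthenticationManager().authenticate(...).
    public static class LoginBean {
        private final AuthenticationManager authenticationManager;
        public LoginBean(AuthenticationManager am) { this.authenticationManager = am; }
        public AuthenticationManager getAuthenticationManager() { return authenticationManager; }
    }
}
```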