gpt4 book ai didi

java - Spring Security 用户身份验证不起作用

转载 作者:行者123 更新时间:2023-11-30 07:40:25 25 4
gpt4 key购买 nike

我正在尝试使用 spring security 来实现身份验证。

我无法弄清楚我做错了什么。

web.xml 有一个安全过滤器:

<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

spring-security.xml 定义了 url 拦截和身份验证管理器:

    <beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/logout**" access="permitAll" />

<!-- Incoming Product -->
<intercept-url pattern="/incomingProduct**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />

<!-- Maintanence pages -->
<intercept-url pattern="/depotUser**" access="hasRole('Administrator') and hasRole('Local_Administrator')" />
<intercept-url pattern="/product**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<intercept-url pattern="/productOwner**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />
<intercept-url pattern="/storageTank**" access="hasRole('Administrator') and hasRole('Local_Administrator') and hasRole('Supervisor') and hasRole('Manager')" />

<intercept-url pattern="/admin**" access="hasRole('Administrator')" />

<!-- access denied page -->
<access-denied-handler error-page="/error/403" />
<form-login
login-page="/"
default-target-url="/"
authentication-failure-url="/Access_Denied"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/logout" />
<!-- enable csrf protection -->
<csrf />
</http>

<authentication-manager>
<authentication-provider user-service-ref="userSecurityService" />
</authentication-manager>

<beans:bean id="userSecurityService" class="com.tms.securityServices.UserSecurityService" >
<beans:property name="depotUserDao" ref="depotUserDao" />
</beans:bean>

</beans:beans>

UserSecurityService 实现 UserDetailsS​​ervice。根据 spring-security.xml 中的配置,应该调用它来验证登录请求并将用户注入(inject) session 中。 (如果我错了,请纠正我!)

@Transactional
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
{
DepotUser user = depotUserDao.findByUserName(username);
System.out.println("User : " + user);
if (user == null)
{
System.out.println("User not found");
throw new UsernameNotFoundException("Username not found");
}
return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), user.isActive(), true, true, true,
getGrantedAuthorities(user));
}

private List<GrantedAuthority> getGrantedAuthorities(DepotUser user)
{
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();

for (DepotUserRole userProfile : user.getUserRole())
{
System.out.println("UserProfile : " + userProfile);
authorities.add(new SimpleGrantedAuthority("ROLE_" + userProfile.getRole()));
}

System.out.print("authorities :" + authorities);
return authorities;
}

处理请求的登录 Controller :

    @RequestMapping(value = { "/loginRequest" }, method = RequestMethod.POST)
public String loginRequest(@RequestParam String username, @RequestParam String password, HttpServletRequest request, HttpServletResponse response)
{
DepotUser user = depotUserManager.getUserByUsernamePassword(username, password);

if (user != null)
{
request.setAttribute("firstName", user.getFirstName());
request.setAttribute("lastName", user.getLastName());
request.setAttribute("username", user.getUsername());
request.setAttribute("userRoles", user.getUserRole());
return "homePage";
}

发生的情况是,当我登录时,用户会以匿名用户身份登录。

身份验证不会被触发,因为我没有到达 UserSecurityService 中的断点。也不在处理请求的 spring Controller 中。

谁能帮帮我吗?

感谢任何帮助。

谢谢

最佳答案

不止一个细节看起来不对

在配置中,在登录部分:

<form-login 
login-page="/"
default-target-url="/"
authentication-failure-url="/Access_Denied"
username-parameter="username"
password-parameter="password" />

通过指定login-page="/",这意味着带有表单数据以执行身份验证的POST请求必须发送到"/" url,但您尝试在 Controller 中的 "/loginRequest" 处处理身份验证。

其次,处理身份验证不是您必须在 Controller 中自己管理的事情,Spring Security 会自动为您完成此操作,只需将表单 POST 到配置中指定的 url 即可。

更新:

对于登录表单,您应该确保以下事项:

  • 表单的操作网址与配置中的login-page参数匹配,在本例中为"/"<
  • 用户名输入字段的名称属性应与您的案例中的配置“用户名”中的用户名参数匹配<
  • 密码输入字段的名称属性应与配置中的密码参数匹配,在您的情况下为“密码” .

您还应该删除modelAttribute="loginUser"

关于java - Spring Security 用户身份验证不起作用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/34777318/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com