个人中心
文章发布
退出
作者热门文章
- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
25
4
我使用的 Spring 安全版本是 4.0.2。Spring-security.xml主要部分
<http pattern="/resources/**" security="none" />
<http pattern="/login" security="none"/>
<http auto-config="true" use-expressions="true">
<!-- <intercept-url pattern="/login" access="permitAll" /> -->
<intercept-url pattern="/about" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
<custom-filter ref="ipFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
<remember-me remember-me-parameter="remember-me" token-validity-seconds="604800" data-source-ref="dataSource" user-service-ref="customjdbcUserService"/>
<form-login login-page="/login" default-target-url="/"
password-parameter="pwd" />
<logout logout-success-url="/about" />
</http>
当我使用
<http pattern="/login" security="none"/>
在文件中,我的应用程序无法工作,当我提交我的登录请求时,它只是用 login.jsp View 响应我,并放置了调试信息那里:
22:32:42,905 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/resources/**'
22:32:42,905 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/login'
22:32:42,905 DEBUG FilterChainProxy:200 - /login has an empty filter list
22:32:42,906 DEBUG DispatcherServlet:861 - DispatcherServlet with name 'springmvc' processing POST request for [/login]
22:32:42,907 DEBUG RequestMappingHandlerMapping:294 - Looking up handler method for path /login
22:32:42,908 DEBUG RequestMappingHandlerMapping:299 - Returning handler method [public void com.bay1ts.controller.BaseController.login()]
22:32:42,908 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'baseController'
22:32:42,909 DEBUG DispatcherServlet:1241 - Rendering view [org.springframework.web.servlet.view.JstlView: name 'login'; URL [/WEB-INF/jsps/login.jsp]] in DispatcherServlet with name 'springmvc'
22:32:42,910 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'requestDataValueProcessor'
22:32:42,910 DEBUG JstlView:166 - Forwarding to resource [/WEB-INF/jsps/login.jsp] in InternalResourceView 'login'
22:32:42,919 DEBUG DispatcherServlet:996 - Successfully completed request
但是当我使用
<intercept-url pattern="/login" access="permitAll" />
像这样:
<http pattern="/resources/**" security="none" />
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/about" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
<custom-filter ref="ipFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
<remember-me remember-me-parameter="remember-me" token-validity-seconds="604800" data-source-ref="dataSource" user-service-ref="customjdbcUserService"/>
<form-login login-page="/login" default-target-url="/"
password-parameter="pwd" />
<logout logout-success-url="/about" />
</http>
然后我可以登录我的应用程序这是调试信息
22:56:22,763 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/resources/**'
22:56:22,770 DEBUG FilterChainProxy:324 - /login at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
22:56:22,770 DEBUG HttpSessionSecurityContextRepository:171 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
22:56:22,770 DEBUG HttpSessionSecurityContextRepository:101 - No SecurityContext was available from the HttpSession: org.eclipse.jetty.server.session.HashedSession:1bf4hxwrtqrdvs3dedd70rh8o@1206903733. A new one will be created.
22:56:22,770 DEBUG FilterChainProxy:324 - /login at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
22:56:22,770 DEBUG FilterChainProxy:324 - /login at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
22:56:22,771 DEBUG HstsHeaderWriter:128 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@1945827
22:56:22,771 DEBUG FilterChainProxy:324 - /login at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
22:56:22,772 DEBUG FilterChainProxy:324 - /login at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
22:56:22,772 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/logout'
22:56:22,773 DEBUG FilterChainProxy:324 - /login at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
22:56:22,773 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/login'
22:56:22,773 DEBUG UsernamePasswordAuthenticationFilter:211 - Request is to process authentication
22:56:22,774 DEBUG ProviderManager:162 - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
22:56:22,778 DEBUG JdbcTemplate:693 - Executing prepared SQL query
22:56:22,780 DEBUG JdbcTemplate:627 - Executing prepared SQL statement [select username,password,enabled from users where username = ?]
22:56:22,788 DEBUG DataSourceUtils:110 - Fetching JDBC Connection from DataSource
22:56:22,862 INFO AbstractPoolBackedDataSource:203 - Initializing c3p0 pool... com.mchange.v2.c3p0.ComboPooledDataSource [ acquireIncrement -> 3, acquireRetryAttempts -> 30, acquireRetryDelay -> 1000, autoCommitOnClose -> false, automaticTestTable -> null, breakAfterAcquireFailure -> false, checkoutTimeout -> 0, connectionCustomizerClassName -> null, connectionTesterClassName -> com.mchange.v2.c3p0.impl.DefaultConnectionTester, contextClassLoaderSource -> caller, dataSourceName -> 1hge1379c1b42a3w17r38ui|3c87fdf2, debugUnreturnedConnectionStackTraces -> false, description -> null, driverClass -> com.mysql.jdbc.Driver, extensions -> {}, factoryClassLocation -> null, forceIgnoreUnresolvedTransactions -> false, forceUseNamedDriverClass -> false, identityToken -> 1hge1379c1b42a3w17r38ui|3c87fdf2, idleConnectionTestPeriod -> 0, initialPoolSize -> 3, jdbcUrl -> jdbc:mysql://localhost:3306/jdbcdaoimpl?characterEncoding=UTF-8, maxAdministrativeTaskTime -> 0, maxConnectionAge -> 0, maxIdleTime -> 0, maxIdleTimeExcessConnections -> 0, maxPoolSize -> 15, maxStatements -> 0, maxStatementsPerConnection -> 0, minPoolSize -> 3, numHelperThreads -> 3, preferredTestQuery -> null, privilegeSpawnedThreads -> false, properties -> {user=******, password=******}, propertyCycle -> 0, statementCacheNumDeferredCloseThreads -> 0, testConnectionOnCheckin -> false, testConnectionOnCheckout -> false, unreturnedConnectionTimeout -> 0, userOverrides -> {}, usesTraditionalReflectiveProxies -> false ]
22:56:22,895 DEBUG MConfig:198 - The configuration file for resource identifier '/mchange-commons.properties' could not be found. Skipping.
java.io.FileNotFoundException: Resource not found at path '/mchange-commons.properties'.
at com.mchange.v2.cfg.BasicPropertiesConfigSource.propertiesFromSource(BasicPropertiesConfigSource.java:64)
at com.mchange.v2.cfg.BasicMultiPropertiesConfig.firstInit(BasicMultiPropertiesConfig.java:185)
at com.mchange.v2.cfg.BasicMultiPropertiesConfig.<init>(BasicMultiPropertiesConfig.java:110)
at com.mchange.v2.cfg.ConfigUtils.read(ConfigUtils.java:63)
at com.mchange.v2.cfg.MConfig$CSManager.recreateFromKey(MConfig.java:153)
at com.mchange.v1.cachedstore.NoCleanupCachedStore.find(NoCleanupCachedStore.java:63)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.mchange.v1.lang.Synchronizer$1.invoke(Synchronizer.java:58)
at com.sun.proxy.$Proxy29.find(Unknown Source)
at com.mchange.v2.cfg.MConfig.readVmConfig(MConfig.java:75)
at com.mchange.v2.cfg.MConfig.readVmConfig(MConfig.java:81)
at com.mchange.v2.resourcepool.BasicResourcePool.<clinit>(BasicResourcePool.java:60)
...
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:695)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:727)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:737)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:787)
at org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl.loadUsersByUsername(JdbcDaoImpl.java:216)
at org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl.loadUserByUsername(JdbcDaoImpl.java:173)
at org.springframework.security.authentication.dao.DaoAuthenticationProvider.retrieveUser(DaoAuthenticationProvider.java:114)
at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:143)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:93)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:120)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1667)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1667)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:581)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1114)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:511)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1048)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119)
at org.eclipse.jetty.server.Server.handle(Server.java:517)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:302)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:242)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:245)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:75)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572)
at java.lang.Thread.run(Thread.java:745)
22:56:22,992 DEBUG BasicResourcePool:195 - com.mchange.v2.resourcepool.BasicResourcePool@a87512f config: [start -> 3; min -> 3; max -> 15; inc -> 3; num_acq_attempts -> 30; acq_attempt_delay -> 1000; check_idle_resources_delay -> 0; max_resource_age -> 0; max_idle_time -> 0; excess_max_idle_time -> 0; destroy_unreturned_resc_time -> 0; expiration_enforcement_delay -> 0; break_on_acquisition_failure -> false; debug_store_checkout_exceptions -> false]
22:56:22,992 DEBUG C3P0PooledConnectionPoolManager:195 - Created new pool for auth, username (masked): 'ro******'.
22:56:22,992 DEBUG BasicResourcePool:195 - acquire test -- pool size: 0; target_pool_size: 3; desired target? 1
22:56:22,993 DEBUG BasicResourcePool:195 - awaitAvailable(): [unknown]
22:56:23,568 DEBUG DataSourceUtils:327 - Returning JDBC Connection to DataSource
22:56:23,570 DEBUG JdbcTemplate:693 - Executing prepared SQL query
22:56:23,570 DEBUG JdbcTemplate:627 - Executing prepared SQL statement [select username,authority from authorities where username = ?]
22:56:23,571 DEBUG DataSourceUtils:110 - Fetching JDBC Connection from DataSource
22:56:23,573 DEBUG DataSourceUtils:327 - Returning JDBC Connection to DataSource
22:56:23,578 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'sqlSessionFactory'
22:56:23,578 DEBUG CompositeSessionAuthenticationStrategy:86 - Delegating to org.springframework.security.web.csrf.CsrfAuthenticationStrategy@70540f7b
22:56:23,580 DEBUG CompositeSessionAuthenticationStrategy:86 - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@51ae01da
22:56:23,581 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'sqlSessionFactory'
22:56:23,582 DEBUG UsernamePasswordAuthenticationFilter:317 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER
22:56:23,582 DEBUG PersistentTokenBasedRememberMeServices:147 - Creating new persistent login for user admin
22:56:23,586 DEBUG JdbcTemplate:908 - Executing prepared SQL update
22:56:23,586 DEBUG JdbcTemplate:627 - Executing prepared SQL statement [insert into persistent_logins (username, series, token, last_used) values(?,?,?,?)]
22:56:23,587 DEBUG DataSourceUtils:110 - Fetching JDBC Connection from DataSource
22:56:23,593 DEBUG JdbcTemplate:918 - SQL update affected 1 rows
22:56:23,594 DEBUG DataSourceUtils:327 - Returning JDBC Connection to DataSource
22:56:23,594 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'sqlSessionFactory'
22:56:23,595 DEBUG SavedRequestAwareAuthenticationSuccessHandler:110 - Using default Url: /
22:56:23,595 DEBUG DefaultRedirectStrategy:39 - Redirecting to '/'
22:56:23,595 DEBUG HttpSessionSecurityContextRepository:362 - SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@fec65191: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER' stored to HttpSession: 'org.eclipse.jetty.server.session.HashedSession:m2b22n17auwqwwbhl5t9veiw@1206903733
22:56:23,596 DEBUG SecurityContextPersistenceFilter:105 - SecurityContextHolder now cleared, as request processing completed
22:56:23,598 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/'; against '/resources/**'
22:56:23,599 DEBUG FilterChainProxy:324 - / at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
22:56:23,599 DEBUG HttpSessionSecurityContextRepository:192 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@fec65191: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER'
22:56:23,599 DEBUG FilterChainProxy:324 - / at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
22:56:23,600 DEBUG FilterChainProxy:324 - / at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
22:56:23,600 DEBUG HstsHeaderWriter:128 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@1945827
22:56:23,600 DEBUG FilterChainProxy:324 - / at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
22:56:23,600 DEBUG FilterChainProxy:324 - / at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
22:56:23,600 DEBUG AntPathRequestMatcher:131 - Request 'GET /' doesn't match 'POST /logout
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
22:56:23,601 DEBUG AntPathRequestMatcher:131 - Request 'GET /' doesn't match 'POST /login
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 7 of 15 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 8 of 15 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 9 of 15 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 10 of 15 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
22:56:23,602 DEBUG RememberMeAuthenticationFilter:153 - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER'
22:56:23,602 DEBUG FilterChainProxy:324 - / at position 11 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
22:56:23,602 DEBUG AnonymousAuthenticationFilter:106 - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER'
22:56:23,602 DEBUG FilterChainProxy:324 - / at position 12 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'
22:56:23,602 DEBUG FilterChainProxy:324 - / at position 13 of 15 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
22:56:23,602 DEBUG FilterChainProxy:324 - / at position 14 of 15 in additional filter chain; firing Filter: 'IPRoleAuthenticationFilter'
22:56:23,603 DEBUG FilterChainProxy:324 - / at position 15 of 15 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
22:56:23,603 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/'; against '/login'
22:56:23,603 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/'; against '/about'
22:56:23,603 DEBUG FilterSecurityInterceptor:218 - Secure object: FilterInvocation: URL: /; Attributes: [hasRole('ROLE_USER')]
22:56:23,603 DEBUG FilterSecurityInterceptor:347 - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER
22:56:23,608 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@71ed560f, returned: 1
22:56:23,608 DEBUG FilterSecurityInterceptor:242 - Authorization successful
22:56:23,608 DEBUG FilterSecurityInterceptor:255 - RunAsManager did not change Authentication object
22:56:23,609 DEBUG FilterChainProxy:309 - / reached end of additional filter chain; proceeding with original chain
22:56:23,609 DEBUG DispatcherServlet:861 - DispatcherServlet with name 'springmvc' processing GET request for [/]
22:56:23,609 DEBUG RequestMappingHandlerMapping:294 - Looking up handler method for path /
22:56:23,610 DEBUG RequestMappingHandlerMapping:299 - Returning handler method [public java.lang.String com.bay1ts.controller.BaseController.index()]
22:56:23,610 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'baseController'
22:56:23,611 DEBUG DispatcherServlet:947 - Last-Modified value for [/] is: -1
22:56:23,612 DEBUG DefaultListableBeanFactory:1616 - Invoking afterPropertiesSet() on bean with name 'index'
22:56:23,612 DEBUG DispatcherServlet:1241 - Rendering view [org.springframework.web.servlet.view.JstlView: name 'index'; URL [/WEB-INF/jsps/index.jsp]] in DispatcherServlet with name 'springmvc'
22:56:23,612 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'requestDataValueProcessor'
22:56:23,613 DEBUG JstlView:166 - Forwarding to resource [/WEB-INF/jsps/index.jsp] in InternalResourceView 'index'
22:56:23,764 DEBUG DispatcherServlet:996 - Successfully completed request
22:56:23,764 DEBUG ExceptionTranslationFilter:116 - Chain processed normally
22:56:23,765 DEBUG SecurityContextPersistenceFilter:105 - SecurityContextHolder now cleared, as request processing completed
但为什么呢?
最佳答案
一般使用security="none"不推荐。这指示 Spring Security 完全忽略特定请求。
使用 security="none" 的一个后果是当你提交用户名和密码进行验证时,Spring Security 的 UsernamePasswordAuthenticationFilter不会处理它。
使用 security="none" 的另一个后果是其他类型的安全不再存在。例如,没有 Security HTTP Response headers将被添加。
当您使用 permitAll 时指示 Spring Security 允许任何人访问该 URL,但 Spring Security 仍将处理该 URL。这意味着在处理提交的用户名/密码时仍会使用 URL。这也意味着其他类型的安全性(即安全性 HTTP 响应 header )将可用于该 URL。
配置清理
您可以/应该做一些额外的配置清理。例如,每个 <intercept-url>按顺序考虑,只使用第一个。这意味着:
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/about" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
永远不会达到/user/* 或/admin/* 的规则,因为/** 匹配所有内容并列在它们之前。
相反,您应该按照从最具体到最一般的顺序对规则进行排序。例如:
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/about" access="permitAll" />
<intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
您还可以清理一些配置。例如,在 Spring Security 4+ 中 expressions="true"是默认启用的(所以你不需要指定它)。另一个例子是在 Spring Security 4+ 中你不再需要为 hasRole 提供 ROLE_。这意味着您可以将配置更新为:
<http auto-config="true">
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/about" access="permitAll" />
<intercept-url pattern="/user/*" access="hasRole('USER')" />
<intercept-url pattern="/admin/*" access="hasRole('ADMIN')"/>
<intercept-url pattern="/**" access="hasRole('USER')" />
<custom-filter ref="ipFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
<remember-me remember-me-parameter="remember-me" token-validity-seconds="604800" data-source-ref="dataSource" user-service-ref="customjdbcUserService"/>
<form-login login-page="/login" default-target-url="/"
password-parameter="pwd" />
<logout logout-success-url="/about" />
</http>
可能值得一提的是/user/* 将匹配/user/123,但不匹配/user/profile/123。因此,您可以考虑将模式更改为/user/**
关于java - Spring 安全/登录不通过任何过滤器,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/33371389/
25
4
0
我正在尝试为我的用户提供使用 Google 或 Facebook 登录的选项。到目前为止,我找到了一个实现 Google 登录流程的示例,但如果我可以在同一 Activity 中实现类似的 Faceb
我有一个网页,它对用户是否登录很敏感。我使用的是 Google 登录 Javascript SDK。当用户到达此页面时,我想显示一个插页式广告(“正在加载...”),然后 1)如果用户已登录则呈现页面
我用 digitalocean 创建了一个 droplet,并使用 apt install mariadb-server 命令安装了 mariadb。现在我想使用 php 连接到我的服务器,我使用这个
这个问题在这里已经有了答案: Inno Setup - Signing fails with "Sign Tool failed with exit code 0x1" (2 个回答) 3年前关闭。
我正在尝试使用他们的新 API 实现 google 登录:https://developers.google.com/identity/sign-in/web/ 登录和注销工作正常。我的问题是我不知道
我的应用程序具有谷歌登录、Facebook 登录和 braintree 集成。 我已将以下代码放入 appdelegate.swift 中: func application(_ applicatio
我有一个 Flask 应用程序,最近在我的登录/退出表单中实现了 Flask-Login: @account.route('/sign-in', methods=['POST', 'GET']) de
friend 们,我是初学者级别的 ios swift 学习者。我一直在尝试在我的试用应用程序中进行谷歌登录。根据来自谷歌开发人员和其他教程的资源,我成功地使用 UIView 进行了登录。然后我试图在
我正在使用 Ionic 在 Codeigniter/Ion_Auth/codeigniter-restclient 之上构建登录系统,当我尝试从“ionic 服务器”登录时,登录可以正常工作,但对 L
在 Docker 文件中我有这个 FROM ubuntu RUN apt update && apt -y upgrade RUN apt install -y sudo # Setup ops us
对于 Java 开发,我使用 Slf4j 和 Logback。 Logger logger = LoggerFactory.getLogger(HelloWorld.class); logger.de
在 Scala 应用程序中进行日志记录的好方法是什么?与语言哲学一致的东西,不会使代码困惑,并且维护成本低且不引人注目。以下是基本要求列表: 简单 不会使代码困惑。 Scala 以其简洁而著称。我不希
我正在尝试将我的登录名转换为 Retrofit2 我的旧 LoginActivity: public class LoginActivity extends Activity { private st
我正在尝试让 google+ 登录在 android 上运行。我的问题是,每当我使用 eclipse 运行它时,google 开发站点上提供的示例都能完美运行。当我签署 apk 并在我的设备上手动安装
这个问题已经有答案了: JS Simple but Safe Login? [closed] (1 个回答) 已关闭 6 年前。 我正在尝试使用 JavaScript 创建登录页面。它实际上只是一个带
其他章节请看: react 高效高质量搭建后台系统 系列 登录 本篇将完成 登录模块 。效果和 spug 相同: 需求 如下:
关闭。这个问题不符合Stack Overflow guidelines .它目前不接受答案。 我们不允许提问寻求书籍、工具、软件库等的推荐。您可以编辑问题,以便用事实和引用来回答。 关闭 1 年前。
我在使用 ReactJs 中的 facebook-login 组件时遇到问题,代码与文档中的完全一样,但仍然无法正常工作。你能帮我找出我做错了什么吗? import React, { Componen
我有一个项目,其中包含许多具有自己的日志记录的“工具”类。这些日志文件是在应用程序启动时创建的,但在使用之前一直为空。 是否可以告诉logback在启动时不应该创建空文件?但是仅在使用它们时? 不知何
我正在创建一个需要用户授权才能访问某些功能的网站。我目前正在研究用户如何创建帐户以及如何利用 session 来授权他们的登录。用户信息存储在名为 user 的 MySQL 表中,其中可能包括用户名和
我是一名优秀的程序员,十分优秀!