我设置了一个JSF(SpringFaces)和Spring Security应用程序,我在applicationContext-security.xml中保护了customer.jsf页面:
<http auto-config="true" access-denied-page="/accessDenied.jsp">
<intercept-url pattern="/pages/customer**" access="ROLE_SUPERVISOR,ROLE_TELLER" />
<form-login login-processing-url="/j_spring_security_check"
login-page="/pages/login.jsf" default-target-url="/"
authentication-failure-url="/pages/login.jsf" />
<logout logout-url="/logout*" logout-success-url="/" />
</http>
在main.jsf页面上,我有一个指向customer.jsf的链接。当我点击此链接时,客户页面打开而没有安全检查!这是一些日志输出:
DEBUG org.springframework.security.web.FilterChainProxy - /pages/main.jsf at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@10de3a. A new one will be created.
DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/TestProject/pages/customer.jsf; arg2=/TestProject/pages/main.jsf (property not equals)
DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/pages/main.jsf'; against '/pages/customer**'
DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Public object - authentication not attempted
但是当我已经在客户页面上,然后点击客户页面本身的链接时,我会获得登录页面并跟随日志输出:
DEBUG org.springframework.security.web.FilterChainProxy - /pages/customer.jsf at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@10de3a. A new one will be created.
DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURL: arg1=http://localhost:8080/TestProject/pages/customer.jsf; arg2=http://localhost:8080/TestProject/pages/customer.jsf (property equals)
DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/pages/customer.jsf'; against '/pages/customer**'
DEBUG org.springframework.security.web.access.intercept.FilterScurityInterceptor - Secure object: FilterInvocation: URL: /pages/customer.jsf; Attributes: [ROLE_SUPERVISOR, ROLE_TELLER]
似乎,源页面(我来自哪里)是安全检查的,但不是目标页面(我想去的地方)。
这是web.xml中的一些配置:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
应用程序中的所有其他页面都不受保护且工作正常。 有什么提示有什么不对吗?
谢谢! 亚历