Spring Security 4升级不再对

时间:2015-11-11 16:38:27

标签: java spring spring-mvc authentication spring-security

我已经采用了一个现有项目,我需要从春季3升级到春季4,但升级后我无法再进行身份验证。它返回403 Forbidden,我注意到不再调用spring的UserDetailsS​​ervice接口的NetworkUserDetailsS​​ervice.loadUserByUsername()实现来进行身份验证。失败时,浏览器将重定向到/ j_spring_security_check。这是Java 8升级工作的一部分,我们仍在Tomcat 7(基础架构要求)中运行。我希望我已经包含了足够的信息供某人发现问题。谢谢你的帮助!

这是我的spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:sec="http://www.springframework.org/schema/security"
   xmlns="http://www.springframework.org/schema/beans"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<sec:global-method-security proxy-target-class="true" pre-post-annotations="enabled"/>
<sec:authentication-manager>
    <sec:authentication-provider ref="daoAuthenticationProvider"/>
</sec:authentication-manager>

<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<bean id="networkUserDetailsService" class="com.xxxxxx.xxxx.tools.base.service.NetworkUserDetailsService"/>

<bean id="daoAuthenticationProvider"
      class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="networkUserDetailsService"/>
    <property name="passwordEncoder" ref="passwordEncoder"/>
</bean>

<sec:http pattern="/api/version" security="none"/>
<sec:http pattern="/admin/**" security="none"/>
<sec:http pattern="/css/**" security="none"/>
<sec:http pattern="/js/**" security="none"/>
<sec:http pattern="/images/**" security="none"/>
<sec:http pattern="/login*" security="none"/>

<sec:http auto-config="true" use-expressions="true">
    <!-- Login pages -->
    <sec:form-login login-page="/login.html" default-target-url="/welcome.html" always-use-default-target="true"
                    authentication-failure-url="/login-error.html"/>

    <sec:logout/>
    <!-- Security zones -->
    <sec:intercept-url pattern="/**" access="isAuthenticated()"/>
</sec:http>

我的web.xml:

<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"
     version="3.0"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_2.xsd"
     metadata-complete="false">

<display-name>Web Application</display-name>

<resource-ref>
    <description>Data Source</description>
    <res-ref-name>jdbc/admin</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
</resource-ref>

<error-page>
    <location>/error</location>
</error-page>

<env-entry>
    <env-entry-name>appName</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>admin</env-entry-value>
</env-entry>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
        <http-method-omission>HEAD</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

登录表单(不注意Thymeleaf标签):

 <form class="form-signin" th:action="@{/j_spring_security_check}" method="post">
    <h2 class="form-signin-heading" th:text="#{admin.login}">Please sign in</h2>

    <p th:if="${loginError}" th:text="#{admin.denied.header}" class="error alert alert-danger">Wrong user or
        password</p>
    <input type="text" class="form-control" placeholder="User name" id="j_username" name="j_username"
           required="required" autofocus="autofocus"/>
    <input type="password" class="form-control" placeholder="Password" required="required" id="j_password"
           name="j_password"/> <br/>
    <button class="btn btn-lg btn-primary btn-block" type="submit" th:text="#{admin.login}">Sign in</button>
</form>

在服务器启动期间,springSecurityFilterChain正在代码中初始化:

private void addSpringSecurityFilter() {
    final DelegatingFilterProxy filter = new DelegatingFilterProxy("springSecurityFilterChain", applicationContext);
    final FilterRegistration.Dynamic filterChainReg = servletContext.addFilter("springSecurityFilterChain", filter);
    filterChainReg.addMappingForUrlPatterns(null, true, "/*");
}

0 个答案:

没有答案
相关问题
最新问题