Question

我将Spring Security从2升级到3

以前Security.xml有 AuthenticationProcessingFilter 和 AuthenticationProcessingFilterEntryPoint

所以我的新Security.xml是

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<beans:bean id="userAuthenticationService"
    class="com.raykor.core.service.UserAuthenticationService" />

<beans:bean id="shaEncoder"
    class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />

<global-method-security />

<http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">

    <intercept-url pattern="/resettingPassword.do**" access="ROLE_ADMIN" />
    <intercept-url pattern="/resetPassword.do**" access="ROLE_ADMIN" />
    <logout logout-success-url="/index.jsp" invalidate-session="true" />
</http>

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userAuthenticationService">
        <password-encoder ref="shaEncoder">
            <salt-source user-property="salt" />
        </password-encoder>
    </authentication-provider>
</authentication-manager>

<beans:bean id="authenticationFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="authenticationFailureHandler"
        ref="failureHandler" />
    <beans:property name="authenticationSuccessHandler"
        ref="successHandler" />
</beans:bean>

<beans:bean id="successHandler"
    class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="alwaysUseDefaultTargetUrl" value="false" />
    <beans:property name="defaultTargetUrl" value="/home.do" />
</beans:bean>

<beans:bean id="failureHandler"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/login.do?error=true" />
</beans:bean>

<beans:bean id="authenticationProcessingFilterEntryPoint"
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/login.do" />
    <beans:property name="forceHttps" value="false" />
</beans:bean>

`

还在web.xml中添加了过滤器 springSecurityFilterChain

在登录时，它会打开登录页面，在提交时，使用用户名和密码提交 j_spring_security_check j_username ＆amp;的为j_password

那么为什么说j_spring_security_checknot avaliable

Answer 1

您实例化UsernamePasswordAuthenticationFilter，但只是通过创建它不会成为安全过滤器链的一部分。尝试从auto-config="false"配置元素中删除http，并在其中包含<form-login>元素。我认为你通过bean定义完成的所有配置都可以使用更简洁的namespace configuration来完成，这应该是Spring Security 3的首选。

Answer 2

我错过了添加自定义过滤器ref我更新了如

<http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">
    <custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter"/>
    <intercept-url pattern="/resettingPassword.do**" access="ROLE_ADMIN" />
    <intercept-url pattern="/resetPassword.do**" access="ROLE_ADMIN" />
    <logout logout-success-url="/index.jsp" invalidate-session="true" />
</http>

j_spring_security_check不可用

2 个答案: