使用模式配置Spring Security Filter Chain会为/ j_spring_security_check返回404

时间:2013-03-23 00:31:12

标签: spring-security

我正在使用Spring MVC和Spring Security Release 3.1.3以及tomcat 7.0.37

我需要配置2个安全过滤器链,一个用于BasicAuthentication,另一个用于FormBasedAuthentication。

这是我的spring-security.xml文件:

<beans:beans ...>
...

<!-- ....................... -->
<!-- The Gui is secured here -->
<!-- ....................... -->
<http auto-config="true" use-expressions="true" pattern="/gui/**">
    <intercept-url pattern="/gui/login**" access="isAnonymous()"/>

    <form-login login-page="/gui/login" default-target-url="/gui/welcome"
                authentication-failure-url="/gui/loginfailed" />

    <logout logout-success-url="/gui/logout" />

    <intercept-url pattern="/welcome*" access="hasRole('een_admin')" /> 
    <intercept-url pattern="/mandantAdmin/**" access="isAuthenticated()"/>
    <intercept-url pattern="/standortAdmin/**" access="isAuthenticated()"/> 
    <intercept-url pattern="/ereignisse/**" access="isAuthenticated()" />
    <intercept-url pattern="/tickets/**" access="isAuthenticated()"/>  <!-- requires-channel="https" -->        
    <intercept-url pattern="/**" access="hasRole('een_admin')"/>
</http>

<!-- ................................. -->
<!-- The Service Methods are secured here -->
<!-- ................................. -->
<http use-expressions="true" >
    <http-basic />
    <logout logout-url="/resources/j_spring_security_logout"/>

    <intercept-url pattern="/service/ticketManagement/**" access="isAuthenticated()"/>
    <intercept-url pattern="/service/standortKonfig/**" access="isAuthenticated()"/>
    <intercept-url pattern="/service/ereignisStorage/**" access="isAuthenticated()"/>

</http>
<debug/>


<authentication-manager>
  <authentication-provider>
    <password-encoder hash="sha-256"/>
    <user-service>
        <user name="123" password="asdf" authorities="een_admin" />
    </user-service>
  </authentication-provider>
</authentication-manager>
</beans:beans>

我的web.xml如下:

<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/mvc-dispatcher-servlet.xml,
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>

<!-- ........................................................................... -->
<!--                                Spring Security                              -->
<!-- ........................................................................... -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

访问其中一个基于表单的受保护资源时,我成功委派给配置的自定义登录表单。但在输入我的凭据后,我收到404错误,找不到“j_spring_security_check”(它正在使用此网址:"http://127.0.0.1:8080/webapp/j_spring_security_check"

以下是一些日志:

Request received for '/gui/login':

org.apache.catalina.connector.RequestFacade@174e4b3

servletPath:/gui/login
    pathInfo:null

    Security filter chain: [
      SecurityContextPersistenceFilter
      LogoutFilter
      UsernamePasswordAuthenticationFilter
      BasicAuthenticationFilter
      RequestCacheAwareFilter
      SecurityContextHolderAwareRequestFilter
      AnonymousAuthenticationFilter
      SessionManagementFilter
      ExceptionTranslationFilter
      FilterSecurityInterceptor
    ]
    Request received for '/j_spring_security_check':

    org.apache.catalina.connector.RequestFacade@174e4b3

    servletPath:/j_spring_security_check
    pathInfo:null

    Security filter chain: [
      SecurityContextPersistenceFilter
      LogoutFilter
      BasicAuthenticationFilter
      RequestCacheAwareFilter
      SecurityContextHolderAwareRequestFilter
      AnonymousAuthenticationFilter
      SessionManagementFilter
      ExceptionTranslationFilter
      FilterSecurityInterceptor
    ]

    01:06:06,345  WARN http-apr-8080-exec-3 servlet.PageNotFound:1080 - No mapping found for HTTP request with URI [/webapp/j_spring_security_check] in DispatcherServlet with name 'mvc-dispatcher'

    In access_logs:
    "POST /webapp/j_spring_security_check HTTP/1.1" 404 949

注意重定向时缺少 UsernamePasswordAuthenticationFilter

如果我删除第一个元素中的模式属性pattern =“/ gui / **”并注释掉第二个元素(除非interceptor-url模式存在问题),它再次正常工作。

简化一点:将模式属性添加到http元素时,无法再找到j_spring_security_check。

我做错了什么,有人可以帮助我吗?

1 个答案:

答案 0 :(得分:3)

您需要意识到,您在http块中定义的网址相对于pattern属性,因此首先,所有{{1}您拥有的模式(例如intercept-url)将无效,因为它们仅对以/welcome*开头的网址激活,因此永远不会匹配。它应该是/gui

您的登录表单提交的URL也必须在某处具有匹配的/gui/welcome元素。在您的情况下,它位于form-login过滤器链中,因此永远不会匹配/gui/**的请求。

因此,您需要更改登录表单中的网址,以/j_spring_security_check开头。您还可以通过设置login-processing-url来修改过滤器响应的URL。例如:

/gui

(选择一些根本不提Spring的东西是个好主意。)

您还应该删除<form-login login-processing-url="/gui/login.do" login-page="/gui/login" default-target-url="/gui/welcome" authentication-failure-url="/gui/loginfailed" /> 属性,因为它在这里没有做任何有用的事情,只会让人感到困惑。

相关问题
最新问题