我的应用程序应该向只有ROLE_ADMIN访问权限的用户显示secret.jsp页面,但它没有。
我定义了两个用户,一个用户访问ROLE_ADMIN,另一个用户访问ROLE_USER。我有两个问题第一个问题是登录页面不起作用我可以使用任何虚拟用户名和密码访问应用程序。
另一个问题是,ROLE_ADMIN用户看不到secret.jsp页面。一旦我打开login.jsp页面并输入用户的凭据,它就会进入注册页面,但是当我点击秘密链接时,它会重定向到login.jsp页面,而不是打开secret.jsp页面。
我正在Struts2上实现SpringSecurity。
Web.xml中
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/medics-security.xml
/WEB-INF/login-service.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
医务人员-security.xml文件
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns='http://www.springframework.org/schema/security'
xmlns:beans='http://www.springframework.org/schema/beans'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd'>
<beans:import resource='login-service.xml'/>
<http auto-config="true" access-denied-page="/error.jsp">
<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/register*" access="ROLE_ADMIN" />
<intercept-url pattern="/secret*" access="ROLE_ADMIN" />
<form-login login-page="/login.jsp" authentication-failure-url="/login?error=true"/>
<remember-me/>
<logout/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="secret" authorities="ROLE_ADMIN"/>
<user name="user" password="secret" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
登录-service.xml中
<beans xmlns='http://www.springframework.org/schema/beans'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd'>
</beans>
的applicationContext.xml
<?xml version='1.0' encoding='UTF-8'?>
<beans xmlns='http://www.springframework.org/schema/beans'
xmlns:context='http://www.springframework.org/schema/context'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd'>
<context:component-scan base-package='com.myproject'/>
<bean id='internalResourceResolver'
class='org.springframework.web.servlet.view.InternalResourceViewResolver'>
<property name='prefix' value='/Web Pages/'/>
<property name='suffix' value='.jsp'/>
</bean>
<bean
class='org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping'/>
<bean class='org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter'/>
<bean id='placeholderConfig'
class='org.springframework.beans.factory.config.PropertyPlaceholderConfigurer'/>
</beans>
struts.xml中
<!DOCTYPE struts PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
"http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
<!-- Configuration for the default package. -->
<constant name="struts.action.extension" value="html"/>
<constant name="struts.enable.SlashesInActionNames" value="true"/>
<action name="Login" class="com.myproject.struts.Login">
<result name="SUCCESS">login.jsp</result>
</action>
<action name="Register" class="com.myproject.struts.Register">
<result name="SUCCESS">register.jsp</result>
</action>
<action name="j_spring_security_check" class="com.myproject.struts.j_spring_security_check">
<result name="SUCCESS">register.jsp</result>
</action>
register.jsp
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<%@ taglib prefix="s" uri="/struts-tags" %>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>secret page</title>
</head>
<body>
<p>register</p>
<a href="secret.jsp">secret</a>
</body>
</html>
的login.jsp
<html>
<head>
</head>
<body>
<form action="j_spring_security_check.html" method="post">
<label for="j_username">Username</label>
<input type="text" name="j_username" id="j_username"/><br/>
<label for="j_password">Password</label>
<input type="password" name="j_password" id="j_password"/><br/>
<input type='checkbox' name='_spring_security_remember_me'/> Remember me<br/>
<input type="submit" value="Login"/>
<input type="reset" value="Reset"/>
</form>
</body>
</html>
答案 0 :(得分:2)
在你的medics-security.xml
中
<http auto-config="true" access-denied-page="/error.jsp">
<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/register*" access="ROLE_ADMIN" />
<intercept-url pattern="/secret*" access="ROLE_ADMIN" />
<form-login login-page="/login.jsp" authentication-failure-url="/login?error=true"/>
<remember-me/>
<logout/>
</http>
第一个模式是“/”它映射应用程序的根目录。 Spring Security按顺序检查模式,第一个模式满足您的请求,Spring Security允许您进入,因为它与access="IS_AUTHENTICATED_ANONYMOUSLY"
一致。你最后放置最宽的图案。您可以在日志中看到模式检查。