ERR_TOO_MANY_REDIRECTS after adding a line to the security config

Time: 2013-09-18 14:22:01

Tags: java spring spring-security

I added the line

<intercept-url pattern="/*" access="isAuthenticated()"/> 

to security_config.xml and the browser tells me

ERR_TOO_MANY_REDIRECTS

security_config.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http use-expressions="true">
<!--        <intercept-url pattern="/*" access="permitAll" /> -->
        <intercept-url pattern="/*" access="isAuthenticated()"/> 
        <form-login login-page="/home.jsp"
            authentication-failure-url="/loginFailed" default-target-url="/index" />
        <logout logout-success-url="/logOut" />
    </http>
    <authentication-manager>
<!--        <authentication-provider ref="provider" /> -->
<authentication-provider>
    <user-service>
    <user name="name" authorities="ROLE_USER"/>
    </user-service>
</authentication-provider>
    </authentication-manager>

</beans:beans>

home.jsp:

<%@ page language="java" contentType="text/html; charset=utf8"
    pageEncoding="utf8"%>
<%@taglib uri="http://www.springframework.org/tags" prefix="spring"%>
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<%@ taglib prefix="sec"
    uri="http://www.springframework.org/security/tags"%>
<html>
<head>
<title>Home</title>
</head>
<body>
    <h1>
        Hello,
        <sec:authentication property="principal" />!
    </h1>
    <c:set var="username">
        <sec:authentication property="principal" />
    </c:set>
    <p style="color:#ff0000">${message}</p>

    <c:if test="${username != 'anonymousUser'}">
        <form method="POST" action="j_spring_security_logout">
            <input type="submit" value="log out">
        </form>
        <jsp:include page="WEB-INF/views/menu.jsp" flush="true" />
    </c:if>
    <form method="POST" action="<c:url value="/j_spring_security_check" />" <c:if test="${username != 'anonymousUser'}">hidden="true"</c:if>>
        <table>
            <tr>
                <td align="right">login</td>
                <td><input type="text" name="j_username" id="login"
                    onkeyup="validate()" /></td>
            </tr>
            <tr>
                <td align="right">password</td>
                <td><input type="password" name="j_password" id ="passwordId" onkeyup="validate()" /></td>
            </tr>
            <tr>
                <td align="right">remember me</td>
                <td><input type="checkbox" name="_spring_security_remember_me" /></td>
            </tr>
            <tr>
                <td colspan="2" align="right"><input type="submit"
                    value="Login" id="idSubmit" disabled /> <input type="reset"
                    value="Reset" /></td>
            </tr>
        </table>
    </form>

</body>
<script type="text/javascript">
    function validate() {
        element = document.getElementById("idSubmit");
        element1 = document.getElementById("login");
        resultMatch = element1.value.match('([a-zA-Z0-9])+(_){1}([a-zA-Z0-9])+')
        if (resultMatch == null){
            element.setAttribute("disabled", "disabled");
            return
        }
        if(resultMatch[0] == element1.value && document.getElementById("passwordId").value !="" ){
            element.removeAttribute("disabled");
            return
        }
        else
            element.setAttribute("disabled", "disabled");

    }
    // Assign the function itself; a string assigned to onload is never executed.
    window.onload = validate;
</script>
</html>

But if I write

<intercept-url pattern="/*" access="permitAll" /> 

it works fine.

Can you help me?

2 answers:

Answer 0: (score: 8)

<intercept-url pattern="/*" access="isAuthenticated()"/>

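means that all URLs require authentication. This includes your login URL. What happens is that you hit a URL, Spring sees that auth is required, so it redirects to the login URL, but you can't access the login URL unless you are authed, so it redirects to the login URL - hence the infinite redirect loop.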

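Spring evaluates the intercept-urls in the order you define them, so you can fix it by adding a line above the catch-all telling Spring that auth is not required for the login URL. You should also add a line for the URLs you forward to after logout and after a failed login, otherwise it will just ask you to log in again.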

<intercept-url pattern="/home.jsp" access="permitAll" /> 
<intercept-url pattern="/*" access="isAuthenticated()" /> 
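
An added example, not part of the answer above or of Spring Security: a Python check that reads an <http> element like the one in the question and lists the login page, login-failure URL and logout-success URL whose first matching intercept-url rule requires authentication. The function names, the simplified Ant matcher and the rule that only access="permitAll" counts as open are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/security}"

def ant_to_regex(pattern):
    """Simplified Ant matcher (assumption): '*' stays in one segment, '/**' crosses segments."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(/.*)?", i + 3
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + r"\Z")

def blocked_entry_urls(http_xml):
    """URLs an unauthenticated user must reach whose first matching rule is not permitAll."""
    http = ET.fromstring(http_xml)
    rules = [(ant_to_regex(e.get("pattern")), e.get("access"))
             for e in http.iter(NS + "intercept-url")]
    form, logout = http.find(NS + "form-login"), http.find(NS + "logout")
    urls = []
    if form is not None:
        urls += [form.get("login-page"), form.get("authentication-failure-url")]
    if logout is not None:
        urls.append(logout.get("logout-success-url"))
    blocked = []
    for url in filter(None, urls):
        path = url.split("?")[0]
        # The first rule that matches wins, in declaration order.
        access = next((a for rx, a in rules if rx.match(path)), None)
        if access is not None and access != "permitAll":
            blocked.append(url)
    return blocked

# Constructed inputs: the <http> element from the question, then the same
# element with permitAll rules placed before the catch-all.
HEAD = '<http xmlns="http://www.springframework.org/schema/security" use-expressions="true">'
TAIL = ('<form-login login-page="/home.jsp" authentication-failure-url="/loginFailed" '
        'default-target-url="/index"/><logout logout-success-url="/logOut"/></http>')
CATCH_ALL = '<intercept-url pattern="/*" access="isAuthenticated()"/>'
BROKEN = HEAD + CATCH_ALL + TAIL
FIXED = HEAD + "".join('<intercept-url pattern="%s" access="permitAll"/>' % p
                       for p in ("/home.jsp", "/loginFailed", "/logOut")) + CATCH_ALL + TAIL

if __name__ == "__main__":
    print("question config:", blocked_entry_urls(BROKEN))
    print("with permitAll rules first:", blocked_entry_urls(FIXED))
```

In Ant-style matching, `/*` covers a single path segment only, so a path such as `/a/b` falls outside this catch-all; `/**` also covers nested paths.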

Answer 1: (score: 0)

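The same thing happens in the logout phase when you have the following configuration: http.logout().logoutSuccessUrl("/logout").permitAll(); Reason: Spring Security first runs the HttpSecurity getHttp method, which initializes the http object. Later, when you customize this object through the configure(HttpSecurity http) method, you are actually overwriting the same fields. By default, /logout is used as the logout URL, and on success it redirects to the logout success URL. As shown in the figure: spring security default logout procedure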

But if the logout success URL is configured to be the same as /logout, an infinite redirect loop is waiting. Today I opened this Pandora's box.