Spring Security不限制访问

时间:2013-09-22 21:09:43

标签: java spring-mvc spring-security

我是Spring Security的新手并且遇到了问题。当我尝试访问预期受限制的页面时,无论如何都显示所请求的页面,没有403也没有重定向到登录页面,日志中没有错误,没有任何内容,就像完全没有实现Spring Security一样。

部署应用程序时,我在日志中看到以下内容,告诉我Spring Security至少开始了:

INFO: Checking whether login URL '/security/credentials' is accessible with your configuration

我试图将登录页面更改为受限制的页面,只是为了测试实际上是受限制的,我得到以下内容,这告诉我它正确受到限制,至少在模拟中是这样。

INFO: Checking whether login URL '/dashboard' is accessible with your configuration

org.springframework.security.config.http.DefaultFilterChainValidator checkLoginPageIsntProtected
WARNING: Anonymous access to the login page doesn't appear to be enabled. This is almost certainly an error. Please check your configuration allows unauthenticated access to the configured login page. (Simulated access was rejected: org.springframework.security.access.AccessDeniedException: Access is denied)

我有以下设置:

的web.xml     

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
         http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

   <welcome-file-list>
      <welcome-file>
         index.html
      </welcome-file>
   </welcome-file-list>

   <context-param>
      <param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
      <param-value>messages</param-value>
   </context-param>

   <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>
        WEB-INF/applicationContext.xml
    </param-value>
   </context-param>

   <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
   </listener>

   <filter>
      <filter-name>UrlRewriteFilter</filter-name>
      <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
      <init-param>
         <param-name>logLevel</param-name>
         <param-value>TRACE</param-value>
      </init-param>
   </filter>
   <filter-mapping>
      <filter-name>UrlRewriteFilter</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
   </filter-mapping>


   <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
   </filter>
   <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <servlet>
      <servlet-name>spring</servlet-name>
      <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
      <init-param>
         <param-name>contextConfigLocation</param-name>
         <param-value>
            /WEB-INF/applicationContext.xml
        </param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>

   </servlet>
   <servlet-mapping>
      <servlet-name>spring</servlet-name>
      <url-pattern>/app/*</url-pattern>
   </servlet-mapping>
</web-app>

Spring Security配置文件是从我的applicationContext.xml导入的。

弹簧security.xml文件

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
   xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.1.xsd">

   <http auto-config="true" use-expressions="true">
      <form-login 
         login-page="/security/credentials"
         login-processing-url="/security/signin" 
         default-target-url="/dashboard"
         authentication-failure-url="/security/signin_failed" />
      <intercept-url pattern="/resources/**" access="permitAll"/>
      <intercept-url pattern="/security/**" access="permitAll" />
      <intercept-url pattern="/favicon.ico" access="permitAll"/>
      <intercept-url pattern="/**" access="denyAll"/>
      <logout logout-success-url="/security/signout" />
      <remember-me />
   </http>

   <authentication-manager alias="authenticationManager">
      <authentication-provider>
         <user-service>
            <user name="test" password="password" authorities="ROLE_USER" />
         </user-service>
      </authentication-provider>
   </authentication-manager>
</beans:beans>

2 个答案:

答案 0 :(得分:1)

Spring实际上正常运行,因为您实际上告诉Spring /security/**请求不需要身份验证(access="permitAll"):

...
<intercept-url pattern="/security/**" access="permitAll" />
...

如果您想限制只有经过身份验证的用户访问,则可以指定:

...
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...

或者,如果您想限制对特定角色的访问权限(将ROLE_XXX替换为您的特定角色):

...
<intercept-url pattern="/security/**" access="hasRole('ROLE_XXX')" />
...

请注意,无法限制与登录相关的网址(原因很明显):

login-page="/security/credentials"
     login-processing-url="/security/signin" 
     default-target-url="/dashboard"
     authentication-failure-url="/security/signin_failed" />

因此,要么将其更改为以/login/而非/security/之类的内容开头,要么为每个内容添加特定的拦截网址(如果必须使用它们):

...
<intercept-url pattern="/security/credentials" access="permitAll" />
<intercept-url pattern="/security/signin" access="permitAll" />
<intercept-url pattern="/security/signin_failed" access="permitAll" />
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...

应首先声明更具体的URL,因为Spring使用它从顶部找到的第一个规则。

答案 1 :(得分:0)

我建议您在删除<remember-me />标记后尝试删除,或先删除所有Cookie。 出现因为现有的cookie,您可以访问/仪表板

修改 您在Spring安全性之前配置了UrlRewriteFilter,查看为spring安全过滤器提供的最终URL,或者您可以在禁用UrlRewriteFilter后尝试?