Question

我有非常奇怪的弹簧安全行为。

安全配置：

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd">
   <http use-expressions="true" >   

        <intercept-url pattern="/home.jsp" access="permitAll" /> 

        <intercept-url pattern="/*" access="isAuthenticated()"/> 


        <form-login login-page="/"
            authentication-failure-url="/loginFailed" default-target-url="/index" />
        <logout logout-success-url="/logOut" />
    </http>
    <authentication-manager>
        <authentication-provider ref="provider" /> 
    </authentication-manager>

</beans:beans>

控制器：

@Controller
public class HomeController {

  @RequestMapping("/index")
public String success(Model model) {
    System.out.println("/index");
    return "index";
}
@RequestMapping(value="/loginFailed", method = RequestMethod.GET )
public String loginError(Model model, RedirectAttributes redirectAttributes ) throws Exception {
    redirectAttributes.addAttribute("message", "incorrect combination of login and password");
    System.out.println("/loginFailed");
    return "redirect:home.jsp";
}

@RequestMapping(value="/logOut", method = RequestMethod.GET )
public String logOut(Model model, RedirectAttributes redirectAttributes) throws Exception {
    redirectAttributes.addAttribute("message", "success logout");
    System.out.println("/logOut");
    return "redirect:home.jsp";
}
    ...
}

如果在网址http://localhost:8080/ui/（根应用程序网址）上输入

第一项活动：

1输入正确的密码 - ＆gt;我在日志中http://localhost:8080/ui/index看到/index isAuthenttificated() == true

2按logOut - ＆gt; http://localhost:8080/ui/并且日志为空isAuthenttificated() == false

3输入正确的密码 - ＆gt; http://localhost:8080/ui/home.jsp?message=success+logout我在控制台/logOut

中看到了isAuthenttificated() == true

4按logOut - ＆gt;转到http://localhost:8080/ui/，日志为空isAuthenttificated() == false

5输入正确的密码 - ＆gt;转到http://localhost:8080/ui/，日志为空isAuthenttificated() == false

我不明白弹簧安全性选择使用哪个控制器的规则。

我认为spring会调用正确的servlet但使用错误的url。

Answer 1

我注意到您可能忘记添加以下配置

    <intercept-url pattern="/loginFailed" access="permitAll" /> 
    <intercept-url pattern="/" access="permitAll" />

或者至少所有与登录/错误页面相关的页面通常都应该免于认证。

春天的安全。令人难以置信的行为

1 个答案: