我遇到弹簧安全问题并显示错误消息
这是我在root-context.xml中的内容
`<context:property-placeholder location="classpath:config.properties" />
<!-- Register the Customer.properties -->
<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="mymessages" />
</bean>
<security:http auto-config='true'>
<security:intercept-URL pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-URL pattern="/**" access="ROLE_USER" />
<security:form-login login-page='/login' default-target-url="/"
authentication-failure-URL="/loginfailed"/>
<security:logout logout-success-url="/" logout-URL="/j_spring_security_logout" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="billy" password="123456" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>`
在我的web.xml中
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<URL-pattern>/*</URL-pattern>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
和我的.jsp是
<body>
<%@ include file="include/login1.jsp"%>
<c:if test="${not empty error}">
<div class="errorblock">Your login attempt was not successful, try again.<br/> Caused :
</div>
</c:if>
</body>
</html>
当我第一次使用错误的用户凭据登录时,它只是重新加载登录页面。然后,如果我使用正确的登录凭据登录,它将以负载登录文本“您的登录尝试未成功,请再试一次。导致:”但没有弹出消息说明原因后的凭据错误: 任何有关此事的帮助都非常感谢
答案 0 :(得分:1)
看起来您的身份验证失败的网址需要身份验证。
<security:intercept-URL pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-URL pattern="/**" access="ROLE_USER"/>
此配置仅允许未经身份验证的人员访问/ login页面,但不允许访问/ loginfailed页面。尝试将登录拦截网址更改为:
<security:intercept-URL pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-URL pattern="/**" access="ROLE_USER"/>
或者,您可以添加另一个专门调用/ loginfailed网址的拦截网址。
可能发生的情况是,您第一次尝试登录时,会将您重定向到登录失败页面“/ loginfailed”,由于身份验证失败,导致另一次重定向返回登录页面。然后,当您正确登录时,它会将您重定向回“/ loginfailed”页面,因为这是登录重定向之前的原始请求。
您可以使用另一个参数,它始终会将您发送到default-taget ...
<form-login login-page='/login' default-target-url='/'
authentication-failure-url="/loginfailed" always-use-default-target='true' />
给它一个镜头,看它是否有效。
编辑:以下是安全设置的完整示例。在这个设置中,我使用额外的http声明而不是额外的intercept-url。我的login.jsp根据login_error参数更改其内容(例如,login_error = 1使其显示一条消息,说'用户名或密码不正确',login_error = 2使其显示一条消息,说明会话已超时且请再次登录)。
<!-- No security on js,css,image and other static resources -->
<http pattern="/resources/**" security="none" />
<!-- No security on error pages -->
<http pattern="/error/**" security="none" />
<!-- No security on pages starting with login -->
<http pattern="/login*" security="none" />
<http auto-config='true'>
<!-- Everything else requires ROLE_USER -->
<intercept-url pattern="/**" access="ROLE_USER" />
<access-denied-handler error-page="/error/403"/>
<!-- Custom login page -->
<form-login login-page='/login' default-target-url='/'
authentication-failure-url="/login?login_error=1"
always-use-default-target='false' />
<!-- Allow user to stay logged in -->
<remember-me />
<!-- Custom logout page and remove the session id cookie -->
<logout logout-url='/logout' delete-cookies="JSESSIONID"/>
<session-management>
<concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
</session-management>
<!-- Custom session timeout page -->
<session-management invalid-session-url="/login?login_error=2" />
</http>
答案 1 :(得分:0)
删除此行并尝试
<security:intercept-URL pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
和
auto-config='true'
只有在手动配置服务时才需要它。可能是工作