Question

我正在开发一个Spring MVC / Spring Security应用程序。

我没有任何异常或错误，但其中一个页面上有一个重定向循环。

我正在使用Spring 3.0.1和Spring Security 3.0.1。

我的dispatcher-security.xml：

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:security="http://www.springframework.org/schema/security"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
   http://www.springframework.org/schema/security
   http://www.springframework.org/schema/security/spring-security-3.0.xsd">

   <security:http auto-config="true" use-expressions="true"> 
      <security:form-login login-page="/login" default-target-url="/login" authentication-failure-url="/fail2login"/> 
      <security:logout logout-success-url="/"/> 
      <security:intercept-url pattern="/auth/**" access="hasRole('ANONYMOUS')" /> 
      <security:intercept-url pattern="/js/**" access="hasRole('ANONYMOUS')" /> 
      <security:intercept-url pattern="/css/**" access="hasRole('ANONYMOUS')" /> 
      <security:intercept-url pattern="/**" access="hasRole('ADMIN')" /> 
   </security:http>

   <security:authentication-manager>  
      <security:authentication-provider>  
         <security:jdbc-user-service data-source-ref="dataSource1"
           users-by-username-query=" select name,password,enabled from user where name=?"      
           authorities-by-username-query="select u.name, r.role from user u, role r where u.role = r.auto_id and u.name =?  "
         />
      </security:authentication-provider>  
   </security:authentication-manager>

</beans>

请帮帮我......

Answer 1

default-target-url属性定义用户在成功登录时重定向的页面。通常它是您的应用程序的主页。您有default-target-url="/login"，因此在成功登录后会将您重定向回登录页面。

我不明白你的例子中ANONYMOUS角色的含义。如果它是匿名用户的内置角色，我认为它被称为ROLE_ANONYMOUS。在这种情况下，您可能会错误地使用它，并且这两行：

<security:intercept-url pattern="/js/**" access="hasRole('ANONYMOUS')" />
<security:intercept-url pattern="/css/**" access="hasRole('ANONYMOUS')" />

应该替换为这样的东西：

<security:intercept-url pattern="/js/**" access="hasRole('ROLE_ANONYMOUS') or hasRole('ROLE_USER')" />
<security:intercept-url pattern="/css/**" access="hasRole('ROLE_ANONYMOUS') or hasRole('ROLE_USER')" />

否则，未通过身份验证的用户仅将能够访问/js/和/css/目录。

ROLE_USER不是内置角色，而是为所有经过身份验证的用户手动定义的角色。

另见：

What is the difference between ROLE_USER and ROLE_ANONYMOUS

The Spring Security Reference: Anonymous Authentication

Spring Security应用程序中的重定向循环

1 个答案: