春季安全3.1中的多会话

时间:2014-03-05 08:52:51

标签: spring-security

我们开发了一个需要不同身份验证的Web应用程序,在我的例子中,这是代理和成员。这是详细信息:

但我在这里有一些问题。首先,我登录代理配置文件页面,并成功登录。但是然后我打开了成员页面,我得到HTTP状态403 - 访问被拒绝。我想要实现的情况是代理和成员都能够登录。

这是我的web.xml

<?xml version="1.0" encoding="UTF-8"?><web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>spring-security-hello-world</display-name>
<welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
</welcome-file-list>

<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/mvc-dispatcher-servlet.xml,
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

这是我的spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">

<!-- <http pattern="/agent/login" security="none" /> -->

<http pattern="/member/**">
    <intercept-url pattern="/**" access="ROLE_MEMBER" />
    <form-login login-page="/member_login" default-target-url="/member/profile"
        authentication-failure-url="/member_loginfailed" />
    <logout logout-success-url="/member_logout" />
</http>

<http auto-config="true">
    <intercept-url pattern="/agent/**" access="ROLE_AGENT" />
    <form-login login-page="/agent_login" default-target-url="/agent/profile"
        authentication-failure-url="/agent_loginfailed" />
    <logout logout-success-url="/agent_logout" />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="agent" password="123456" authorities="ROLE_AGENT" />
        </user-service>
    </authentication-provider>

    <authentication-provider>
        <user-service>
            <user name="member" password="123456" authorities="ROLE_MEMBER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

注意: 在我的情况下,一个用户必须只有一个角色(代理或成员)

1 个答案:

答案 0 :(得分:0)

如果您在同一浏览器中执行此操作,则使用具有ROLE_AGENT的代理来访问仅限于ROLE_MEMBER的页面。您可以将ROLE_MEMBER添加到您的access =“ROLE_AGENT,ROLE_MEMBER”进行检查。