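I am using Spring Security with Spring MVC. I have previously configured Spring Security successfully with Struts2, but this is my first time using Spring MVC. I am also completely new to Spring MVC.
This is what I want:
1) I have a static page served by Apache.
2) On the static page I have some links to pages hosted on Tomcat, which are accessed through Spring MVC URLs.
3) On one of the pages shown in step 2 there will be a link that takes the user to a login page, again hosted on Tomcat.
Here is my Spring Security configuration: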
<http use-expressions="true">
    <intercept-url pattern="/login/show/" access="permitAll()"></intercept-url>
    <intercept-url pattern="/sales/**" access="permitAll()"></intercept-url>
    <intercept-url pattern="/items/**" access="permitAll()"></intercept-url>
    <intercept-url pattern="/images/**" access="permitAll()"></intercept-url>
    <intercept-url pattern="/js/**" access="permitAll()"></intercept-url>
    <intercept-url pattern="/css/**" access="permitAll()"></intercept-url>
    <intercept-url pattern="/favicon.ico" access="hasRole('ROLE_ANONYMOUS')" />
    <form-login login-page="/login/show/" always-use-default-target="true"
        default-target-url="/login/success/" authentication-failure-url="/login/show/"
        login-processing-url="/login/" password-parameter="userPassword"
        username-parameter="userId" />
    <logout logout-success-url="http://mysales.com" logout-url="/sales/" delete-cookies="JSESSIONID" invalidate-session="true"></logout>
</http>
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="securityService" />
</authentication-manager>
<beans:bean id="securityService"
    class="com.pricer.service.security.SecurityService">
    <beans:property name="authDAO" ref="authDAO"></beans:property>
</beans:bean>
<beans:bean id="messageSource"
    class="org.springframework.context.support.ResourceBundleMessageSource">
    <beans:property name="basenames">
        <beans:list>
            <beans:value>securitymessages</beans:value>
        </beans:list>
    </beans:property>
</beans:bean>
4) When I go to mysales.com, the static page from step 1 is displayed, containing a link to show all sales. I have it as
<div style="font-weight: bold;font-size: 20px;text-align: center;">
    <a href="/mysales/sales/">Sales</a>
</div>
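5) When the user clicks "Sales", it should hit the Spring MVC URL, which passes through the Spring Security filters and shows a page with information about sales and a link to the login page.
When I click the "Sales" link I am redirected back to the home page, i.e. mysales.com. This is what I get in the Tomcat application log: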
2014-05-21 03:37:58.279 [DEBUG] org.springframework.security.web.FilterChainProxy:337 - /sales/ at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-05-21 03:37:58.280 [DEBUG] org.springframework.security.web.context.HttpSessionSecurityContextRepository:127 - No HttpSession currently exists
2014-05-21 03:37:58.280 [DEBUG] org.springframework.security.web.context.HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: null. A new one will be created.
2014-05-21 03:37:58.280 [DEBUG] org.springframework.security.web.FilterChainProxy:337 - /sales/ at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
2014-05-21 03:37:58.280 [DEBUG] org.springframework.security.web.authentication.logout.LogoutFilter:93 - Logging out user 'null' and transferring to logout destination
2014-05-21 03:37:58.282 [DEBUG] org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler:107 - Using default Url: http://mysales.com
2014-05-21 03:37:58.283 [DEBUG] org.springframework.security.web.DefaultRedirectStrategy:36 - Redirecting to 'http://mysales.com'
2014-05-21 03:37:58.283 [DEBUG] org.springframework.security.web.context.HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2014-05-21 03:37:58.283 [DEBUG] org.springframework.security.web.context.SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
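6) But when I try to access an image directly, access works perfectly fine (i.e. if I go to mysales.com/mysales/images/logo.png it works and shows the image). So why does the mysales.com/mysales/sales/ URL not pass through the Spring Security filter chain?
Answer 0 (score: 1)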
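You have logout-url="/sales/" in your logout configuration, which means it will act as the application's logout link and will try to log the user out and then redirect to the logout success URL.
With this configuration, the MVC (or actually Struts) handler for this URL is ignored. You should change the logout URL to something more appropriate, for example /logout.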
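A small model of the evaluation order visible in the log above, where LogoutFilter claims the request before any intercept-url rule is consulted. This is an added example, not part of the question or the answer and not Spring Security's own code; `handled_by`, `ant_to_regex` and the trimmed `CONFIG` are assumptions made for illustration, and the Ant-style matching is simplified.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <http> block from the question, trimmed, with the
# security namespace added so that it parses stand-alone.
CONFIG = """<http xmlns="http://www.springframework.org/schema/security" use-expressions="true">
  <intercept-url pattern="/login/show/" access="permitAll()"/>
  <intercept-url pattern="/sales/**" access="permitAll()"/>
  <intercept-url pattern="/images/**" access="permitAll()"/>
  <form-login login-page="/login/show/" login-processing-url="/login/"/>
  <logout logout-success-url="http://mysales.com" logout-url="/sales/"/>
</http>"""

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: ** spans path segments, * and ? stay in one."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts))

def handled_by(config_xml, path):
    """Name the component that answers `path` (context path already removed),
    checking in the order the filters run: logout, login processing, then the
    first matching <intercept-url> rule."""
    elems, rules = {}, []
    for el in ET.fromstring(config_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if name == "intercept-url":
            rules.append(el)
        else:
            elems[name] = el
    logout = elems.get("logout")
    if logout is not None and path == logout.get("logout-url"):
        return "LogoutFilter -> redirect to " + logout.get("logout-success-url")
    form = elems.get("form-login")
    if form is not None and path == form.get("login-processing-url"):
        return "login processing filter"
    for rule in rules:
        if ant_to_regex(rule.get("pattern")).fullmatch(path):
            return "intercept-url %s (%s)" % (rule.get("pattern"), rule.get("access"))
    return "no rule"

if __name__ == "__main__":
    fixed = CONFIG.replace('logout-url="/sales/"', 'logout-url="/logout"')
    for label, cfg in (("as posted", CONFIG), ("logout-url=/logout", fixed)):
        for path in ("/sales/", "/images/logo.png"):
            print(label, path, "=>", handled_by(cfg, path))
```
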