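I am trying to understand Spring Security, but my page can be accessed without logging in and I don't understand why.
The "secure" page is located in WEB-INF/pages/secure and can be reached at http://localhost:8080/secret.
/secure mapping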
@Controller
public class HelloWorld {
    ...
    @RequestMapping("/secret")
    public String showSecret(ModelMap model) {
        return "secure/secretPage";
    }
}
web.xml
...
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/applicationContext-security.xml
        /WEB-INF/springmvc-config.xml
    </param-value>
</context-param>
...
applicationContext-security.xml
<http auto-config="true">
    <form-login login-processing-url="/j_spring_security_check"
                login-page="/login"
                authentication-failure-url="/login?login_error=t"/>
    <logout logout-url="/j_spring_security_logout"/>
    <intercept-url pattern="/pages/secure/**" access="IS_AUTHENTICATED_FULLY" requires-channel="https"/>
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
</http>
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userAccountDetailsService"/>
</authentication-manager>
userAccountDetailsService
@Service("userAccountDetailsService") // lets <component-scan/> find this component
public class UserAccountDetailsService implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        throw new UsernameNotFoundException("Could not find user");
    }
}
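The /login page does not exist yet. There are no users anyway. I just want to block access for now.
Answer 0 (score: 0)
The URL you are accessing is /secure, not /pages/secure, but in your Spring Security configuration you are protecting /pages/secure/** rather than /secure/**. Change the intercept URL from /pages/secure/** to /secure/** and try again.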
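The following is an added example, not code from the question or the answer. It shows that intercept-url rules are evaluated in declaration order against the request path (not the view's location under WEB-INF), using a simplified matcher that only handles exact paths and a trailing "/**" in place of Spring Security's real matcher. The class name, the sample paths and the "/secret" rule (which mirrors the controller's @RequestMapping) are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class InterceptUrlDemo {
    // Simplified stand-in for Ant-style matching: exact paths and a trailing "/**" only.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3); // "/**" becomes ""
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // Rules are tried in declaration order; the first matching pattern decides the access attribute.
    static String requiredAccess(Map<String, String> rules, String requestPath) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (matches(rule.getKey(), requestPath)) {
                return rule.getValue();
            }
        }
        return "(no rule)";
    }

    public static void main(String[] args) {
        // The two rules exactly as posted in applicationContext-security.xml.
        Map<String, String> asPosted = new LinkedHashMap<>();
        asPosted.put("/pages/secure/**", "IS_AUTHENTICATED_FULLY");
        asPosted.put("/**", "IS_AUTHENTICATED_ANONYMOUSLY");

        // Constructed alternative: rules keyed on request paths, specific patterns before the catch-all.
        Map<String, String> byRequestPath = new LinkedHashMap<>();
        byRequestPath.put("/secret", "IS_AUTHENTICATED_FULLY");     // assumption: the controller mapping
        byRequestPath.put("/secure/**", "IS_AUTHENTICATED_FULLY");  // the pattern from the answer
        byRequestPath.put("/**", "IS_AUTHENTICATED_ANONYMOUSLY");

        // Constructed sample request paths.
        String[] paths = {"/secret", "/secure/secretPage", "/pages/secure/secretPage", "/login"};
        for (String p : paths) {
            System.out.printf("%-26s posted=%-30s byRequestPath=%s%n",
                    p, requiredAccess(asPosted, p), requiredAccess(byRequestPath, p));
        }
    }
}
```

With the posted rules, a request for /secret falls through to the catch-all "/**" and is served to anonymous users; a rule only protects a page when its pattern matches the path the browser actually requests.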