我有一个webapp,我已经将Java配置用于Spring安全性。问题是如果我没有明确指定/j_spring_security_check
作为登录处理URL,它将失败。我最终在日志中得到以下内容:
DEBUG: [Aug-02 17:16:10,907] security.web.FilterChainProxy - /j_spring_security_check at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG: [Aug-02 17:16:10,907] security.web.FilterChainProxy - /j_spring_security_check at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG: [Aug-02 17:16:10,907] security.web.FilterChainProxy - /j_spring_security_check at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/login.html'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/auth-failure.html'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/favicon.ico'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/css/**'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/js/**'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/img/**'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/reader/**'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/script/read/**'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/mobile/**'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Request '/j_spring_security_check' matched by universal pattern '/**'
DEBUG: [Aug-02 17:16:10,907] access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /j_spring_security_check; Attributes: [hasRole('ROLE_USER')]
DEBUG: [Aug-02 17:16:10,907] access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8dbd0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: 715AFC0DB28725B1A882DF649173A566; Granted Authorities: ROLE_ANONYMOUS
DEBUG: [Aug-02 17:16:10,907] access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@329b7920, returned: -1
DEBUG: [Aug-02 17:16:10,907] web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
正如您所看到的,它根本无法与/j_spring_security_check
匹配,因此它表示访问被拒绝并重定向回登录页面。但是,如果我明确添加/j_spring_security_check
,请执行以下操作:
http.formLogin()
.loginProcessingUrl("/j_spring_security_check")
...
...
有效。这对我来说似乎不对,因为我从来没有在基于XML的配置中执行此操作。此外,我也没有在任何一个例子中看到这一点。我做错了什么?
我的安全配置类如下:
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public void configure(AuthenticationManagerBuilder builder) throws Exception {
builder.userDetailsService(new CustomUserDetailsService()).passwordEncoder(new PlaintextPasswordEncoder()); //plaintext is on purpose; this is a toy app
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable() // toy app so I'm just trying to get this to work
.authorizeRequests()
.antMatchers(
"/login.html",
"/auth-failure.html",
"/favicon.ico",
"/css/**",
"/js/**",
"/img/**",
"/reader/**",
"/script/read/**",
"/mobile/**").permitAll()
.antMatchers("/**").hasRole("USER")
.anyRequest().authenticated();
http.formLogin()
.loginProcessingUrl("/j_spring_security_check")
.loginPage("/login.html")
.defaultSuccessUrl("/editor/")
.failureUrl("/auth-failure.html");
}
}
答案 0 :(得分:1)
出于安全原因,Java配置和基于XML的配置具有不同的默认URL。有关详细信息,请参阅here。
它说:
POST /login authenticates the user instead of /j_spring_security_check