Spring MVC：当用户尝试访问安全资源时重定向到登录

Question

• 我正在开发一个Spring-MVC应用程序，我在其中发送电子邮件 其中包含试图进行的@RequestMapping的链接 访问ROLE_USER下的资源。

  • 问题是，我想将用户重定向到登录页面/ login 直接，如果他/她试图访问任何安全资源。我试过了 搜索类似的东西，但无法找到任何完全匹配。我是 粘贴我的security-application-context.xml。请看看。

  <!-- Global Security settings -->
  <security:global-method-security pre-post-annotations="enabled" />
  <security:http pattern="/resources/**" security="none"/>
  
  <security:http create-session="ifRequired" use-expressions="true" auto-config="true" disable-url-rewriting="true">
      <security:form-login login-page="/login" default-target-url="/canvas/list" always-use-default-target="false" authentication-failure-url="/denied.jsp"  />
      <security:remember-me key="_spring_security_remember_me" user-service-ref="userDetailsService" token-validity-seconds="1209600" data-source-ref="dataSource"/>
      <security:logout delete-cookies="JSESSIONID" invalidate-session="true" logout-url="/j_spring_security_logout"/>
      <security:access-denied-handler error-page="/login"/>
  
  <security:port-mappings>
      <security:port-mapping http="80" https="443"/>
  </security:port-mappings>
      <security:session-management invalid-session-url="/login"/>
  </security:http>
  
  <!-- queries to be run on data -->
  <beans:bean id="rememberMeAuthenticationProvider" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
      <beans:property name="key" value="_spring_security_remember_me" />
      <beans:property name="tokenRepository" ref="jdbcTokenRepository"/>
      <beans:property name="userDetailsService" ref="LoginServiceImpl"/>
  </beans:bean>
  
  <!--Database management for remember-me -->
  <beans:bean id="jdbcTokenRepository"
              class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
      <beans:property name="createTableOnStartup" value="false"/>
      <beans:property name="dataSource" ref="dataSource" />
  </beans:bean>
  
  <!-- Remember me ends here -->
  <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider user-service-ref="LoginServiceImpl">
         <security:password-encoder  ref="encoder"/>
      </security:authentication-provider>
  </security:authentication-manager>
  
  <beans:bean id="encoder"
              class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
      <beans:constructor-arg name="strength" value="11" />
  </beans:bean>
  
  <beans:bean id="daoAuthenticationProvider"
              class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
              <beans:property name="userDetailsService" ref="LoginServiceImpl"/>
             <beans:property name="passwordEncoder" ref="encoder"/>
  </beans:bean>
  

任何帮助都会很好。非常感谢。 ： - ）

Answer 1

您需要在<intercept-url>中提供<security-http>元素。现在春天的安全并没有保护任何网址。

您还需要在配置中添加<session-management>并指定invalid-session-url属性。

试着看一下spring文档：

<intercept-url> info

<session-management> info

当用户尝试访问安全资源时，应将其重定向到登录页面。