Spring Servlet和Spring安全过滤器链Url Patterns

时间:2015-06-20 16:09:21

标签: spring spring-security sitemesh

我在使用spring security的j_spring_security_check和j_spring_security_logout重新编写这些404消息时遇到了很多麻烦。我相信SpringServlet Url-Pattern,springSecurityFilterChain Url-Pattern和/或sitemesh之间可能存在一些冲突。

这是我的web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
    version="3.1">

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/applicationContext.xml</param-value>
    </context-param>

    <servlet>
        <servlet-name>springServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>

        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring/spring-servlet.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>springServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>sitemesh</filter-name>
        <filter-class>org.sitemesh.config.ConfigurableSiteMeshFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>sitemesh</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

</web-app>

我的ApplicationContext(包括spring-security部分):

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:tx="http://www.springframework.org/schema/tx" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:security="http://www.springframework.org/schema/security"

    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
                            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd
                            http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
                            http://www.springframework.org/schema/tx  http://www.springframework.org/schema/tx/spring-tx-4.0.xsd
                            http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <context:component-scan base-package="com.xpto.portal" />
    <tx:annotation-driven transaction-manager="txManager" />
    <mvc:annotation-driven />

    <bean id="handlerMapping" class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping">
        <property name="order" value="1" />
    </bean>

    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="/" access="hasRole('ROLE_USER')" />
        <security:intercept-url pattern="/logout" access="permitAll" />
        <security:logout logout-url="/logout"/> 
    </security:http>

    <!-- Declare an authentication-manager to use a custom userDetailsService -->
    <security:authentication-manager>
        <security:authentication-provider user-service-ref="userDetailsService">
            <security:password-encoder ref="passwordEncoder" />
        </security:authentication-provider>
    </security:authentication-manager>

    <bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder" />

    <security:user-service id="userDetailsService">
        <security:user name="john" password="21232f297a57a5a743894a0e4a801fc3" authorities="ROLE_USER, ROLE_ADMIN" />
        <security:user name="jane" password="ee11cbb19052e40b07aac0ca060c23ee" authorities="ROLE_USER" />
    </security:user-service>


    <bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
        <property name="basename" value="classpath:messages">
        </property>
        <property name="defaultEncoding" value="UTF-8">
        </property>
    </bean>

    <bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
        <property name="paramName" value="lang">
        </property>
    </bean>

    <bean id="localeResolver" class="org.springframework.web.servlet.i18n.CookieLocaleResolver">
        <property name="defaultLocale" value="pt">
        </property>
    </bean>
</beans>

一个基本的主页Controller,它返回一个带有sitemesh的视图:

@Controller
@RequestMapping(value = "/")
public class HomeController {

    @RequestMapping(method=RequestMethod.GET)
    public String index()
    {
        return "home/index";
    }
}

这适用于登录。如果我访问localhost / portal,我将被重定向到spring的默认登录页面,然后将我重定向到“/”。问题是这里的URL:

<a href="<c:url value="/logout" />">Logout</a>

生成404并出现此错误:

17:06:43,457 WARN [org.springframework.web.servlet.PageNotFound](默认任务-27)在DispatcherServlet中找不到名为'springServlet'的带有URI [/ Portal / logout]的HTTP请求的映射

这与我更改logout-url相同。

我怀疑过滤器和弹簧servlet之间存在一些不兼容的问题,但我很遗憾。

你可以帮忙吗?

我正在使用spring-security 4.0.1

谢谢!

2 个答案:

答案 0 :(得分:0)

更改退出。 像这样的东西。

<a href='<c:url value="/j_spring_security_logout" />'>

答案 1 :(得分:0)

我只需要使用表单来执行注销。像这样:

<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
  <input type="submit" value="Log out" />
  <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>

这是因为默认情况下启用了spring-security的CSRF,并且必须通过POST使用CSRF令牌执行注销。