I am trying to learn Spring Security, so I downloaded some sample projects and then tried to implement that solution in my own project. But when I try to submit the login form, I always get the 403 page that is defined in the applicationContext-security.xml file. I expected the 'authentication-failure-url' for an invalid username/password, or the 'default-target-url' for a correct username/password, instead of the 'access-denied-handler' / forbidden (my 403 page). If someone with more experience could help me, I would be very grateful.

applicationContext-security.xml
<security:http security="none" pattern="/public/**"/>
<security:http security="none" pattern="/login*"/>
<security:http security="none" pattern="/maxSessionError*"/>
<security:http security="none" pattern="/forbidden*"/>
<security:http use-expressions="true">
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>
    <security:form-login login-page="/login"
                         default-target-url="/home"
                         authentication-failure-url="/login"
                         authentication-success-handler-ref="loginSuccessHandler"
    />
    <security:logout invalidate-session="true" delete-cookies="true" success-handler-ref="logoutSuccessHandler" />
    <security:access-denied-handler error-page="/forbidden"/>
    <security:session-management session-fixation-protection="newSession" >
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/maxSessionError" />
    </security:session-management>
    <security:custom-filter ref="xunxiSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" />
</security:http>
login.jsp
<form action="<%=request.getContextPath()%>/j_spring_security_check" method="post" class="login-form" id="login-form" >
    <label>Username</label>
    <input type="text" placeholder="username" name="j_username"/>
    <label>Password</label>
    <input type="password" placeholder="password" name="j_password"/>
    <label>
        <input type="checkbox" name="_spring_security_remember_me" /> Remember me </label>
    <button type="submit" >
        Login
    </button>
    </div>
</form>
Answer 0 (score: 5)
The Spring Security version you are using is 4.0.2, but your JSP appears to have been written for Spring Security 3. Migrate your JSP:

1. Change the login processing URL (the form action) to /login.
2. Change the input names to username and password.
3. Add an input element for CSRF protection: <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>. Spring Security 4 enables CSRF protection by default.
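The three migration steps from the answer applied to the question's login form, as an added example that is not part of the original question or answer. It uses the Spring Security 4 defaults for the processing URL (/login), the credential parameter names (username, password), the remember-me parameter (remember-me), and the CSRF request attribute that CsrfFilter exposes as ${_csrf}; the contextPath expression replaces the scriptlet from the original JSP but is equivalent.

```jsp
<%-- Added example: login.jsp migrated to the Spring Security 4 defaults. --%>
<form action="${pageContext.request.contextPath}/login" method="post" class="login-form" id="login-form">
    <label>Username</label>
    <%-- Spring Security 4 default username parameter (was j_username in 3.x) --%>
    <input type="text" placeholder="username" name="username"/>

    <label>Password</label>
    <%-- Spring Security 4 default password parameter (was j_password in 3.x) --%>
    <input type="password" placeholder="password" name="password"/>

    <label>
        <%-- Spring Security 4 default remember-me parameter (was _spring_security_remember_me in 3.x);
             it only has an effect once a <security:remember-me> element is configured --%>
        <input type="checkbox" name="remember-me"/> Remember me
    </label>

    <%-- CSRF token: without it CsrfFilter rejects the POST and hands the request to the
         access-denied-handler, which is exactly the /forbidden (403) page from the question --%>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

    <button type="submit">Login</button>
</form>
```

One caveat that follows from the question's own configuration: the line <security:http security="none" pattern="/login*"/> removes every Spring Security filter for that URL pattern, so once the form posts to /login the UsernamePasswordAuthenticationFilter would never see the request either. To keep the login page reachable without excluding the processing URL, drop that security="none" line and instead permit the page inside the secured chain, for example <security:intercept-url pattern="/login" access="permitAll"/> placed before the /** rule; the same applies if you set a different login-processing-url, which must also not fall under a security="none" pattern.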