我已经采用了一个现有项目,我需要从春季3升级到春季4,但升级后我无法再进行身份验证。它返回403 Forbidden,我注意到不再调用spring的UserDetailsService接口的NetworkUserDetailsService.loadUserByUsername()实现来进行身份验证。失败时,浏览器将重定向到/ j_spring_security_check。这是Java 8升级工作的一部分,我们仍在Tomcat 7(基础架构要求)中运行。我希望我已经包含了足够的信息供某人发现问题。谢谢你的帮助!
这是我的spring-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<sec:global-method-security proxy-target-class="true" pre-post-annotations="enabled"/>
<sec:authentication-manager>
<sec:authentication-provider ref="daoAuthenticationProvider"/>
</sec:authentication-manager>
<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<bean id="networkUserDetailsService" class="com.xxxxxx.xxxx.tools.base.service.NetworkUserDetailsService"/>
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="networkUserDetailsService"/>
<property name="passwordEncoder" ref="passwordEncoder"/>
</bean>
<sec:http pattern="/api/version" security="none"/>
<sec:http pattern="/admin/**" security="none"/>
<sec:http pattern="/css/**" security="none"/>
<sec:http pattern="/js/**" security="none"/>
<sec:http pattern="/images/**" security="none"/>
<sec:http pattern="/login*" security="none"/>
<sec:http auto-config="true" use-expressions="true">
<!-- Login pages -->
<sec:form-login login-page="/login.html" default-target-url="/welcome.html" always-use-default-target="true"
authentication-failure-url="/login-error.html"/>
<sec:logout/>
<!-- Security zones -->
<sec:intercept-url pattern="/**" access="isAuthenticated()"/>
</sec:http>
我的web.xml:
<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"
version="3.0"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_2.xsd"
metadata-complete="false">
<display-name>Web Application</display-name>
<resource-ref>
<description>Data Source</description>
<res-ref-name>jdbc/admin</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<error-page>
<location>/error</location>
</error-page>
<env-entry>
<env-entry-name>appName</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>admin</env-entry-value>
</env-entry>
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method-omission>GET</http-method-omission>
<http-method-omission>POST</http-method-omission>
<http-method-omission>HEAD</http-method-omission>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
登录表单(不注意Thymeleaf标签):
<form class="form-signin" th:action="@{/j_spring_security_check}" method="post">
<h2 class="form-signin-heading" th:text="#{admin.login}">Please sign in</h2>
<p th:if="${loginError}" th:text="#{admin.denied.header}" class="error alert alert-danger">Wrong user or
password</p>
<input type="text" class="form-control" placeholder="User name" id="j_username" name="j_username"
required="required" autofocus="autofocus"/>
<input type="password" class="form-control" placeholder="Password" required="required" id="j_password"
name="j_password"/> <br/>
<button class="btn btn-lg btn-primary btn-block" type="submit" th:text="#{admin.login}">Sign in</button>
</form>
在服务器启动期间,springSecurityFilterChain正在代码中初始化:
private void addSpringSecurityFilter() {
final DelegatingFilterProxy filter = new DelegatingFilterProxy("springSecurityFilterChain", applicationContext);
final FilterRegistration.Dynamic filterChainReg = servletContext.addFilter("springSecurityFilterChain", filter);
filterChainReg.addMappingForUrlPatterns(null, true, "/*");
}