我使用migration guide从Spring Security 3.2.5升级到4.0.4。
我的UserDetailsService
看起来像这样:
package com.me.security;
import org.springframework.security.core.userdetails.UserDetailsService;
public class Users implements UserDetailsService {
public Users() {
System.err.println("USERS CONSTRUCTOR");
}
@Override
public UserDetail loadUserByUsername(String name) {
System.err.println("LOAD BY USER NAME " + name);
throw new UsernameNotFoundException("User not found.");
}
}
我的WEB-INF/applicationContext.xml
有这个:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<security:http disable-url-rewriting="true" use-expressions="false">
<security:intercept-url pattern="/auth/**" access="ROLE_ANONYMOUS"/>
<security:intercept-url pattern="/dashboard/**" access="ROLE_ADMIN,ROLE_USER"/>
<!-- ...more intercept-urls... -->
<security:access-denied-handler error-page="/pages/general/403.xhtml"/>
<security:form-login login-page="/auth/login.html"
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check"
default-target-url="/dashboard/"
authentication-failure-url="/auth/error.html"/>
<security:logout logout-success-url="/auth/login.html"
logout-url="/auth/login.html"
delete-cookies="JSESSIONID"
invalidate-session="true" />
<security:session-management invalid-session-url="/auth/login.html"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider user-service-ref='userDetailsService'/>
</security:authentication-manager>
<bean id="userDetailsService" class="com.me.security.Users"/>
</beans>
当我尝试登录时,我的代码不会被调用。我确实在服务器日志中看到了来自Users构造函数的消息,但没有看到来自loadUserByUsername方法的消息。
相反,无论我输入什么用户名和密码,我都会进入403错误页面。
(也许我已经看了太久了......)
为什么Spring没有调用我的UserDetailsService,我需要什么才能让它工作?
答案 0 :(得分:4)
听起来是csrf过滤器。在Spring Security 4.x中,它默认激活:Migrating from Spring Security 3.x to 4.x。如果你总是得到HTTP 403,这可能会有问题。
尝试禁用在security:http元素中设置此内容:
<csrf disabled="true"/>