我使用 spring-security 来管理 spring-mvc 项目中的用户身份验证。但现在我发现,当我输入错误的用户名或密码登录时,浏览器上会显示“HTTP 状态 401 - 身份验证失败:凭据错误”页面。我已经在 spring-security.xml 文件中配置了 authentication-failure-url,但它不起作用,我不知道为什么。
任何人都可以帮助我吗?
这是我的spring-security.xml配置代码:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- Each security="none" entry makes Spring Security skip its whole filter chain for the
     matching requests: no authentication, no authorization and no SecurityContext. -->
<!-- NOTE(review): /interface/** and /file/** are reachable without login because of this;
     confirm that nothing served under those paths needs an authenticated user. -->
<security:http pattern="/interface/**" security="none"/>
<security:http pattern="/forward.html" security="none"/>
<security:http pattern="/js/**" security="none"/>
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/images/**" security="none"/>
<security:http pattern="/file/**" security="none"/>
<security:http pattern="/favicon.ico" security="none"/>
<!-- NOTE(review): the login page is also outside the filter chain, so the intercept-url
     rule for /login** in the main security:http block presumably never sees these requests. -->
<security:http pattern="/login**" security="none" />
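<!-- Main filter chain: handles every request that no security="none" entry matched. -->
<security:http auto-config="true" access-denied-page="/accessDenied" use-expressions="true">
  <!-- The original line ended with a stray comment terminator, which left character data
       inside an element that only allows child elements; it is removed here.
       NOTE(review): /login** is also declared with security="none", so this rule is
       presumably never evaluated; keep only one of the two declarations. -->
  <security:intercept-url pattern="/login**" access="isAnonymous()"/>
  <!-- NOTE(review): isAnonymous() rejects users who are already logged in; confirm that
       the exception page is meant to be visible to anonymous users only. -->
  <security:intercept-url pattern="/common/exceptionInfo.jsp" access="isAnonymous()"/>
  <!-- Catch-all rule: everything else requires a full (not remember-me) login. -->
  <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>

  <security:session-management session-authentication-error-url="/login" invalid-session-url="/login">
    <security:concurrency-control session-registry-ref="sessionRegistry" expired-url="/login"/>
  </security:session-management>

  <!-- Hand-built filters inserted ahead of the filters the namespace creates itself. -->
  <security:custom-filter before="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"/>
  <security:custom-filter before="FORM_LOGIN_FILTER" ref="authFilter"/>
  <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="securityFilter"/>

  <!-- NOTE(review): authFilter is a second UsernamePasswordAuthenticationFilter placed
       before the one form-login creates, so it handles the login request first. The
       attributes below (including authentication-failure-url) configure only the
       namespace-created filter, not the authFilter bean. -->
  <security:form-login login-page="/login"
                       authentication-failure-url="/login?failure"
                       authentication-details-source-ref="customAuthenticationDetailsSource"
                       authentication-success-handler-ref="customAuthenticationSuccessHandler"/>
  <security:logout invalidate-session="true" logout-url="/logout" success-handler-ref="customLogoutSuccessHandler"/>
</security:http>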
<!-- Authentication manager, published under the alias "authenticationManager" so that
     other beans can reference it; it delegates to the single provider listed here. -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="customAuthenticationProvider"/>
</security:authentication-manager>
<!-- Project classes from com.lucumt.security; their implementations are not shown on this page. -->

<!-- User lookup service injected into the authentication provider. -->
<bean id="customUserDetailsService" class="com.lucumt.security.CustomUserDetailsService"/>

<!-- Provider referenced by the authentication manager. -->
<bean id="customAuthenticationProvider" class="com.lucumt.security.CustomAuthenticationProvider">
  <property name="userDetailsService" ref="customUserDetailsService"/>
</bean>

<!-- Details source shared by form-login and the authFilter bean. -->
<bean id="customAuthenticationDetailsSource" class="com.lucumt.security.CustomAuthenticationDetailsSource"/>

<!-- Success handler for logins; default target is /home. -->
<bean id="customAuthenticationSuccessHandler" class="com.lucumt.security.CustomAuthenticationSuccessHandler">
  <property name="defaultTargetUrl" value="/home"/>
</bean>

<!-- Success handler for logouts; default target is the login page. -->
<bean id="customLogoutSuccessHandler" class="com.lucumt.security.CustomLogoutSuccessHandler">
  <property name="defaultTargetUrl" value="/login"/>
</bean>
<!-- Custom authorization filter, registered before FILTER_SECURITY_INTERCEPTOR in the
     security:http block. Its three collaborators are wired below. -->
<bean id="securityFilter" class="com.lucumt.security.CustomFilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="securityMetadataSource" ref="securityMetadataSource"/>
</bean>

<!-- Project class; how it decides on access is not shown on this page. -->
<bean id="accessDecisionManager" class="com.lucumt.security.CustomAccessDecisionManager"/>

<!-- Built from authorityDao. NOTE(review): presumably loads URL-to-authority rules through that DAO; confirm. -->
<bean id="securityMetadataSource" class="com.lucumt.security.CustomInvocationSecurityMetadataSource">
  <constructor-arg ref="authorityDao"/>
</bean>
<!-- Hand-built ConcurrentSessionFilter, registered before CONCURRENT_SESSION_FILTER.
     NOTE(review): the namespace concurrency-control element sets expired-url="/login",
     while this bean redirects expired sessions to /login?times; confirm which of the
     two is meant to apply. -->
<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
  <property name="sessionRegistry" ref="sessionRegistry"/>
  <property name="expiredUrl" value="/login?times"/>
</bean>
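<!-- Hand-built login filter, inserted before FORM_LOGIN_FILTER by the security:http block.
     Fix for the 401 described in the question: the original bean set no
     authenticationFailureHandler. A UsernamePasswordAuthenticationFilter without one
     falls back to a SimpleUrlAuthenticationFailureHandler that has no failure URL and
     therefore answers a failed login with HTTP 401 instead of redirecting. The
     authentication-failure-url attribute of security:form-login does not reach this
     bean, so the same URL is set explicitly here. -->
<bean id="authFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <property name="sessionAuthenticationStrategy" ref="sessionStrategy"/>
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationDetailsSource" ref="customAuthenticationDetailsSource"/>
  <property name="authenticationSuccessHandler" ref="customAuthenticationSuccessHandler"/>
  <!-- Redirect failed logins to the login page instead of sending a bare 401. -->
  <property name="authenticationFailureHandler">
    <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
      <property name="defaultFailureUrl" value="/login?failure"/>
    </bean>
  </property>
</bean>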
<!-- Session strategy used by authFilter; a project class built on the shared session registry. -->
<bean id="sessionStrategy" class="com.lucumt.security.CustomConcurrentSessionControlStrategy">
  <constructor-arg ref="sessionRegistry"/>
</bean>

<!-- DAO handed to securityMetadataSource. -->
<bean id="authorityDao" class="com.lucumt.dao.impl.AuthorityDaoImpl"/>

<!-- Single session registry referenced by concurrency-control, concurrencyFilter and sessionStrategy. -->
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
</beans>
如您所见,我已按如下方式配置了 authentication-failure-url,但它不起作用!
<!-- Excerpt from the configuration above. These attributes configure the login filter
     that the security namespace creates; a separately declared filter bean does not
     inherit them. -->
<security:form-login login-page="/login"
                     authentication-failure-url="/login?failure"
                     authentication-details-source-ref="customAuthenticationDetailsSource"
                     authentication-success-handler-ref="customAuthenticationSuccessHandler"/>
但是,如果我删除下面这段 session-management 配置,authentication-failure-url 就会生效!
<!-- Excerpt from the configuration above: the lines whose removal makes the failure URL work. -->
<security:session-management session-authentication-error-url="/login" invalid-session-url="/login">
  <security:concurrency-control session-registry-ref="sessionRegistry" expired-url="/login"/>
</security:session-management>
<security:custom-filter before="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"/>
<!-- NOTE(review): this line registers authFilter ahead of the form-login filter; removing
     it is presumably what lets authentication-failure-url take effect, rather than the
     removal of session-management itself. -->
<security:custom-filter before="FORM_LOGIN_FILTER" ref="authFilter"/>
我添加 session-management 的原因是,我想通过 Java 代码限制同时登录的用户数。
我既想保留 session-management,又想让 authentication-failure-url 生效,有人可以帮助我吗?提前致谢!
答案 0 :(得分:0)
将它放在Dispatcher-servlet.xml
中 <bean
class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
<!-- NOTE(review): this resolver only sees exceptions raised while the DispatcherServlet
     handles a request. A failed login is rejected earlier, inside the Spring Security
     filter chain, so this mapping is unlikely to change the 401 response. -->
<property name="exceptionMappings">
<props>
<!-- Maps every java.lang.Exception to the login/login view, so unrelated application
     errors would also render the login page and hide the real failure. -->
<prop key="java.lang.Exception">login/login</prop>
</props>
</property>
</bean>
完全解决你的问题。