Question

我使用spring-security来管理我的spring-mvc项目中的用户身份验证，但现在我发现当我输入错误的用户名或密码并登录时，它会显示 HTTP状态401，身份验证下面列出的我的网络浏览器上的“凭据错误页面已失败”。但是我在spring-security.xml文件中配置了authentication-failure-url，但它不起作用，我不知道为什么。任何人都可以帮助我吗？

这是浏览器显示的错误页面：

这是我的spring-security.xml配置代码：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:http pattern="/interface/**" security="none"/>
    <security:http pattern="/forward.html" security="none"/>
    <security:http pattern="/js/**" security="none"/>
    <security:http pattern="/css/**" security="none"/>
    <security:http pattern="/images/**" security="none"/>
    <security:http pattern="/file/**" security="none"/>
    <security:http pattern="/favicon.ico" security="none"/>
    <security:http pattern="/login**" security="none" />

    <security:http auto-config="true" access-denied-page="/accessDenied" use-expressions="true">


        <security:intercept-url pattern="/login**" access="isAnonymous()" /> -->
        <security:intercept-url pattern="/common/exceptionInfo.jsp" access="isAnonymous()" />


        <security:intercept-url pattern="/**" access="isFullyAuthenticated()" /> 

        <security:session-management  session-authentication-error-url="/login" invalid-session-url="/login">
          <security:concurrency-control session-registry-ref="sessionRegistry" expired-url="/login"/>
        </security:session-management>

        <security:custom-filter before="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <security:custom-filter before="FORM_LOGIN_FILTER" ref="authFilter" />


        <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="securityFilter"/>

        <security:form-login login-page="/login" authentication-failure-url="/login?failure" 
             authentication-details-source-ref="customAuthenticationDetailsSource"
             authentication-success-handler-ref="customAuthenticationSuccessHandler"/>

        <security:logout invalidate-session="true" logout-url="/logout" success-handler-ref="customLogoutSuccessHandler"/> 

    </security:http>


    <security:authentication-manager alias="authenticationManager">
       <security:authentication-provider ref="customAuthenticationProvider"/>
    </security:authentication-manager>


    <bean id="customUserDetailsService" class="com.lucumt.security.CustomUserDetailsService"/>

    <bean id="customAuthenticationProvider" class="com.lucumt.security.CustomAuthenticationProvider">
      <property name="userDetailsService" ref="customUserDetailsService"/>
    </bean>

    <bean id="customAuthenticationDetailsSource" class="com.lucumt.security.CustomAuthenticationDetailsSource"/>


    <bean id="customAuthenticationSuccessHandler" class="com.lucumt.security.CustomAuthenticationSuccessHandler">
      <property name="defaultTargetUrl" value="/home"/>
    </bean>


    <bean id="customLogoutSuccessHandler" class="com.lucumt.security.CustomLogoutSuccessHandler">
      <property name="defaultTargetUrl" value="/login"/>
    </bean>

    <bean id="securityFilter" class="com.lucumt.security.CustomFilterSecurityInterceptor">

      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="accessDecisionManager" ref="accessDecisionManager"/>
      <property name="securityMetadataSource" ref="securityMetadataSource"/>
    </bean>

    <bean id="accessDecisionManager" class="com.lucumt.security.CustomAccessDecisionManager"/>


    <bean id="securityMetadataSource" class="com.lucumt.security.CustomInvocationSecurityMetadataSource">
      <constructor-arg ref="authorityDao"/>
    </bean>

  <bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry" />
    <property name="expiredUrl" value="/login?times" />
  </bean>

  <bean id="authFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="sessionAuthenticationStrategy" ref="sessionStrategy" />
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationDetailsSource" ref="customAuthenticationDetailsSource"/>
    <property name="authenticationSuccessHandler" ref="customAuthenticationSuccessHandler"/>
  </bean>

    <bean id="sessionStrategy" class="com.lucumt.security.CustomConcurrentSessionControlStrategy">
      <constructor-arg ref="sessionRegistry"/>
    </bean>

    <bean id="authorityDao" class="com.lucumt.dao.impl.AuthorityDaoImpl"/>

    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>

</beans>

如您所见，我已将authentication-failure-url配置如下，但它不起作用！

<security:form-login login-page="/login" authentication-failure-url="/login?failure" 
     authentication-details-source-ref="customAuthenticationDetailsSource"
     authentication-success-handler-ref="customAuthenticationSuccessHandler"/>

但是，如果我删除session-management配置如下，则authentication-failure-url将有效！

<security:session-management  session-authentication-error-url="/login" invalid-session-url="/login">
  <security:concurrency-control session-registry-ref="sessionRegistry" expired-url="/login"/>
</security:session-management>

<security:custom-filter before="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
<security:custom-filter before="FORM_LOGIN_FILTER" ref="authFilter" />

我添加session-management的原因是我想限制可以通过Java代码同时登录的用户数。

既然我想坚持session-management并想要authentication-failure-url工作，那么有人可以帮助我吗？提前致谢！

Answer 1

将它放在Dispatcher-servlet.xml

中

  <bean
        class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
        <property name="exceptionMappings">
            <props>
                <prop key="java.lang.Exception">login/login</prop>
            </props>
        </property>
    </bean>

完全解决你的问题。

Spring Security身份验证失败页面不起作用

1 个答案: