使用自定义表单的Spring-security - 身份验证不起作用

时间:2016-10-02 20:04:05

标签: java spring spring-mvc authentication spring-security

我正在尝试使用Spring-Security 4.0.2.RELEASE实现自定义登录以进行身份​​验证和自动化。我正在使用xml配置。

这是我的web.xml

<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
    http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <display-name>Authorization with Spring security</display-name>

    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!-- Spring Security -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>

</web-app>

这是我的spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="true">
        <intercept-url pattern="/admin*" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/member*" access="hasAnyRole('ROLE_MEMBER','ROLE_ADMIN')" />

        <form-login 
        login-page="/login"
        authentication-failure-url="/login?error"/>

        <logout invalidate-session="true"/>
        <csrf/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_ADMIN" />
                <user name="member" password="member" authorities="ROLE_MEMBER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

这是我使用Bootstrap构建的login.jsp:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>LOGIN - PAOLO</title>

<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">

<!-- Optional theme -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous">

<!-- Latest compiled and minified JavaScript -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>

</head>
<body>

    <form>
        <div class="form-group">
            <label for="username">Username</label> <input type="text" name='j_username'
                class="form-control" id="username" placeholder="Username">
        </div>
        <div class="form-group">
            <label for="exampleInputPassword1">Password</label> <input
                type="password" name='j_password' class="form-control" id="exampleInputPassword1"
                placeholder="Password">
        </div>
        <button type="submit" class="btn btn-default">Submit</button>
    </form>
</body>
</html>

如果我从login-page="/login"中删除spring-security.xml,即使用spring security提供的默认登录表单,则身份验证正常运行:只允许admin / admin和member / member访问。如果我按下提交按钮时使用我的自定义表单,则/login?j_username=<inserted_username>&j_password=<inserted_password>的GET请求将启动。 我不明白为什么我的身份验证不适用于自定义表单。

1 个答案:

答案 0 :(得分:0)

首先,使用登录URL向您的表单标记添加一个action属性,根据您的安全xml配置它是'/ login',并使用POST值添加方法属性,因为表单是要发布的。像这样:

<form method="POST" action="/login" >

还建议在action属性中使用spring url标记,只是为了安全起见,并确保我们将填充正确的URL。

其次,您在安全配置中缺少读取用户名和密码的位置。 

<form-login login-page="/login" login-processing-url="/login" 
    username-parameter="userNameLogin" password-parameter="passwordLogin"/>

您应该将username-parameter和password-parameter属性添加到表单登录中。

在您的情况下,他们的值将是j_username和j_password。

相关问题
最新问题