Running

Time: 2017-01-11 21:20:18

Tags: java spring spring-security thymeleaf

I am extending WebSecurityConfigurerAdapter in spring-security 4.1.3 to log in to my site. This is my configure method

@Override
protected void configure(HttpSecurity http) throws Exception {
    SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    successHandler.setDefaultTargetUrl("/index");
    http
        .authorizeRequests()
            .antMatchers("/register", "/registerattempt", "/registeractivate").permitAll()
            .antMatchers("/assets/**", "/images/**", "/favicon**", "/min/**").permitAll()
            .anyRequest().hasRole("USER")
            .and()
        .formLogin()
            .loginPage("/login")
            .failureUrl("/login?error")
            .permitAll()
            .successHandler(successHandler)
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
            .deleteCookies("JSESSIONID")
            .invalidateHttpSession(true)
            .logoutSuccessUrl("/login")
            .and()
        .exceptionHandling()
            .accessDeniedHandler(new CustomAccessDeniedHandler());
}

My form posts using a Thymeleaf action like this

<form id="loginform" role="form" th:action="@{/login}"
                      method="post">

I actually have no POST controller method mapped to /login in my code, only the WebSecurityConfigurerAdapter. When I try to log in, it just reloads the login page; for the first 2 or 3 clicks on the login button, the /login POST shows a 302 status code in the network log, and there is also a /login GET with a 200. Then on the 3rd or 4th try it works: the /login POST still shows a 302, but it then GETs index.html.

This only happens the first time I log in; if I log in and then log out and log in again over and over, it always works. I am using Redis to store my sessions. Why does it take multiple login attempts?

The only difference I see in the response headers is

Location:http://localhost:8090/index

when it works, and

Location:http://localhost:8090/login

when it does not work.

Update: the debug logs are very verbose, but I see this line in the log when it fails, and it is not present when it works

13 Jan 2017 20:20:58.923 [http-nio-8090-exec-8] DEBUG org.springframework.security.web.csrf.CsrfFilter - Invalid CSRF token found for http://localhost:8090/login

Here is an excerpt from the failing case

13 Jan 2017 20:20:58.923 [http-nio-8090-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
13 Jan 2017 20:20:58.923 [http-nio-8090-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
13 Jan 2017 20:20:58.923 [http-nio-8090-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /login at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
13 Jan 2017 20:20:58.923 [http-nio-8090-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /login at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
13 Jan 2017 20:20:58.923 [http-nio-8090-exec-8] DEBUG org.springframework.security.web.csrf.CsrfFilter - Invalid CSRF token found for http://localhost:8090/login
13 Jan 2017 20:20:58.923 [http-nio-8090-exec-8] DEBUG org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@1f8411e9
13 Jan 2017 20:20:58.923 [http-nio-8090-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
13 Jan 2017 20:20:58.931 [http-nio-8090-exec-8] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

And when it works

13 Jan 2017 20:25:44.244 [http-nio-8090-exec-5] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
13 Jan 2017 20:25:44.244 [http-nio-8090-exec-5] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper$HttpSessionWrapper@3e3a840e. A new one will be created.
13 Jan 2017 20:25:44.244 [http-nio-8090-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /login at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
13 Jan 2017 20:25:44.244 [http-nio-8090-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /login at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
13 Jan 2017 20:25:44.244 [http-nio-8090-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /login at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'

1 Answer:

Answer 0 (score: -1)

Try adding login-processing-url to the http (HttpSecurity) instance:

.loginProcessingUrl("/login")
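The failing excerpt in the question is CsrfFilter rejecting the POST right after HttpSessionSecurityContextRepository reports "No HttpSession currently exists". Spring Security's default CSRF protection is a synchronizer token: HttpSessionCsrfTokenRepository stores the token in the HttpSession (here served by Spring Session from Redis), Thymeleaf's th:action adds it as a hidden _csrf field through Spring's RequestDataValueProcessor, and CsrfFilter compares the posted value with the stored one and hands a mismatch to the configured AccessDeniedHandler (in the question, CustomAccessDeniedHandler). A POST that reaches the server without the session that issued the token can never pass that check, whatever the token value. The following is an added example and is not code from the question, the answer, or Spring Security itself: a stand-alone Java model of that session-bound check. The class, method and attribute names (CsrfTokenDemo, renderLoginPage, processLogin, the in-memory session map) are assumptions made for the example, and the returned strings only stand in for the 302/403 responses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not Spring Security code: a minimal model of the session-bound
 * synchronizer token that CsrfFilter checks on POST /login. All names are
 * assumptions chosen for the example.
 */
public class CsrfTokenDemo {
    // Assumption: key under which the example's session map stores the token.
    private static final String TOKEN_ATTR = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    // Stands in for the server-side session store (Spring Session on Redis in the question).
    private final Map<String, Map<String, Object>> sessions = new HashMap<>();

    private static String randomValue() {
        byte[] raw = new byte[24];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** What the rendered login page carries back to the browser: the session cookie and the hidden _csrf value. */
    public static final class LoginPage {
        public final String sessionId;
        public final String csrfToken;

        LoginPage(String sessionId, String csrfToken) {
            this.sessionId = sessionId;
            this.csrfToken = csrfToken;
        }
    }

    /** GET /login: create a session if the cookie is absent or unknown, then issue one token per session. */
    public LoginPage renderLoginPage(String sessionCookie) {
        Map<String, Object> session = sessionCookie == null ? null : sessions.get(sessionCookie);
        String sessionId = sessionCookie;
        if (session == null) {
            sessionId = randomValue();
            session = new HashMap<>();
            sessions.put(sessionId, session);
        }
        String token = (String) session.get(TOKEN_ATTR);
        if (token == null) {
            token = randomValue();
            session.put(TOKEN_ATTR, token); // the token lives in the session, never in a cookie
        }
        return new LoginPage(sessionId, token);
    }

    /** POST /login: the CsrfFilter step. Returns a short outcome string instead of sending a response. */
    public String processLogin(String sessionCookie, String formToken) {
        Map<String, Object> session = sessionCookie == null ? null : sessions.get(sessionCookie);
        if (session == null) {
            // The failing log: "No HttpSession currently exists" then "Invalid CSRF token found".
            // Without the session there is no stored token to compare against.
            return "403 invalid CSRF token (no session)";
        }
        String expected = (String) session.get(TOKEN_ATTR);
        // Constant-time comparison so the check does not leak the token byte by byte.
        if (expected == null || formToken == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          formToken.getBytes(StandardCharsets.UTF_8))) {
            return "403 invalid CSRF token";
        }
        return "302 /index"; // CSRF check passed; authentication would run next
    }

    public static void main(String[] args) {
        CsrfTokenDemo app = new CsrfTokenDemo();
        LoginPage page = app.renderLoginPage(null);
        // 1. Browser returns both the session cookie and the hidden _csrf field: accepted.
        System.out.println(app.processLogin(page.sessionId, page.csrfToken));
        // 2. Same form, but the POST arrives without the session that issued the token: rejected.
        System.out.println(app.processLogin(null, page.csrfToken));
        // 3. Cross-site POST: the attacker cannot read the token, so it is missing or wrong: rejected.
        System.out.println(app.processLogin(page.sessionId, "guess"));
        // 4. Re-rendering the login page for the same session reuses the stored token.
        LoginPage again = app.renderLoginPage(page.sessionId);
        System.out.println(again.csrfToken.equals(page.csrfToken) + " " + app.processLogin(page.sessionId, again.csrfToken));
    }
}
```

Compile and run with `javac CsrfTokenDemo.java && java CsrfTokenDemo`; the first and last POSTs are accepted, the second and third are rejected. The check a practitioner should make when debugging a log like the one in the question is whether the POST /login request carries the same session cookie that the preceding GET /login set: if it does not, the token in the form is valid for a session the server cannot see, and the 302 back to /login is the access-denied path, not a failed password.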