Notice: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must keep the same license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/15489911/
This webpage has a redirect loop in spring-security application
Asked by Java Questions
I have a web application in Spring which uses Spring Security. When I try to execute the application it says
This webpage has a redirect loop
This is my security-context.xml.
After adding this only, I get this exception.
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- HTTP security configurations -->
    <http use-expressions="true">
        <form-login login-processing-url="/resources/j_spring_security_check"
            login-page="/login" authentication-failure-url="/login?login_error=t" />
        <logout logout-url="/resources/j_spring_security_logout" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <intercept-url pattern="/login*" access="permitAll()" />
        <intercept-url pattern="/resources/**" access="permitAll()" />
    </http>

    <!-- Configure Authentication mechanism -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="RIGHT_LIST,RIGHT_CANCEL,RIGHT_CREATE,RIGHT_UPDATE" />
                <user name="antony" password="antony" authorities="RIGHT_LIST,RIGHT_CANCEL,RIGHT_CREATE,RIGHT_UPDATE" />
                <user name="rod" password="rod" authorities="RIGHT_LIST,RIGHT_CREATE"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

    <global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
        <expression-handler ref="expHandler"/>
    </global-method-security>

    <b:bean id="expHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <b:property name="permissionEvaluator">
            <b:bean class="com.anto.springsec.security.CreateContactPermissionEvaluator"/>
        </b:property>
    </b:bean>
</b:beans>
I have one login.jsp and one more createContact.jsp.
This is my home controller:
package com.anto.springsec.controllers;

import java.text.DateFormat;
import java.util.Date;
import java.util.Locale;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

/**
 * Handles requests for the application home page.
 */
@Controller
public class HomeController {

    private static final Logger logger = LoggerFactory.getLogger(HomeController.class);

    /**
     * Simply selects the home view to render by returning its name.
     */
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String home(Locale locale, Model model) {
        logger.info("Welcome home! The client locale is {}.", locale);
        Date date = new Date();
        DateFormat dateFormat = DateFormat.getDateTimeInstance(DateFormat.LONG, DateFormat.LONG, locale);
        String formattedDate = dateFormat.format(date);
        model.addAttribute("serverTime", formattedDate );
        return "login";
    }
}
Please help me to resolve this.
Answered by limc
I believe the order of intercept-url is important here, and it seems like your /** pattern is swallowing /login and /resources too.
Try this:-
<http pattern="/resources/**" security="none"/>
<http pattern="/login" security="none"/>
<http use-expressions="true">
    <form-login login-processing-url="/resources/j_spring_security_check"
        login-page="/login" authentication-failure-url="/login?login_error=t" />
    <logout logout-url="/resources/j_spring_security_logout" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>
This configuration is very similar to one of my existing projects.
UPDATE
This is the configuration I'm currently using in my project:-
<security:http pattern="/resources/**" security="none"/>
<security:http pattern="/login" security="none"/>
<security:http pattern="/error/**" security="none"/>
<security:http auto-config="true">
    <security:form-login login-page="/login"
        authentication-failure-url="/login?login_error=1"
        default-target-url="/"
        always-use-default-target="true"/>
    <security:logout logout-success-url="/"/>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
</security:http>
03-19-13
In order to use security attribute in http tag, you will need Spring Security 3.1... see http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#new-3.1-ns
Answered by Kris
Try this
change
<intercept-url pattern="/login*" access="permitAll()" />
to
<intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
OR
<intercept-url pattern="/login*" access="isAnonymous()" />
As you have expression true I think you have to use isAnonymous()
intercept-url element to say that any requests for the login page should be available to anonymous users. Otherwise the request would be matched by the pattern /** and it wouldn't be possible to access the login page itself! This is a common configuration error and will result in an infinite loop in the application. Read more from here
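The ordering problem that both answers describe, as an added example (not code from the original posts): a small Python audit that applies first-match-wins evaluation to the question's http block and flags a login page that resolves to an authenticated rule. The simplified Ant matcher, the ANONYMOUS_OK set, ignoring the query string, the reordered sample, and the names audit and first_match are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the question's <http> block (logout element omitted).
QUESTION_HTTP = """<http use-expressions="true">
  <form-login login-page="/login" authentication-failure-url="/login?login_error=t"/>
  <intercept-url pattern="/**" access="isAuthenticated()"/>
  <intercept-url pattern="/login*" access="permitAll()"/>
  <intercept-url pattern="/resources/**" access="permitAll()"/>
</http>"""
# Constructed sample: the same rules with the catch-all moved to the end.
REORDERED_HTTP = """<http use-expressions="true">
  <form-login login-page="/login" authentication-failure-url="/login?login_error=t"/>
  <intercept-url pattern="/login*" access="permitAll()"/>
  <intercept-url pattern="/resources/**" access="permitAll()"/>
  <intercept-url pattern="/**" access="isAuthenticated()"/>
</http>"""
# Access values this example treats as open to anonymous users (assumption).
ANONYMOUS_OK = {"permitAll", "permitAll()", "isAnonymous()", "IS_AUTHENTICATED_ANONYMOUSLY"}

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: ** crosses '/', * and ? stay in one segment."""
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.compile("^" + "".join(table.get(p, re.escape(p)) for p in parts) + "$")

def first_match(rules, path):
    """Return the first (pattern, access) that matches; query string ignored (assumption)."""
    path = path.split("?", 1)[0]
    return next((r for r in rules if ant_to_regex(r[0]).match(path)), None)

def audit(http_xml):
    """Flag a login page that needs authentication and rules listed after /**."""
    root = ET.fromstring(http_xml)
    rules = [(e.get("pattern"), e.get("access")) for e in root.iter("intercept-url")]
    login_page = root.find("form-login").get("login-page")
    findings = []
    hit = first_match(rules, login_page)
    if hit and hit[1] not in ANONYMOUS_OK:
        findings.append("redirect loop: %s is decided by %s -> %s" % (login_page, *hit))
    patterns = [p for p, _ in rules]
    if "/**" in patterns:
        for p in patterns[patterns.index("/**") + 1:]:
            findings.append("unreachable: %s is listed after /**" % p)
    return findings

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_HTTP), ("reordered", REORDERED_HTTP)):
        print(name, audit(cfg) or "ok")
```

The audit only inspects intercept-url ordering inside one http element; separate http elements with security="none", as in limc's answer, are outside what it checks.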