java 使用 Spring Security 创建自定义登录表单
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3453957/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Creating a custom login form with Spring Security
提问by Robert S.
I'm trying to get the custom login form to work with Spring Security 3.0.
我正在尝试让自定义登录表单与 Spring Security 3.0 一起使用。
The default login form works fine with the security configuration below. Then I added the form-login attribute, created the login controller and jsp page to handle the /accounts/logIn URL and now have this problem: when I enter my guest/guest credentials, I am sent back to the logIn page.
默认登录表单适用于以下安全配置。然后我添加了 form-login 属性,创建了登录控制器和 jsp 页面来处理 /accounts/logIn URL,现在有这个问题:当我输入我的访客/访客凭证时,我被送回登录页面。
One thing I noticed in the catalina.out log is that the successful check is looking at /j_security_check, whereas the unsuccessful one is looking at /accounts/j_security_check.
我在 catalina.out 日志中注意到的一件事是,成功的检查正在查看 /j_security_check,而不成功的检查正在查看 /accounts/j_security_check。
Here's my security-config.xml:
这是我的 security-config.xml:
<http auto-config="true" use-expressions="true">
<form-login login-page="/accounts/logIn" /><!--ADDED THIS AFTER TESTING DEFAULT LOGIN-->
<intercept-url pattern="/accounts/logIn" access="permitAll()"/>
<intercept-url pattern="/**" access="isAuthenticated()"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user authorities="ROLE_USER" name="guest" password="guest"/>
</user-service>
</authentication-provider>
</authentication-manager>
Here is the section of catalina.out that looks relevant:
这是 catalina.out 中看起来相关的部分:
DEBUG: org.springframework.security.web.FilterChainProxy - Candidate is: '/accounts/j_spring_security_check'; pattern is /**; matched=true
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 1 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@8cbb423'
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.sessi\
on.StandardSessionFacade@4679cf8c. A new one will be created.
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 2 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@5d49453c'
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 3 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@756095fc'
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 4 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.authentication.www.BasicAuthenticationFilter@18170f98'
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 5 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1200d083'
DEBUG: org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
DEBUG: org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: arg1=null; arg2=j_username=guest&j_password=guest (property not equals)
DEBUG: org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 6 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@737951b0'
DEBUG: org.springframework.security.web.FilterChainProxy - /accounts/j_spring_security_check?j_username=guest&j_password=guest at position 7 of 10 in additional filter\
chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@49c06a6d'
DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.secur\
ity.authentication.AnonymousAuthenticationToken@6faaf9b0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.securit\
y.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: 0560416CA2D07AFF3040E75867157A95; Granted Authorities: ROLE_ANON\
YMOUS'
回答by Stephen C
What should be happening is that your form should capture the user name and password and do a POST to the j_spring_security_checkentry point the credentials as parameters; e.g.
应该发生的是,您的表单应该捕获用户名和密码,j_spring_security_check并将凭据作为参数发送到入口点;例如
/accounts/j_spring_security_check?j_username=guest&j_password=guest
This is then supposed to check them, and if they are correct, add the details to the user's session and redirect back to the page that the user was trying to access in the first place.
然后应该检查它们,如果它们正确,则将详细信息添加到用户的会话中并重定向回用户最初尝试访问的页面。
However, it looks like the request to the j_spring_security_checkURL is being redirected by the filter chain.
但是,j_spring_security_check过滤器链似乎正在重定向对URL的请求。
I can think of two possible causes:
我能想到两个可能的原因:
The security check URL
"/accounts/j_spring_security_check"might not be right. You could try"/j_spring_security_check"instead.The
<intercept-url>elements have been configured so that requests to the security check URL require some authorities. (In this case, the catch-all element for the"/**"seems to be the problem.) That is incorrect. You need to configure the<intercept-url>elements to allow requests to the security check URL when the requestor is anonymous.
安全检查 URL
"/accounts/j_spring_security_check"可能不正确。你可以试试"/j_spring_security_check"。这些
<intercept-url>元素已经过配置,因此对安全检查 URL 的请求需要一些权限。(在这种情况下, 的包罗万象的元素"/**"似乎是问题所在。)这是不正确的。<intercept-url>当请求者是匿名的时,您需要配置元素以允许对安全检查 URL 的请求。
回答by EMMERICH
It seems that the log in page is redirecting you back to the login page. You can use the default-target-urlattribute on the form-loginelement to specify where the page is to go after login.
登录页面似乎将您重定向回登录页面。您可以使用元素default-target-url上的属性form-login来指定登录后页面的去向。
For example,
例如,
<form-login default-target-url="/accounts/home" login-page="accounts/logIn" />
<form-login default-target-url="/accounts/home" login-page="accounts/logIn" />
