Java Spring mvc / security:从 spring security 中排除登录页面
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20874571/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring mvc / security : excluding the login page from spring security
提问by shippi
I am using spring mvc + security to build a simple web app and currently having issues with the login. I am not able to exclude the login page from the spring security if i want to secure /** (everything basically). This is how my config look like:
我正在使用 spring mvc + security 来构建一个简单的 Web 应用程序,并且当前存在登录问题。如果我想保护 /** (基本上所有内容),我就无法从 Spring Security 中排除登录页面。这是我的配置的样子:
spring.security.xml
spring.security.xml
<http pattern="/login" security="none"/>
<http pattern="/view_register.htm" security="none"/>
<http>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login" default-target-url="/game" authentication-failure-url="/failedlogin" />
<logout logout-success-url="/login" />
</http>
LoginController
登录控制器
@Controller
public class LoginLogoutController {
@RequestMapping(value="/login", method = RequestMethod.GET)
public String login(ModelMap model) {
return "login";
}
@RequestMapping(value="/failedlogin", method = RequestMethod.GET)
public String loginerror(ModelMap model) {
model.addAttribute("error", "true");
return "login";
}
}
login.jsp
登录.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Login Page</title>
<style>
.errorblock {
color: #ff0000;
background-color: #ffEEEE;
border: 3px solid #ff0000;
padding: 8px;
margin: 16px;
}
</style>
</head>
<body onload='document.f.j_username.focus();'>
<h3>Login with Username and Password (Custom Page)</h3>
<c:if test="${not empty error}">
<div class="errorblock">
Your login attempt was not successful, try again.<br /> Caused :
${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
</div>
</c:if>
<form name='f' action="<c:url value='j_spring_security_check' />"
method='POST'>
<table>
<tr>
<td>User:</td>
<td><input type='text' name='j_username' value=''>
</td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='j_password' />
</td>
</tr>
<tr>
<td colspan='2'><input name="submit" type="submit"
value="submit" />
</td>
</tr>
<tr>
<td>Don't have an account yet.</td>
<td> <a href="<c:url value="view_register.htm" />" > Register here</a>
</td>
</tr>
</table>
</form>
</body>
</html>
I want to secure the whole app and exlude the login and the registration page. With my current config the whole security behaves very strangly. If i enter wrong credentials the
我想保护整个应用程序并排除登录和注册页面。使用我当前的配置,整个安全性表现得非常奇怪。如果我输入错误的凭据
@RequestMapping(value="/login", method = RequestMethod.GET)
public String login(ModelMap model) {
is called and from the other hand if i enter the correct username/pass the login failed controller method is called.
被调用,另一方面,如果我输入正确的用户名/通过,则调用登录失败的控制器方法。
Found out that if i modify the
发现如果我修改
<intercept-url pattern="/**" access="ROLE_USER" />
to
到
<intercept-url pattern="/game*" access="ROLE_USER" />
and remove the
并删除
<http pattern="/login" security="none"/>
everything is working as expected. Its very strange and can't really figure out why this is happening.
一切都按预期工作。它非常奇怪,无法真正弄清楚为什么会发生这种情况。
EDIT
编辑
Just created a tiny version of my sample project (maven) and uploaded to:fileswap. Any help or suggestion will be really cool as i am still confused.
刚刚创建了我的示例项目 (maven) 的一个小版本并上传到:fileswap。任何帮助或建议都会非常酷,因为我仍然感到困惑。
采纳答案by Alexey
Try to insert these lines:
尝试插入这些行:
<intercept-url pattern="/login/**" access="ROLE_ANONYMOUS,ROLE_USER" />
<intercept-url pattern="/failedlogin/**" access="ROLE_ANONYMOUS,ROLE_USER" />
<intercept-url pattern="/view_register/**" access="ROLE_ANONYMOUS,ROLE_USER" />
after <http>, and add auto-config="true"inside <http>:
之后<http>,并在auto-config="true"里面添加<http>:
<http auto-config="true">
<intercept-url pattern="/login/**" access="ROLE_ANONYMOUS,ROLE_USER" />
<intercept-url pattern="/failedlogin/**" access="ROLE_ANONYMOUS,ROLE_USER" />
<intercept-url pattern="/view_register/**" access="ROLE_ANONYMOUS,ROLE_USER" />
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login" default-target-url="/game" authentication-failure-url="/failedlogin" />
<logout logout-success-url="/login" />
</http>
and remove:
并删除:
<http pattern="/login" security="none"/>
I do not know what this line is for, but it should work without it.
我不知道这条线是做什么用的,但没有它它应该可以工作。
See the Spring Security Referencefor details on anonymous authentication(the important thing to understand is that if an anonymous user can access a page, it does not automatically mean that an authenticated user can access it too).
有关匿名身份验证的详细信息,请参阅Spring Security Reference(要了解的重要一点是,如果匿名用户可以访问页面,并不意味着经过身份验证的用户也可以访问它)。
BWT, ROLE_ANONYMOUSis a built-in role, but ROLE_USERis not, as explained here. You need to make sure ROLE_USERis assigned to the user.
BWT,ROLE_ANONYMOUS是一个内置的作用,但ROLE_USER不作为解释在这里。您需要确保ROLE_USER已分配给用户。
This answerexplains why patterns should end with /**.
这个答案解释了为什么模式应该以/**.
回答by Kevin Bowersox
Try using this configuration which allows anonymous access to these urls:
尝试使用允许匿名访问这些 url 的配置:
<http>
<intercept-url pattern="/**" access="ROLE_USER" />
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/view_register.htm" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<form-login login-page="/login" default-target-url="/game" authentication-failure-url="/failedlogin" />
<logout logout-success-url="/login" />
</http>
When you specify the following:
当您指定以下内容时:
<intercept-url pattern="/game*" access="ROLE_USER" />
Only URLs like ~/game*will be protected, leaving all other URLs unprotected.
只有像这样的 URL~/game*会受到保护,而所有其他 URL 则不受保护。
