我注意到很多人配置 Spring Securityform-login如下
<form-login login-processing-url="/static/j_spring_security_check" login-page="/login"
authentication-failure-url="/login?login_error=t"/>
默认login-processing-url是/j_spring_security_check那么为什么要通过添加来更改它/static?
在功能方面没有区别。只是 Spring 框架非常灵活,可以让您轻松更改各种配置。当您想隐藏您正在使用 Spring Security 的事实时,它会很有用,方法是更改为不同的 url(没有 Spring it it)。
Adding To Umesh's answer and quoting it from Spring Security Book
It may be obvious, but if we only wanted to add a custom login page, we would only need to specify the login-page attribute. We would then create our login form using the default values for the remaining attributes. However, it is often a good practice to override the values of anything visible to users, to prevent exposing that we are using Spring Security. Revealing what frameworks we are using is a type of "information leakage", making it easier for attackers to determine potential holes in our security.
如果您仍然对使用登录处理 URL 感兴趣,我们可以更改默认 URL。因此,如果您当时在 http 标签中定义了模式, j_spring_security 将失败。因此,当我们根据模式进行限制时,它非常有用。