0

我在实现 Spring Security 以及 Spring MVC 和 Hibernate 时遇到了麻烦。

当我提供凭据并验证表单时,它会转到以下 URL: http://localhost:8080/test/login_error.htm;jsessionid=9BE14BCXXXXXXXXXXXXXXXX 所以它会将我重定向到我在我的配置中配置的 login_error.htm 页面弹簧安全.xml。看起来已经创建了一个会话,因此之后会出现问题。

我确实尝试调试以了解更多信息,这是交易:

由于在 spring-security.xml 中将 UserDetailsS​​ervice 配置为我的 authenticationProvider,因此它进入了 UserDetailsS​​erviceImpl 类中的 findByUserName 方法:

public UserDetails loadUserByUsername(String username)

    throws UsernameNotFoundException, DataAccessException {

        UserEntity userEntity = dao.findByName(username);

        if (userEntity == null)
            throw new UsernameNotFoundException("user not found");

        return (UserDetails)assembler.buildUserFromUserEntity(userEntity);

    }

当它返回时,用户已正确加载,因此已建立与数据库的连接并且已找到用户,那一侧没有问题。我无法弄清楚问题出在哪里。

这是我正在使用的 UserEntityDAOImpl 类:

@Repository("userEntityDao")
public class UserEntityDAOImpl implements UserEntityDAO {

    private SessionFactory sessionFactory;

    @Autowired
    public void setSessionFactory(SessionFactory sessionFactory) {
        this.sessionFactory = sessionFactory;
    }

    public void addUser(UserEntity user) {
        sessionFactory.getCurrentSession().save(user);
    }

    public UserEntity findByName(String username) {
        Session session = sessionFactory.getCurrentSession();
        UserEntity user = (UserEntity)session.createQuery("select u from UserEntity u where u.username = '" + username + "'").uniqueResult();
        return user;
    }

...others methods like activate, listUsers, etc...

编辑:

@Service("assembler")
public class Assembler {

    @Transactional(readOnly = true)
    User buildUserFromUserEntity(UserEntity userEntity) {

        String username = userEntity.getUsername();
        String password = userEntity.getPassword();
        boolean enabled = userEntity.getActive();
        boolean accountNonExpired = userEntity.getActive();
        boolean credentialsNonExpired = userEntity.getActive();
        boolean accountNonLocked = userEntity.getActive();

        Collection<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>();

        for (SecurityRoleEntity role : userEntity.getSecurityRoleCollection()) {
            authorities.add(new SimpleGrantedAuthority(role.getName()));
        }

        User user = new User(username, password, enabled,
        accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
        return user;

    }

}

它正在从数据库中正确检索角色(在我的情况下为 ROLE_Admin)。

这是我的spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/context 
                        http://www.springframework.org/schema/context/spring-context-3.0.xsd
                        http://www.springframework.org/schema/security 
                        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http pattern="/resources/**" security="none"/>
    <http auto-config='true' use-expressions='true'>
        <intercept-url pattern="/login*" access="isAnonymous()" />
        <intercept-url pattern="/secure/**" access="hasRole('ROLE_Admin')" />

        <logout logout-success-url="/home.htm" />

        <form-login login-page="/login.htm" login-processing-url="/j_spring_security_check"
            authentication-failure-url="/login_error.htm" default-target-url="/home.htm"
            always-use-default-target="true" />
    </http>

    <beans:bean id="com.daoAuthenticationProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService" />
    </beans:bean>

    <beans:bean id="authenticationManager"
        class="org.springframework.security.authentication.ProviderManager">
        <beans:property name="providers">
            <beans:list>
                <beans:ref local="com.daoAuthenticationProvider" />
            </beans:list>
        </beans:property>
    </beans:bean>

    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService">
            <password-encoder hash="plaintext" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>

这是 web.xml:

<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <display-name>Spring MVC Application</display-name>

    <!-- Spring MVC -->
    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

</servlet> -->

    <!-- This listener creates the root application Context -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/applicationContext.xml
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>

    <!-- Spring Security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

</web-app>
4

1 回答 1

1

我怀疑您的用户没有设置所需的权限(即Authorities)。启用Spring Security 调试日志记录。做什么

assembler.buildUserFromUserEntity(userEntity);

做?如果在将loadUserByUsername打印返回UserDetails-getAuthorities()到控制台之前的方法中,您会看到什么?

于 2012-12-30T20:13:07.743 回答