
I have a web application that uses Spring Security to manage authentication. My client has 2 login forms, and my Spring Security configuration is as follows:

<http auto-config="true" use-expressions="true" create-session="always">
        <intercept-url pattern="/**"  access="permitAll" />

        <form-login login-processing-url="/user/login" login-page="/user/login/unauthorized" 
            default-target-url="/user/firstLogin" authentication-failure-url="/user/login/failure" />

        <form-login login-processing-url="/user/relogin" login-page="/user/login/unauthorized" 
            default-target-url="/user/reLoginFromClient" authentication-failure-url="/user/login/failure" />

        <logout logout-url="/user/logout/spring" logout-success-url="/user/logout/success" />
        <access-denied-handler ref="accessDeniedHandler"/>
    </http>

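The first form-login element works fine, i.e. I am able to log in from the /user/login URL. However, when I try to log in from the second URL, /user/relogin, I get a 415: Unsupported Media Type response from the server.

Note that if I switch the two elements, the one on top works fine, while the one on the bottom results in a 415 response.

I did as suggested in the selected answer, and my configuration now looks like this: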

<http auto-config="true" use-expressions="true" create-session="always" authentication-manager-ref="authenticationManager">
        <intercept-url pattern="/**"  access="permitAll" />
        <custom-filter after="SECURITY_CONTEXT_FILTER" ref="reLoginFilter"/>
        <form-login login-processing-url="/user/login" login-page="/user/login/unauthorized" 
            default-target-url="/user/firstLogin" authentication-failure-url="/user/login/failure" />
        <logout logout-url="/user/logout/spring" logout-success-url="/user/logout/success" />
        <access-denied-handler ref="accessDeniedHandler"/>  
    </http>

    <beans:bean id="reLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="filterProcessesUrl" value="/user/relogin"/>
        <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
        <beans:property name="authenticationFailureHandler" ref="authenticationFailHandler" />
    </beans:bean> 

    <beans:bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/user/relogin/success"/>
    </beans:bean>

    <beans:bean id="authenticationFailHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/user/login/failure"/>
    </beans:bean>

1 Answer


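You can't use multiple <form-login> elements within a single <http> element.

Instead, you can use one and add the second by defining a UsernamePasswordAuthenticationFilter bean and inserting it using the custom-filter element.

You should also remove auto-config. It's also rarely necessary to create a session for every request, so I would also remove the create-session attribute unless you are sure you need it.

Answered 2013-02-25T16:56:40.463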
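An added example, not part of the original question or answer: a small Python check that scans a Spring Security XML file for the three things the answer calls out (more than one <form-login> in a single <http>, auto-config, and create-session="always"). The function name, the finding codes and the wrapping root element with its namespace declarations are assumptions made for this sketch; the sample is the question's first configuration.

```python
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"

# Constructed sample: the question's first configuration, wrapped in a root
# element carrying the namespace declarations the page's fragment omits.
SAMPLE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true" use-expressions="true" create-session="always">
    <intercept-url pattern="/**" access="permitAll" />
    <form-login login-processing-url="/user/login" login-page="/user/login/unauthorized"
        default-target-url="/user/firstLogin" authentication-failure-url="/user/login/failure" />
    <form-login login-processing-url="/user/relogin" login-page="/user/login/unauthorized"
        default-target-url="/user/reLoginFromClient" authentication-failure-url="/user/login/failure" />
    <logout logout-url="/user/logout/spring" logout-success-url="/user/logout/success" />
  </http>
</beans:beans>"""


def lint_security_config(xml_text):
    """Return (code, message) findings for every <http> element in the file."""
    root = ET.fromstring(xml_text)
    findings = []
    for http in root.iter("{%s}http" % SEC_NS):
        # Only direct children count: the limit is per <http> element.
        forms = http.findall("{%s}form-login" % SEC_NS)
        if len(forms) > 1:
            urls = [f.get("login-processing-url", "(default)") for f in forms]
            findings.append(("MULTI_FORM_LOGIN",
                "%d <form-login> elements in one <http> (%s): keep one and add "
                "the other as a UsernamePasswordAuthenticationFilter bean via "
                "<custom-filter>" % (len(forms), ", ".join(urls))))
        if http.get("auto-config") == "true":
            findings.append(("AUTO_CONFIG",
                "auto-config is enabled; the answer advises removing it"))
        if http.get("create-session") == "always":
            findings.append(("SESSION_ALWAYS",
                "a session is created for every request; remove create-session "
                "unless it is really needed"))
    return findings


if __name__ == "__main__":
    for code, message in lint_security_config(SAMPLE):
        print(code + ": " + message)
```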