1

我正在使用 Spring MVC 和 Spring Security Release 3.1.3 和 tomcat 7.0.37

我需要配置 2 个安全过滤器链,一个用于 BasicAuthentication,一个用于 FormBasedAuthentication。

这是我的 spring-security.xml 文件:

<beans:beans ...>
...

<!-- ....................... -->
<!-- The Gui is secured here -->
<!-- ....................... -->
<http auto-config="true" use-expressions="true" pattern="/gui/**">
    <intercept-url pattern="/gui/login**" access="isAnonymous()"/>

    <form-login login-page="/gui/login" default-target-url="/gui/welcome"
                authentication-failure-url="/gui/loginfailed" />

    <logout logout-success-url="/gui/logout" />

    <intercept-url pattern="/welcome*" access="hasRole('een_admin')" /> 
    <intercept-url pattern="/mandantAdmin/**" access="isAuthenticated()"/>
    <intercept-url pattern="/standortAdmin/**" access="isAuthenticated()"/> 
    <intercept-url pattern="/ereignisse/**" access="isAuthenticated()" />
    <intercept-url pattern="/tickets/**" access="isAuthenticated()"/>  <!-- requires-channel="https" -->        
    <intercept-url pattern="/**" access="hasRole('een_admin')"/>
</http>

<!-- ................................. -->
<!-- The Service Methods are secured here -->
<!-- ................................. -->
<http use-expressions="true" >
    <http-basic />
    <logout logout-url="/resources/j_spring_security_logout"/>

    <intercept-url pattern="/service/ticketManagement/**" access="isAuthenticated()"/>
    <intercept-url pattern="/service/standortKonfig/**" access="isAuthenticated()"/>
    <intercept-url pattern="/service/ereignisStorage/**" access="isAuthenticated()"/>

</http>
<debug/>


<authentication-manager>
  <authentication-provider>
    <password-encoder hash="sha-256"/>
    <user-service>
        <user name="123" password="asdf" authorities="een_admin" />
    </user-service>
  </authentication-provider>
</authentication-manager>
</beans:beans>

我的 web.xml 如下:

<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/mvc-dispatcher-servlet.xml,
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>

<!-- ........................................................................... -->
<!--                                Spring Security                              -->
<!-- ........................................................................... -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>    

当访问基于表单的受保护资源之一时,我成功委派给配置的自定义登录表单。但是在输入我的凭据后,我收到一个 404 错误,找不到“j_spring_security_check”(它正在使用这个 url: "http://127.0.0.1:8080/webapp/j_spring_security_check"

以下是一些日志:

Request received for '/gui/login':

org.apache.catalina.connector.RequestFacade@174e4b3

servletPath:/gui/login
    pathInfo:null

    Security filter chain: [
      SecurityContextPersistenceFilter
      LogoutFilter
      UsernamePasswordAuthenticationFilter
      BasicAuthenticationFilter
      RequestCacheAwareFilter
      SecurityContextHolderAwareRequestFilter
      AnonymousAuthenticationFilter
      SessionManagementFilter
      ExceptionTranslationFilter
      FilterSecurityInterceptor
    ]
    Request received for '/j_spring_security_check':

    org.apache.catalina.connector.RequestFacade@174e4b3

    servletPath:/j_spring_security_check
    pathInfo:null

    Security filter chain: [
      SecurityContextPersistenceFilter
      LogoutFilter
      BasicAuthenticationFilter
      RequestCacheAwareFilter
      SecurityContextHolderAwareRequestFilter
      AnonymousAuthenticationFilter
      SessionManagementFilter
      ExceptionTranslationFilter
      FilterSecurityInterceptor
    ]

    01:06:06,345  WARN http-apr-8080-exec-3 servlet.PageNotFound:1080 - No mapping found for HTTP request with URI [/webapp/j_spring_security_check] in DispatcherServlet with name 'mvc-dispatcher'

    In access_logs:
    "POST /webapp/j_spring_security_check HTTP/1.1" 404 949

请注意重定向时缺少的UsernamePasswordAuthenticationFilter 。

如果我删除第一个元素中的模式属性 pattern="/gui/**" 并注释掉第二个元素(需要,否则拦截器 URL 模式存在问题)它再次正常工作。

稍微简化一下:当向 http 元素添加模式属性时,j_spring_security_check 再也找不到了。

我做错了什么,有人可以帮助我吗?

4

1 回答 1

3

您需要意识到您在http块中定义的 URL与属性无关,因此首先,您拥有的所有模式(例如)都将不起作用,因为它们只会为以永远不会匹配。应该是。patternintercept-url/welcome*/gui/gui/welcome

您的登录表单提交到的 URL 也必须在form-login某处具有匹配元素。在您的情况下,它位于过滤器链中,因此永远不会匹配/gui/**请求。/j_spring_security_check

因此,您需要将登录表单中的 URL 更改为以/gui. 您还可以通过设置login-processing-url. 例如:

<form-login login-processing-url="/gui/login.do" login-page="/gui/login" default-target-url="/gui/welcome" authentication-failure-url="/gui/loginfailed" />

(选择完全不提及 Spring 的东西是个好主意)。

您还应该删除该auto-config属性,因为它在这里没有做任何有用的事情,只会让人们感到困惑。

于 2013-03-23T16:15:30.677 回答