我正在使用 Spring MVC 和 Spring Security Release 3.1.3 和 tomcat 7.0.37
我需要配置 2 个安全过滤器链,一个用于 BasicAuthentication,一个用于 FormBasedAuthentication。
这是我的 spring-security.xml 文件:
<beans:beans ...>
...
<!-- ....................... -->
<!-- The Gui is secured here -->
<!-- ....................... -->
<http auto-config="true" use-expressions="true" pattern="/gui/**">
<intercept-url pattern="/gui/login**" access="isAnonymous()"/>
<form-login login-page="/gui/login" default-target-url="/gui/welcome"
authentication-failure-url="/gui/loginfailed" />
<logout logout-success-url="/gui/logout" />
<intercept-url pattern="/welcome*" access="hasRole('een_admin')" />
<intercept-url pattern="/mandantAdmin/**" access="isAuthenticated()"/>
<intercept-url pattern="/standortAdmin/**" access="isAuthenticated()"/>
<intercept-url pattern="/ereignisse/**" access="isAuthenticated()" />
<intercept-url pattern="/tickets/**" access="isAuthenticated()"/> <!-- requires-channel="https" -->
<intercept-url pattern="/**" access="hasRole('een_admin')"/>
</http>
<!-- ................................. -->
<!-- The Service Methods are secured here -->
<!-- ................................. -->
<http use-expressions="true" >
<http-basic />
<logout logout-url="/resources/j_spring_security_logout"/>
<intercept-url pattern="/service/ticketManagement/**" access="isAuthenticated()"/>
<intercept-url pattern="/service/standortKonfig/**" access="isAuthenticated()"/>
<intercept-url pattern="/service/ereignisStorage/**" access="isAuthenticated()"/>
</http>
<debug/>
<authentication-manager>
<authentication-provider>
<password-encoder hash="sha-256"/>
<user-service>
<user name="123" password="asdf" authorities="een_admin" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
我的 web.xml 如下:
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/mvc-dispatcher-servlet.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<!-- ........................................................................... -->
<!-- Spring Security -->
<!-- ........................................................................... -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
当访问基于表单的受保护资源之一时,我成功委派给配置的自定义登录表单。但是在输入我的凭据后,我收到一个 404 错误,找不到“j_spring_security_check”(它正在使用这个 url: "http://127.0.0.1:8080/webapp/j_spring_security_check"
)
以下是一些日志:
Request received for '/gui/login':
org.apache.catalina.connector.RequestFacade@174e4b3
servletPath:/gui/login
pathInfo:null
Security filter chain: [
SecurityContextPersistenceFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
Request received for '/j_spring_security_check':
org.apache.catalina.connector.RequestFacade@174e4b3
servletPath:/j_spring_security_check
pathInfo:null
Security filter chain: [
SecurityContextPersistenceFilter
LogoutFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
01:06:06,345 WARN http-apr-8080-exec-3 servlet.PageNotFound:1080 - No mapping found for HTTP request with URI [/webapp/j_spring_security_check] in DispatcherServlet with name 'mvc-dispatcher'
In access_logs:
"POST /webapp/j_spring_security_check HTTP/1.1" 404 949
请注意重定向时缺少的UsernamePasswordAuthenticationFilter 。
如果我删除第一个元素中的模式属性 pattern="/gui/**" 并注释掉第二个元素(需要,否则拦截器 URL 模式存在问题)它再次正常工作。
稍微简化一下:当向 http 元素添加模式属性时,j_spring_security_check 再也找不到了。
我做错了什么,有人可以帮助我吗?