
I have implemented Spring Security and it was working fine, but it suddenly stopped working. Now, when I try to access a protected URL it does not deny it; it lets me open the URL. When I try to log in with a valid user, it calls loginSuccessHandler but does not redirect to the secure/applications.html page. Sorry the details are a bit long, I am really stuck :(.

Spring log

20:41:04,555 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] - Checking match of request : '/j_spring_security_check'; against '/resources/**'
20:41:04,556 DEBUG [org.springframework.security.web.FilterChainProxy] - /j_spring_security_check at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
20:41:04,556 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - No HttpSession currently exists
20:41:04,556 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - No SecurityContext was available from the HttpSession: null. A new one will be created.
20:41:04,556 DEBUG [org.springframework.security.web.FilterChainProxy] - /j_spring_security_check at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
20:41:04,556 DEBUG [org.springframework.security.web.FilterChainProxy] - /j_spring_security_check at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
20:41:04,556 DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] - Request is to process authentication
20:41:04,557 DEBUG [org.springframework.security.authentication.ProviderManager] - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
Hibernate: select this_.id as id1_12_1_, this_.date as date2_12_1_, this_.email as email3_12_1_, this_.firstName as firstNam4_12_1_, this_.lastName as lastName5_12_1_, this_.password as password6_12_1_, this_.phoneNumber as phoneNum7_12_1_, this_.role as role8_12_1_, registerst2_.id as id1_11_0_, registerst2_.active as active2_11_0_, registerst2_.sessionExpiry as sessionE3_11_0_, registerst2_.sessionString as sessionS4_11_0_ from User this_ left outer join RegisterStatus registerst2_ on this_.id=registerst2_.id where this_.email=?
20:41:07,736 WARN  [org.springframework.security.authentication.event.LoggerListener] - Authentication event AuthenticationSuccessEvent: yahya.arshad@gmail.com; details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null
20:41:07,737 DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser@48f0db60: Username: yahya.arshad@gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities
20:41:07,737 DEBUG [org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices] - Did not send remember-me cookie (principal did not set parameter '_spring_security_remember_me')
20:41:07,737 DEBUG [org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices] - Remember-me login not requested.
20:41:07,737 WARN  [org.springframework.security.authentication.event.LoggerListener] - Authentication event InteractiveAuthenticationSuccessEvent: yahya.arshad@gmail.com; details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null
20:41:09,038 DEBUG [org.springframework.security.web.session.HttpSessionEventPublisher] - Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.mortbay.jetty.servlet.HashSessionManager$Session:ap7q19yq3oul@1156618876]
20:41:09,039 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@48f0accc: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser@48f0db60: Username: yahya.arshad@gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities'
20:41:09,041 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
20:41:09,047 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] - Checking match of request : '/secure/applications.html'; against '/resources/**'
20:41:09,047 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
20:41:09,047 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@48f0accc: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser@48f0db60: Username: yahya.arshad@gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities'
20:41:09,047 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 4 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 5 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 6 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 7 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter] - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser@48f0db60: Username: yahya.arshad@gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser@48f0db60: Username: yahya.arshad@gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Secure object: FilterInvocation: URL: /secure/applications.html; Attributes: [permitAll]
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser@48f0db60: Username: yahya.arshad@gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities
20:41:09,049 DEBUG [org.springframework.security.access.vote.AffirmativeBased] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3aa8c31b, returned: 1
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Authorization successful
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - RunAsManager did not change Authentication object
20:41:09,049 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html reached end of additional filter chain; proceeding with original chain
20:41:09,053 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] - Chain processed normally
20:41:09,053 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed

LoginSuccessHandler.java

package com.fyp.ptma.security;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class LoginSuccessHandler implements AuthenticationSuccessHandler,
        AuthenticationFailureHandler {

    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication auth)
            throws IOException, ServletException {
        // Expose the authenticated principal to the session and to this request
        request.getSession(true).setAttribute("user", auth.getPrincipal());
        request.setAttribute("user", auth.getPrincipal());

        // Relative redirect, resolved by the browser against /j_spring_security_check
        response.sendRedirect("secure/applications.html"); // it doesn't redirect
    }

    public void onAuthenticationFailure(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException auth)
            throws IOException, ServletException {
        // Expose the failure message to the session and to this request
        request.getSession(true).setAttribute("error", auth.getMessage());
        request.setAttribute("error", auth.getMessage());
        response.sendRedirect("login.html?error=true");
    }

}

security-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
                        http://www.springframework.org/schema/context
                        http://www.springframework.org/schema/context/spring-context-3.1.xsd">

    <context:component-scan base-package="com.fyp.ptma" />

    <beans:bean id="loggerListener"
        class="org.springframework.security.authentication.event.LoggerListener" />

    <global-method-security pre-post-annotations="enabled" />

    <http pattern="/resources/**" security="none" />

    <http use-expressions="true" auto-config="true">
        <intercept-url pattern="/**" access="permitAll" />

        <intercept-url pattern="/secure/*" access="isAuthenticated()" />
        <intercept-url pattern="/j_spring_security_check"
            access="permitAll" />
        <intercept-url pattern="/processRegistration.html"
            access="permitAll" />
        <form-login login-page="/login.html" default-target-url="/secure/fileUpload.html"
            authentication-failure-url="/login.html?error=true"
            login-processing-url="/j_spring_security_check"
            authentication-success-handler-ref="loginSuccessHandler" />
        <logout />
        <remember-me user-service-ref="userDetailsService" />
        <access-denied-handler error-page="/login.html?error=true" />
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService">
            <password-encoder hash="plaintext" />
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="userDetailsService"
        class="com.fyp.ptma.dao.service.UserDetailsServiceImpl" />
    <beans:bean id="loginSuccessHandler" class="com.fyp.ptma.security.LoginSuccessHandler" />

</beans:beans>

servlet-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- DispatcherServlet Context: defines this servlet's request-processing 
        infrastructure -->

    <beans:bean id="multipartResolver"
        class="org.springframework.web.multipart.commons.CommonsMultipartResolver" />
    <!-- Enables the Spring MVC @Controller programming model -->
    <annotation-driven />

    <!-- Handles HTTP GET requests for /resources/** by efficiently serving 
        up static resources in the ${webappRoot}/resources directory -->
    <resources mapping="/resources/**" location="/resources/" />

    <!-- Resolves views selected for rendering by @Controllers to .jsp resources 
        in the /WEB-INF/views directory -->
    <beans:bean
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <beans:property name="prefix" value="/WEB-INF/views/" />
        <beans:property name="suffix" value=".jsp" />
    </beans:bean>

    <context:component-scan base-package="com.fyp.ptma.controllers" />



</beans:beans>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    id="WebApp_ID" version="2.5">

    <!-- Creates the Spring Container shared by all Servlets and Filters -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>
    <context-param>
        <param-name>log4jConfigLocation</param-name>
        <param-value>/log4j.properties</param-value>
    </context-param>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring/root-context.xml
            /WEB-INF/spring/appServlet/security-context.xml
            /WEB-INF/hibernate/hibernate-config.xml
       </param-value>
    </context-param>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>


    <!-- Processes application requests -->
    <servlet>
        <servlet-name>appServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>appServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <session-config>
        <session-timeout>120</session-timeout>
    </session-config>
</web-app>
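The log above already carries the diagnostic: the FilterSecurityInterceptor line for /secure/applications.html reports Attributes: [permitAll], so the URL was never protected and "Authorization successful" is granted to anyone. The following Python check is an added example, not part of the original post: it parses those decision lines and flags every URL under a prefix you expect to be protected whose effective attribute is permitAll. The sample log is constructed from lines quoted above plus one assumed extra line for a protected URL that passes the check.

```python
import re

# Constructed sample: decision lines copied from the debug log in the question,
# plus one assumed line (the last) showing what a correctly protected URL looks like.
SAMPLE_LOG = """\
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Secure object: FilterInvocation: URL: /secure/applications.html; Attributes: [permitAll]
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Authorization successful
20:41:10,001 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Secure object: FilterInvocation: URL: /login.html; Attributes: [permitAll]
20:41:11,002 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Secure object: FilterInvocation: URL: /secure/fileUpload.html; Attributes: [isAuthenticated()]
"""

# Matches the "Secure object" line that FilterSecurityInterceptor logs before voting:
# the URL being authorized and the access attributes the matched intercept-url supplied.
SECURE_OBJECT = re.compile(
    r"FilterSecurityInterceptor\] - Secure object: FilterInvocation: "
    r"URL: (?P<url>[^;]+); Attributes: \[(?P<attrs>[^\]]*)\]"
)


def parse_decisions(log_text):
    """Return a list of (url, [attributes]) for every authorization decision line."""
    decisions = []
    for line in log_text.splitlines():
        m = SECURE_OBJECT.search(line)
        if m:
            attrs = [a.strip() for a in m.group("attrs").split(",") if a.strip()]
            decisions.append((m.group("url"), attrs))
    return decisions


def find_exposed(log_text, protected_prefixes):
    """Return URLs under a protected prefix whose effective attribute is permitAll.

    Any hit means an earlier intercept-url rule (or the rule order) has made the
    path public, regardless of who is logged in.
    """
    exposed = []
    for url, attrs in parse_decisions(log_text):
        if any(url.startswith(p) for p in protected_prefixes) and "permitAll" in attrs:
            exposed.append(url)
    return exposed


if __name__ == "__main__":
    for url in find_exposed(SAMPLE_LOG, ["/secure/"]):
        print("EXPOSED: %s is authorized with permitAll" % url)
```

Run it against a full DEBUG log from org.springframework.security and pass the prefixes your intercept-url rules are supposed to guard; an empty result is the expected state after the rule order is corrected.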

1 Answer


You should move

<intercept-url pattern="/**" access="permitAll" />

<intercept-url pattern="/secure/*" access="isAuthenticated()" />

in your security-context.xml

answered 2013-07-18T16:40:32.723