2

我试图仅在登录期间使用 https。

问题是当应用程序尝试从 https 切换到 http 时,我最终被重定向到登录表单(好像会话被破坏)。当我在注销后使用 session-fixation-protection="none" 时,当我单击登录时,它会将其重定向到登录页面,然后再次单击它登录。

注销后的另一个问题单击返回按钮它再次登录这是错误的。

这是我正在使用的配置:

<security:http  auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint" session-fixation-protection="none">
    <security:intercept-url pattern="/login.do*" access="ROLE_ANONYMOUS,ROLE_ADMIN_RESEARCHER,ROLE_ADMIN_SUPERVISOR,ROLE_ADMIN_ADMINISTRATOR" requires-channel="https"/>
    <security:intercept-url pattern="/j_spring_security*" access="ROLE_ANONYMOUS,ROLE_ADMIN_RESEARCHER,ROLE_ADMIN_SUPERVISOR,ROLE_ADMIN_ADMINISTRATOR" requires-channel="https"/>
    <security:intercept-url pattern="/assets/**" filters="none"/>
    <security:intercept-url pattern="/change_password.do/*" filters="none"/>
    <security:intercept-url pattern="/forgot_password.do*" filters="none"/>
    <security:intercept-url pattern="/upload_tracking.do**" access="ROLE_ADMIN_SUPERVISOR"/>
    <security:intercept-url pattern="/company_alias.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
    <security:intercept-url pattern="/contacts.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
    <security:intercept-url pattern="/technology.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
    <security:intercept-url pattern="/technologyProduct.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
    <security:intercept-url pattern="/technologyKeyword.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
    <security:intercept-url pattern="/services.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
    <security:intercept-url pattern="/services.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
    <security:intercept-url pattern="/subscriptions.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
    <security:intercept-url pattern="/reports.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>      
    <security:intercept-url pattern="/goCsvUpload" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
    <security:intercept-url pattern="/admin_user.do*" access="ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>
    <security:intercept-url pattern="/**" access="ROLE_ADMIN_RESEARCHER,ROLE_ADMIN_SUPERVISOR,ROLE_ADMIN_ADMINISTRATOR" requires-channel="http"/>

    <security:form-login login-page="/login.do" default-target-url="/home.do"
                         login-processing-url="/j_spring_security_check.do"
                         always-use-default-target="false"
                         authentication-failure-url="/login.do?login_error=1"/>
    <security:anonymous/>

    <!-- remember-me default is two weeks, alter attribute token-validity-seconds if needed -->
    <security:remember-me/>
    <security:logout logout-url="/logout.do" logout-success-url="/login.do?logout=ok"/>

</security:http>


<security:authentication-provider user-service-ref="userDetailsService">
    <security:password-encoder ref="passwordEncoder">
        <!-- Very important! id is used as salt also by the registration process -->
        <!-- Cannot use username because it might contain braces, forbidden by the std salt generator -->
        <security:salt-source user-property="id"/>
    </security:password-encoder>
</security:authentication-provider>

<bean id="passwordEncoder" class="org.springframework.security.providers.encoding.ShaPasswordEncoder"/>

<bean id="passwordGenerator" class="com.salebuild.util.PasswordGenerator"/>

<context:component-scan base-package="com.salebuild.security">
    <context:include-filter type="annotation"
                            expression="org.springframework.stereotype.Service"/>
</context:component-scan>

<security:global-method-security secured-annotations="enabled"/>

<bean class="java.lang.Boolean" id="customerAuthentication">
    <constructor-arg value="false"/>
</bean>

<tx:annotation-driven/>

4

0 回答 0