我设置了一个 JSF (SpringFaces) 和 Spring Security 应用程序,在其中保护了 applicationContext-security.xml 中的 customer.jsf 页面:
<http auto-config="true" access-denied-page="/accessDenied.jsp">
<intercept-url pattern="/pages/customer**" access="ROLE_SUPERVISOR,ROLE_TELLER" />
<form-login login-processing-url="/j_spring_security_check"
login-page="/pages/login.jsf" default-target-url="/"
authentication-failure-url="/pages/login.jsf" />
<logout logout-url="/logout*" logout-success-url="/" />
</http>
在 main.jsf 页面上,我有一个指向 customer.jsf 的链接。当我单击此链接时,客户页面将打开而无需安全检查!这是一些日志输出:
DEBUG org.springframework.security.web.FilterChainProxy - /pages/main.jsf at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@10de3a. A new one will be created.
DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/TestProject/pages/customer.jsf; arg2=/TestProject/pages/main.jsf (property not equals)
DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/pages/main.jsf'; against '/pages/customer**'
DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Public object - authentication not attempted
但是当我已经在客户页面上,然后单击指向客户页面本身的链接时,我会得到登录页面和以下日志输出:
DEBUG org.springframework.security.web.FilterChainProxy - /pages/customer.jsf at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@10de3a. A new one will be created.
DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURL: arg1=http://localhost:8080/TestProject/pages/customer.jsf; arg2=http://localhost:8080/TestProject/pages/customer.jsf (property equals)
DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/pages/customer.jsf'; against '/pages/customer**'
DEBUG org.springframework.security.web.access.intercept.FilterScurityInterceptor - Secure object: FilterInvocation: URL: /pages/customer.jsf; Attributes: [ROLE_SUPERVISOR, ROLE_TELLER]
似乎,源页面(我来自哪里)经过安全检查,而不是目标页面(我想去哪里)。
这是 web.xml 中的一些配置:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
应用程序中的所有其他页面都不受保护并且工作正常。有什么提示有什么问题吗?
谢谢!亚历克斯