2

我是 Spring Security 的新手,遇到了问题。当我尝试访问一个预计会受到限制的页面时,它无论如何都会显示请求的页面,没有 403 也没有重定向到登录页面,日志中没有错误,什么都没有,就像根本没有实现 Spring Security 一样。

部署应用程序后,我在日志中看到以下内容,这告诉我 Spring Security 至少正在启动:

INFO: Checking whether login URL '/security/credentials' is accessible with your configuration

我试图将登录页面更改为受限制的页面,只是为了测试它实际上是受限制的,我得到以下信息,它告诉我它被正确地限制了,至少在模拟中是这样。

INFO: Checking whether login URL '/dashboard' is accessible with your configuration

org.springframework.security.config.http.DefaultFilterChainValidator checkLoginPageIsntProtected
WARNING: Anonymous access to the login page doesn't appear to be enabled. This is almost certainly an error. Please check your configuration allows unauthenticated access to the configured login page. (Simulated access was rejected: org.springframework.security.access.AccessDeniedException: Access is denied)

我有以下设置:

web.xml 

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
         http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

   <welcome-file-list>
      <welcome-file>
         index.html
      </welcome-file>
   </welcome-file-list>

   <context-param>
      <param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
      <param-value>messages</param-value>
   </context-param>

   <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>
        WEB-INF/applicationContext.xml
    </param-value>
   </context-param>

   <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
   </listener>

   <filter>
      <filter-name>UrlRewriteFilter</filter-name>
      <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
      <init-param>
         <param-name>logLevel</param-name>
         <param-value>TRACE</param-value>
      </init-param>
   </filter>
   <filter-mapping>
      <filter-name>UrlRewriteFilter</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
   </filter-mapping>


   <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
   </filter>
   <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <servlet>
      <servlet-name>spring</servlet-name>
      <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
      <init-param>
         <param-name>contextConfigLocation</param-name>
         <param-value>
            /WEB-INF/applicationContext.xml
        </param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>

   </servlet>
   <servlet-mapping>
      <servlet-name>spring</servlet-name>
      <url-pattern>/app/*</url-pattern>
   </servlet-mapping>
</web-app>

Spring Security 配置文件是从我的 applicationContext.xml 导入的。

弹簧安全.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
   xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.1.xsd">

   <http auto-config="true" use-expressions="true">
      <form-login 
         login-page="/security/credentials"
         login-processing-url="/security/signin" 
         default-target-url="/dashboard"
         authentication-failure-url="/security/signin_failed" />
      <intercept-url pattern="/resources/**" access="permitAll"/>
      <intercept-url pattern="/security/**" access="permitAll" />
      <intercept-url pattern="/favicon.ico" access="permitAll"/>
      <intercept-url pattern="/**" access="denyAll"/>
      <logout logout-success-url="/security/signout" />
      <remember-me />
   </http>

   <authentication-manager alias="authenticationManager">
      <authentication-provider>
         <user-service>
            <user name="test" password="password" authorities="ROLE_USER" />
         </user-service>
      </authentication-provider>
   </authentication-manager>
</beans:beans>
4

2 回答 2

1

Spring 的行为是正确的,因为您实际上是在告诉 Spring/security/**请求不需要身份验证(access="permitAll"):

...
<intercept-url pattern="/security/**" access="permitAll" />
...

如果您想将访问限制为仅经过身份验证的用户,那么您可以指定:

...
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...

或者,如果您想限制对特定角色的访问(替换ROLE_XXX为您的特定角色):

...
<intercept-url pattern="/security/**" access="hasRole('ROLE_XXX')" />
...

请注意,与登录相关的 URL 不能被限制(原因很明显): 

login-page="/security/credentials"
     login-processing-url="/security/signin" 
     default-target-url="/dashboard"
     authentication-failure-url="/security/signin_failed" />

因此,要么将它们更改为以类似的方式开始,要么为它们/login//security/的每一个添加特定的拦截 URL(如果你必须使用它们):

...
<intercept-url pattern="/security/credentials" access="permitAll" />
<intercept-url pattern="/security/signin" access="permitAll" />
<intercept-url pattern="/security/signin_failed" access="permitAll" />
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...

更具体的 URL 应该首先声明,因为 Spring 使用它从顶部找到的第一条规则。

于 2013-09-23T08:53:59.003 回答
0

我建议在删除<remember-me />标签后尝试,或者先删除所有 cookie。由于现有的 cookie,您可以访问 /dashboard

编辑: 您在 spring security 之前配置了 UrlRewriteFilter,检查给 spring security 过滤器的最终 url 是什么,或者您可以在禁用 UrlRewriteFilter 之后尝试?

于 2013-09-26T08:49:46.860 回答