I am seeing very strange Spring Security behavior.
Security configuration:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.1.xsd">
        <http use-expressions="true">
            <intercept-url pattern="/home.jsp" access="permitAll" />
            <intercept-url pattern="/*" access="isAuthenticated()" />
            <form-login login-page="/"
                authentication-failure-url="/loginFailed" default-target-url="/index" />
            <logout logout-success-url="/logOut" />
        </http>
        <authentication-manager>
            <authentication-provider ref="provider" />
        </authentication-manager>
    </beans:beans>
Controller:
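    import org.springframework.stereotype.Controller;
    import org.springframework.ui.Model;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.servlet.mvc.support.RedirectAttributes;

    @Controller
    public class HomeController {

        // Target of default-target-url after a successful login
        @RequestMapping("/index")
        public String success(Model model) {
            System.out.println("/index");
            return "index";
        }

        // Target of authentication-failure-url
        @RequestMapping(value = "/loginFailed", method = RequestMethod.GET)
        public String loginError(Model model, RedirectAttributes redirectAttributes) throws Exception {
            redirectAttributes.addAttribute("message", "incorrect combination of login and password");
            System.out.println("/loginFailed");
            return "redirect:home.jsp";
        }

        // Target of logout-success-url
        @RequestMapping(value = "/logOut", method = RequestMethod.GET)
        public String logOut(Model model, RedirectAttributes redirectAttributes) throws Exception {
            redirectAttributes.addAttribute("message", "success logout");
            System.out.println("/logOut");
            return "redirect:home.jsp";
        }
        ...
    }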
Starting at the URL http://localhost:8080/ui/ (the application root URL), I do the following.
First activity:
1. Enter the correct password --> http://localhost:8080/ui/index
   In the log I see /index; isAuthenticated() == true
2. Press logOut --> http://localhost:8080/ui/
   The log is empty; isAuthenticated() == false
3. Enter the correct password --> http://localhost:8080/ui/home.jsp?message=success+logout
   In the console I see /logOut; isAuthenticated() == true
4. Press logOut --> goes to http://localhost:8080/ui/
   The log is empty; isAuthenticated() == false
5. Enter the correct password --> goes to http://localhost:8080/ui/
   The log is empty; isAuthenticated() == false
I don't understand the rules by which Spring Security chooses which controller to use.
I think Spring calls the right servlet but uses the wrong URL.