
I am seeing very strange Spring Security behaviour.

Security configuration:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <http use-expressions="true">

        <intercept-url pattern="/home.jsp" access="permitAll" /> 

        <intercept-url pattern="/*" access="isAuthenticated()"/> 


        <form-login login-page="/"
            authentication-failure-url="/loginFailed" default-target-url="/index" />
        <logout logout-success-url="/logOut" />
    </http>
    <authentication-manager>
        <authentication-provider ref="provider" /> 
    </authentication-manager>

</beans:beans>

Controller:

@Controller
public class HomeController {

    @RequestMapping("/index")
    public String success(Model model) {
        System.out.println("/index");
        return "index";
    }

    @RequestMapping(value = "/loginFailed", method = RequestMethod.GET)
    public String loginError(Model model, RedirectAttributes redirectAttributes) throws Exception {
        redirectAttributes.addAttribute("message", "incorrect combination of login and password");
        System.out.println("/loginFailed");
        return "redirect:home.jsp";
    }

    @RequestMapping(value = "/logOut", method = RequestMethod.GET)
    public String logOut(Model model, RedirectAttributes redirectAttributes) throws Exception {
        redirectAttributes.addAttribute("message", "success logout");
        System.out.println("/logOut");
        return "redirect:home.jsp";
    }
    ...
}

If I am at the url http://localhost:8080/ui/ (the root application url) and I enter:

First sequence of actions:

1. Enter the correct password --> http://localhost:8080/ui/index; in the log I see /index, isAuthenttificated() == true

2. Press logOut --> http://localhost:8080/ui/ and the log is empty, isAuthenttificated() == false

3. Enter the correct password --> http://localhost:8080/ui/home.jsp?message=success+logout/logOut; in the console I see isAuthenttificated() == true

4. Press logOut --> go to http://localhost:8080/ui/ and the log is empty, isAuthenttificated() == false

5. Enter the correct password --> go to http://localhost:8080/ui/ and the log is empty, isAuthenttificated() == false

I don't understand the rule by which Spring Security chooses which controller to use.

I think Spring calls the correct servlet but uses the wrong url.


1 Answer


I notice you may have forgotten to add the following configuration

    <intercept-url pattern="/loginFailed" access="permitAll" /> 
    <intercept-url pattern="/" access="permitAll" /> 

Or at least all pages related to the login/error pages should normally be exempt from authentication.

answered 2013-10-07T15:55:49.900
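The answer's suggestion carried through to a complete `<http>` block, as an added example rather than the answerer's own code. It keeps the questioner's bean names and URLs (`provider`, `/home.jsp`, `/loginFailed`, `/logOut`, `/index`) and assumes the questioner's `/` really is the custom login page. Two things the example changes on purpose: every URL that the login/logout flow redirects an unauthenticated browser to is listed with `permitAll` before the catch-all, because Spring Security evaluates `intercept-url` rules top to bottom and the first match wins; and the catch-all is written as `/**` rather than `/*`, because ant-style `/*` matches only one path segment, so nested paths such as `/admin/users` would not be covered by any rule at all.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http use-expressions="true">
        <!-- Pages an unauthenticated user must be able to reach: the custom
             login page ("/"), the static home page, and the two controller
             endpoints that the failure/logout redirects land on.
             These rules come first because the first matching rule wins. -->
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/home.jsp" access="permitAll" />
        <intercept-url pattern="/loginFailed" access="permitAll" />
        <intercept-url pattern="/logOut" access="permitAll" />

        <!-- Everything else requires a logged-in user. "/**" matches any
             depth; the original "/*" only matches a single path segment. -->
        <intercept-url pattern="/**" access="isAuthenticated()" />

        <form-login login-page="/"
            authentication-failure-url="/loginFailed"
            default-target-url="/index" />
        <logout logout-success-url="/logOut" />
    </http>

    <authentication-manager>
        <!-- "provider" is the questioner's own authentication-provider bean -->
        <authentication-provider ref="provider" />
    </authentication-manager>

</beans:beans>
```

With the original configuration, `/loginFailed` and `/logOut` both match `/*` and therefore require authentication. A request to either of them arrives from a browser that has just failed to log in or has just logged out, so the security filter redirects it to the login page before the controller method ever runs, which is consistent with the "log is empty" observations in steps 2, 4 and 5. Keep the `permitAll` list limited to the login-flow URLs; anything else should stay behind the authenticated catch-all.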