我在 JBoss WildFly 10.0.0.CR2 上使用 Spring 3.2.11.RELEASE 和 Spring Security 3.1.4.RELEASE。我在我的应用程序上下文中设置了以下内容……
<beans:bean id="springboardUsernamePasswordUrlAuthenticationFilter" class="org.mainco.subco.core.security.SubcoUsernamePasswordUrlAuthenticationFilter">
<beans:property name="filterProcessesUrl" value="/j_spring_security_check"/>
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="authenticationFailureHandler">
<beans:bean class="org.mainco.subco.myproject.security.SubcoAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login/failure"/>
<beans:property name="userService" ref="userService" />
</beans:bean>
</beans:property>
<beans:property name="authenticationSuccessHandler">
<beans:bean class="org.mainco.subco.myproject.security.SubcoAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/success"/>
<beans:property name="userService" ref="userService" />
<beans:property name="sessionService" ref="sessionService" />
</beans:bean>
</beans:property>
</beans:bean>
我注意到当我输入错误的用户名/密码组合时,会调用失败处理程序,当我输入正确的用户名/密码组合时,会调用成功处理程序,它最终会调用以下方法……</p>
@RequestMapping(value = "/success")
public String authenticate(final Principal principal)
{
…
}
这是在我的 web.xml 中配置的。请注意,Spring 安全过滤器会捕获有问题的成功 URL……</p>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
但是,当调用上述方法时,“principal”对象为空,所以我无法确定谁登录了。Spring 中的什么机制在成功登录时设置 Principal 对象?我怎样才能弄清楚为什么我似乎能够正确登录,但尚未设置身份验证对象?