gtl*_*wig 5 java spring spring-mvc spring-security
我在尝试登录我的应用程序时遇到了一些令人尴尬的问题。
我的 Spring 安全protected void configure(HttpSecurity http) throws Exception定义为:
protected void configure(HttpSecurity http) throws Exception {
System.out.println(http);
http
.formLogin()
.loginPage("/login")
.usernameParameter("ssoId")
.passwordParameter("password")
.and()
.authorizeRequests()
// I admit that this section needs some work
.antMatchers("/", "/home/*", "/alert/*", "/scheduler/*", "/agent/*", "/ftp/*", "/smtp/*", "/sql/*").access("hasRole('USER')")
.antMatchers("/benefit/*", "/client/*", "/contract/*", "/role/*", "/structure/*", "/term/*").access("hasRole('USER')")
.antMatchers("/", "/home/*", "/alert/*", "/scheduler/*", "/agent/*", "/ftp/*", "/smtp/*", "/sql/*").access("hasRole('ADMIN')")
.antMatchers("/benefit/*", "/client/*", "/contract/*", "/role/*", "/structure/*", "/term/*").access("hasRole('ADMIN')")
.antMatchers("/admin/**").access("hasRole('ADMIN')")
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
.and()
.rememberMe().rememberMeParameter("remember-me").tokenRepository(persistentTokenRepository()).tokenValiditySeconds(86400)
.and()
.csrf()
.and()
.exceptionHandling().accessDeniedPage("/accessDenied");
}
应用程序很好地加载并进入/login页面。但是当我尝试使用用户登录master并提供正确的密码时,它只是返回到该/login页面。
我的登录控制器是:
@Controller
public class LoginController {
@Autowired
UserProfileService userProfileService;
@Autowired
UserService userService;
@RequestMapping(value = { "/", "/home", "/welcome" }, method = RequestMethod.GET)
public String index(Principal principal) {
return principal != null ? "home/homeSignedIn" : "home/homeNotSignedIn";
}
@RequestMapping(value = "/login")
public String loginPage() {
return "login";
}
@RequestMapping(value="/logout", method = RequestMethod.GET)
public String logoutPage (HttpServletRequest request, HttpServletResponse response) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null){
new SecurityContextLogoutHandler().logout(request, response, auth);
}
return "redirect:/login?logout";
}
private String getPrincipal(){
String userName = null;
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
if (principal instanceof UserDetails) {
userName = ((UserDetails)principal).getUsername();
} else {
userName = principal.toString();
}
return userName;
}
@ModelAttribute("roles")
public List<UserProfile> initializeProfiles() {
return userProfileService.findAll();
}
}
User
@Entity
@Table(name="user")
public class User extends BasePojo {
@NotEmpty
@Column(name="sso_id", unique=true, nullable=false)
private String ssoId;
@NotEmpty
@Column(name="password", nullable=false)
private String password;
@NotEmpty
@Column(name="first_name")
private String firstName;
@NotEmpty
@Column(name="last_name")
private String lastName;
@Column(name="email", nullable=false)
private String email;
@Column(name="state", nullable=false)
private String state=UserState.ACTIVE.getState();
@ManyToMany(fetch = FetchType.EAGER)
@Fetch(FetchMode.SELECT)
@JoinTable(name = "hrm_user_user_profile",
joinColumns = { @JoinColumn(name = "id_user", referencedColumnName="id") },
inverseJoinColumns = { @JoinColumn(name = "id_profile", referencedColumnName="id") })
@Cascade(org.hibernate.annotations.CascadeType.ALL)
private Set<UserProfile> userProfiles;
UserProfile:
@Entity
@Table(name="user_profile")
public class UserProfile extends BasePojo {
private static final long serialVersionUID = 1L;
@Column(name="type", length=15, unique=true, nullable=false)
private String type = UserProfileType.USER.getUserProfileType();
// Constructor used only for initial data loading, not used after
public UserProfile() {
}
// Constructor used only for initial data loading, not used after
public UserProfile(String type) {
super();
this.type = type;
}
public String getType() {
return type;
}
public void setType(String type) {
this.type = type;
}
}
UserState:
public enum UserState {
LOCKED("state.locked"),
INACTIVE("state.inactive"),
ACTIVE("state.active");
String state;
private UserState(final String state){
this.state = state;
}
public String getState(){
return state;
}
我在这里迷路了。我能得到一些帮助吗?
小智 3
我相信您已经正确验证了用户身份。但是,您的 /login POST 处理程序方法需要确保后续请求的标头中包含 cookie 或令牌。
这样,您设置的规则如下
.antMatchers("/", "/home/*", "/alert/*", "/scheduler/*", "/agent/*", "/ftp/*", "/smtp/*", "/sql/*").access("hasRole('USER')")
.antMatchers("/benefit/*", "/client/*", "/contract/*", "/role/*", "/structure/*", "/term/*").access("hasRole('USER')")
.antMatchers("/", "/home/*", "/alert/*", "/scheduler/*", "/agent/*", "/ftp/*", "/smtp/*", "/sql/*").access("hasRole('ADMIN')")
.antMatchers("/benefit/*", "/client/*", "/contract/*", "/role/*", "/structure/*", "/term/*").access("hasRole('ADMIN')")
.antMatchers("/admin/**").access("hasRole('ADMIN')")
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
例如,假设用户正在尝试访问/home。由于用户未经过身份验证,因此他被重定向到登录页面。用户输入用户名和密码,现在已通过身份验证。完成此操作后,Spring Security 默认情况下会将用户重定向到返回 URL /home。默认情况下,Spring Security 会在响应中添加一个 Cookie,以便后续的每个请求都在请求中包含该 Cookie。我相信您的情况不会发生这种情况。我想更多地了解您的 spring 安全配置。用户身份验证是如何进行的?它是内存中的身份验证吗?或者数据源认证?
| 归档时间: |
|
| 查看次数: |
6903 次 |
| 最近记录: |