Spring Security 4: a short note on security="none"
Source: Internet  Published by: 黑米软件官方  Editor: 程序博客网  Time: 2024/05/28 23:23
While learning Spring Security 4 and following the reference documentation, my spring-security.xml contained the following fragment:
    <http pattern="/resources/**" security="none" />
    <http pattern="/login" security="none" />
    <http auto-config="true" use-expressions="true">
        <!-- <intercept-url pattern="/login" access="permitAll" /> -->
        <intercept-url pattern="/about" access="permitAll" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')" />
        <custom-filter ref="ipFilter" before="FILTER_SECURITY_INTERCEPTOR" />
        <remember-me remember-me-parameter="remember-me" token-validity-seconds="604800"
                     data-source-ref="dataSource" user-service-ref="customjdbcUserService" />
        <form-login login-page="/login" default-target-url="/" password-parameter="pwd" />
        <logout logout-success-url="/about" />
    </http>
The relevant part of the controller:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.session.SessionRegistry;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;

    @Controller
    public class BaseController {

        @Autowired
        private SessionRegistry sessionRegistry;

        @RequestMapping("/")
        public String index() {
            return "index";
        }

        // Returns void, so Spring MVC derives the view name ("login") from the request path
        @RequestMapping("/login")
        public void login() {
        }
    }
When /login was requested, the response was simply the login page again; no login authentication took place.
But with the following configuration, login works normally:
    <http pattern="/resources/**" security="none" />
    <http pattern="/about" security="none" />
    <http auto-config="true">
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/user/**" access="hasRole('USER')" />
        <intercept-url pattern="/admin/**" access="hasRole('ADMIN')" />
        <!-- this must be the last intercept-url; otherwise it matches first and the /user and /admin rules never apply (not verified) -->
        <intercept-url pattern="/**" access="hasRole('USER')" />
        <session-management session-fixation-protection="migrateSession">
            <concurrency-control max-sessions="1" expired-url="/login?error=expired" />
        </session-management>
        <custom-filter ref="ipFilter" before="FILTER_SECURITY_INTERCEPTOR" />
        <remember-me key="elim" remember-me-parameter="remember-me" token-validity-seconds="604800"
                     data-source-ref="dataSource" user-service-ref="customjdbcUserService" />
        <form-login login-page="/login" default-target-url="/" password-parameter="pwd" />
        <logout logout-success-url="/about" />
    </http>
(The original code is gone; this version has had some features added and fixes applied since. The key line is <intercept-url pattern="/login" access="permitAll" />.)
With this configuration, authentication and login work correctly.
Here is the debug-level log recorded when login failed:
    22:32:42,905 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/resources/**'
    22:32:42,905 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/login'
    22:32:42,905 DEBUG FilterChainProxy:200 - /login has an empty filter list
    22:32:42,906 DEBUG DispatcherServlet:861 - DispatcherServlet with name 'springmvc' processing POST request for [/login]
    22:32:42,907 DEBUG RequestMappingHandlerMapping:294 - Looking up handler method for path /login
    22:32:42,908 DEBUG RequestMappingHandlerMapping:299 - Returning handler method [public void com.bay1ts.controller.BaseController.login()]
    22:32:42,908 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'baseController'
    22:32:42,909 DEBUG DispatcherServlet:1241 - Rendering view [org.springframework.web.servlet.view.JstlView: name 'login'; URL [/WEB-INF/jsps/login.jsp]] in DispatcherServlet with name 'springmvc'
    22:32:42,910 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'requestDataValueProcessor'
    22:32:42,910 DEBUG JstlView:166 - Forwarding to resource [/WEB-INF/jsps/login.jsp] in InternalResourceView 'login'
    22:32:42,919 DEBUG DispatcherServlet:996 - Successfully completed request

We can see:
On the third line: /login has an empty filter list. This is actually understandable: when a pattern is given its own <http> element with security="none", Spring Security gives up all processing for that pattern, including login authentication, which is exactly the problem described above.
Using

    <intercept-url pattern="/login" access="permitAll" />

instead means that no access restriction is placed on the pattern, but requests for it still pass through the Spring Security filter chain, including the filter that processes the login.
Below is the log for a normal login:
    22:56:22,763 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/resources/**'
    22:56:22,770 DEBUG FilterChainProxy:324 - /login at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    22:56:22,770 DEBUG HttpSessionSecurityContextRepository:171 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
    22:56:22,770 DEBUG HttpSessionSecurityContextRepository:101 - No SecurityContext was available from the HttpSession: org.eclipse.jetty.server.session.HashedSession:1bf4hxwrtqrdvs3dedd70rh8o@1206903733. A new one will be created.
    22:56:22,770 DEBUG FilterChainProxy:324 - /login at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
    22:56:22,770 DEBUG FilterChainProxy:324 - /login at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
    22:56:22,771 DEBUG HstsHeaderWriter:128 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@1945827
    22:56:22,771 DEBUG FilterChainProxy:324 - /login at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
    22:56:22,772 DEBUG FilterChainProxy:324 - /login at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
    22:56:22,772 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/logout'
    22:56:22,773 DEBUG FilterChainProxy:324 - /login at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    22:56:22,773 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/login'
    22:56:22,773 DEBUG UsernamePasswordAuthenticationFilter:211 - Request is to process authentication
    22:56:22,774 DEBUG ProviderManager:162 - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
    22:56:22,778 DEBUG JdbcTemplate:693 - Executing prepared SQL query
    22:56:22,780 DEBUG JdbcTemplate:627 - Executing prepared SQL statement [select username,password,enabled from users where username = ?]
    22:56:22,788 DEBUG DataSourceUtils:110 - Fetching JDBC Connection from DataSource
    22:56:22,862 INFO AbstractPoolBackedDataSource:203 - Initializing c3p0 pool... com.mchange.v2.c3p0.ComboPooledDataSource [ acquireIncrement -> 3, acquireRetryAttempts -> 30, acquireRetryDelay -> 1000, autoCommitOnClose -> false, automaticTestTable -> null, breakAfterAcquireFailure -> false, checkoutTimeout -> 0, connectionCustomizerClassName -> null, connectionTesterClassName -> com.mchange.v2.c3p0.impl.DefaultConnectionTester, contextClassLoaderSource -> caller, dataSourceName -> 1hge1379c1b42a3w17r38ui|3c87fdf2, debugUnreturnedConnectionStackTraces -> false, description -> null, driverClass -> com.mysql.jdbc.Driver, extensions -> {}, factoryClassLocation -> null, forceIgnoreUnresolvedTransactions -> false, forceUseNamedDriverClass -> false, identityToken -> 1hge1379c1b42a3w17r38ui|3c87fdf2, idleConnectionTestPeriod -> 0, initialPoolSize -> 3, jdbcUrl -> jdbc:mysql://localhost:3306/jdbcdaoimpl?characterEncoding=UTF-8, maxAdministrativeTaskTime -> 0, maxConnectionAge -> 0, maxIdleTime -> 0, maxIdleTimeExcessConnections -> 0, maxPoolSize -> 15, maxStatements -> 0, maxStatementsPerConnection -> 0, minPoolSize -> 3, numHelperThreads -> 3, preferredTestQuery -> null, privilegeSpawnedThreads -> false, properties -> {user=******, password=******}, propertyCycle -> 0, statementCacheNumDeferredCloseThreads -> 0, testConnectionOnCheckin -> false, testConnectionOnCheckout -> false, unreturnedConnectionTimeout -> 0, userOverrides -> {}, usesTraditionalReflectiveProxies -> false ]
    22:56:22,895 DEBUG MConfig:198 - The configuration file for resource identifier '/mchange-commons.properties' could not be found. Skipping.
    java.io.FileNotFoundException: Resource not found at path '/mchange-commons.properties'.
        ... // the log is too long; this part (the stack trace of the c3p0 exception above) is irrelevant and omitted here
    22:56:22,992 DEBUG BasicResourcePool:195 - com.mchange.v2.resourcepool.BasicResourcePool@a87512f config: [start -> 3; min -> 3; max -> 15; inc -> 3; num_acq_attempts -> 30; acq_attempt_delay -> 1000; check_idle_resources_delay -> 0; max_resource_age -> 0; max_idle_time -> 0; excess_max_idle_time -> 0; destroy_unreturned_resc_time -> 0; expiration_enforcement_delay -> 0; break_on_acquisition_failure -> false; debug_store_checkout_exceptions -> false]
    22:56:22,992 DEBUG C3P0PooledConnectionPoolManager:195 - Created new pool for auth, username (masked): 'ro******'.
    22:56:22,992 DEBUG BasicResourcePool:195 - acquire test -- pool size: 0; target_pool_size: 3; desired target? 1
    22:56:22,993 DEBUG BasicResourcePool:195 - awaitAvailable(): [unknown]
    22:56:23,568 DEBUG DataSourceUtils:327 - Returning JDBC Connection to DataSource
    22:56:23,570 DEBUG JdbcTemplate:693 - Executing prepared SQL query
    22:56:23,570 DEBUG JdbcTemplate:627 - Executing prepared SQL statement [select username,authority from authorities where username = ?]
    22:56:23,571 DEBUG DataSourceUtils:110 - Fetching JDBC Connection from DataSource
    22:56:23,573 DEBUG DataSourceUtils:327 - Returning JDBC Connection to DataSource
    22:56:23,578 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'sqlSessionFactory'
    22:56:23,578 DEBUG CompositeSessionAuthenticationStrategy:86 - Delegating to org.springframework.security.web.csrf.CsrfAuthenticationStrategy@70540f7b
    22:56:23,580 DEBUG CompositeSessionAuthenticationStrategy:86 - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@51ae01da
    22:56:23,581 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'sqlSessionFactory'
    22:56:23,582 DEBUG UsernamePasswordAuthenticationFilter:317 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER
    22:56:23,582 DEBUG PersistentTokenBasedRememberMeServices:147 - Creating new persistent login for user admin
    22:56:23,586 DEBUG JdbcTemplate:908 - Executing prepared SQL update
    22:56:23,586 DEBUG JdbcTemplate:627 - Executing prepared SQL statement [insert into persistent_logins (username, series, token, last_used) values(?,?,?,?)]
    22:56:23,587 DEBUG DataSourceUtils:110 - Fetching JDBC Connection from DataSource
    22:56:23,593 DEBUG JdbcTemplate:918 - SQL update affected 1 rows
    22:56:23,594 DEBUG DataSourceUtils:327 - Returning JDBC Connection to DataSource
    22:56:23,594 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'sqlSessionFactory'
    22:56:23,595 DEBUG SavedRequestAwareAuthenticationSuccessHandler:110 - Using default Url: /
    22:56:23,595 DEBUG DefaultRedirectStrategy:39 - Redirecting to '/'
    22:56:23,595 DEBUG HttpSessionSecurityContextRepository:362 - SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@fec65191: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER' stored to HttpSession: 'org.eclipse.jetty.server.session.HashedSession:m2b22n17auwqwwbhl5t9veiw@1206903733
    22:56:23,596 DEBUG SecurityContextPersistenceFilter:105 - SecurityContextHolder now cleared, as request processing completed
    22:56:23,598 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/'; against '/resources/**'
    22:56:23,599 DEBUG FilterChainProxy:324 - / at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    22:56:23,599 DEBUG HttpSessionSecurityContextRepository:192 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@fec65191: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER'
    22:56:23,599 DEBUG FilterChainProxy:324 - / at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
    22:56:23,600 DEBUG FilterChainProxy:324 - / at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
    22:56:23,600 DEBUG HstsHeaderWriter:128 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@1945827
    22:56:23,600 DEBUG FilterChainProxy:324 - / at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
    22:56:23,600 DEBUG FilterChainProxy:324 - / at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
    22:56:23,600 DEBUG AntPathRequestMatcher:131 - Request 'GET /' doesn't match 'POST /logout
    22:56:23,601 DEBUG FilterChainProxy:324 - / at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    22:56:23,601 DEBUG AntPathRequestMatcher:131 - Request 'GET /' doesn't match 'POST /login
    22:56:23,601 DEBUG FilterChainProxy:324 - / at position 7 of 15 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
    22:56:23,601 DEBUG FilterChainProxy:324 - / at position 8 of 15 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    22:56:23,601 DEBUG FilterChainProxy:324 - / at position 9 of 15 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    22:56:23,601 DEBUG FilterChainProxy:324 - / at position 10 of 15 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
    22:56:23,602 DEBUG RememberMeAuthenticationFilter:153 - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER'
    22:56:23,602 DEBUG FilterChainProxy:324 - / at position 11 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    22:56:23,602 DEBUG AnonymousAuthenticationFilter:106 - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER'
    22:56:23,602 DEBUG FilterChainProxy:324 - / at position 12 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'
    22:56:23,602 DEBUG FilterChainProxy:324 - / at position 13 of 15 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    22:56:23,602 DEBUG FilterChainProxy:324 - / at position 14 of 15 in additional filter chain; firing Filter: 'IPRoleAuthenticationFilter'
    22:56:23,603 DEBUG FilterChainProxy:324 - / at position 15 of 15 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    22:56:23,603 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/'; against '/login'
    22:56:23,603 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/'; against '/about'
    22:56:23,603 DEBUG FilterSecurityInterceptor:218 - Secure object: FilterInvocation: URL: /; Attributes: [hasRole('ROLE_USER')]
    22:56:23,603 DEBUG FilterSecurityInterceptor:347 - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER
    22:56:23,608 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@71ed560f, returned: 1
    22:56:23,608 DEBUG FilterSecurityInterceptor:242 - Authorization successful
    22:56:23,608 DEBUG FilterSecurityInterceptor:255 - RunAsManager did not change Authentication object
    22:56:23,609 DEBUG FilterChainProxy:309 - / reached end of additional filter chain; proceeding with original chain
    22:56:23,609 DEBUG DispatcherServlet:861 - DispatcherServlet with name 'springmvc' processing GET request for [/]
    22:56:23,609 DEBUG RequestMappingHandlerMapping:294 - Looking up handler method for path /
    22:56:23,610 DEBUG RequestMappingHandlerMapping:299 - Returning handler method [public java.lang.String com.bay1ts.controller.BaseController.index()]
    22:56:23,610 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'baseController'
    22:56:23,611 DEBUG DispatcherServlet:947 - Last-Modified value for [/] is: -1
    22:56:23,612 DEBUG DefaultListableBeanFactory:1616 - Invoking afterPropertiesSet() on bean with name 'index'
    22:56:23,612 DEBUG DispatcherServlet:1241 - Rendering view [org.springframework.web.servlet.view.JstlView: name 'index'; URL [/WEB-INF/jsps/index.jsp]] in DispatcherServlet with name 'springmvc'
    22:56:23,612 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'requestDataValueProcessor'
    22:56:23,613 DEBUG JstlView:166 - Forwarding to resource [/WEB-INF/jsps/index.jsp] in InternalResourceView 'index'
    22:56:23,764 DEBUG DispatcherServlet:996 - Successfully completed request
    22:56:23,764 DEBUG ExceptionTranslationFilter:116 - Chain processed normally
    22:56:23,765 DEBUG SecurityContextPersistenceFilter:105 - SecurityContextHolder now cleared, as request processing completed
This conclusion became clear after I asked on Stack Overflow; the original question:
http://stackoverflow.com/questions/33371389/spring-security4-login-doesnt-pass-through-any-filter
The person who answered also pointed out some errors and redundant settings in the configuration file. For example:
The order of the url patterns matters: pattern="/**" must come last, because it matches every request and applies its own access rule to all of them. For instance, with
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/about" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')" />
a request for /admin/ matches /**, which only checks for the USER role and never requires ADMIN; the later patterns are shadowed. It therefore has to be configured last. In addition, in Spring Security 4+ the ROLE_ prefix does not need to be written in the configuration. The corrected configuration should therefore look like:

    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/about" access="permitAll" />
    <intercept-url pattern="/user/*" access="hasRole('USER')" />
    <intercept-url pattern="/admin/*" access="hasRole('ADMIN')" />
    <intercept-url pattern="/**" access="hasRole('USER')" />

The ROLE_ prefix is omitted. However, it can only be omitted in the configuration file; in a database-backed authority model the values in the authorities table must not omit the ROLE_ prefix, otherwise access is denied!! This was a lesson learned the hard way. It may also be that some other part of my configuration makes my setup differ from the normal case, but I lean towards the former.
Also, /user/* matches /user/12 but does not match /user/profile/12, so if URLs of that form are needed, the pattern must be changed to /user/**.
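As an added illustration (not Spring's code and not part of the original post), the following Python model reproduces the behaviour explained above: a security="none" <http> chain carries an empty filter list so the login POST is never processed, the first matching <intercept-url> decides access so /** must come last, hasRole('USER') is compared against a stored ROLE_USER authority, and /user/* differs from /user/**. The two configurations are the author's failing and working ones; paths such as /admin/dashboard are constructed sample input.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Added model (not Spring's code) of how Spring Security 4 evaluates this
# page's XML: FilterChainProxy picks the first <http> whose pattern matches
# (security="none" gives it an EMPTY filter list), FilterSecurityInterceptor
# applies the FIRST matching <intercept-url>, hasRole('X') needs 'ROLE_X'.

def ant_match(pattern: str, path: str) -> bool:
    """Ant-style match: '*' stays inside one path segment, '**' spans segments,
    and a trailing '/**' also matches the bare prefix, as AntPathMatcher does."""
    tail = ""
    if pattern.endswith("/**"):
        pattern, tail = pattern[:-3], "(?:/.*)?"
    parts = []
    for token in re.split(r"(\*\*|\*)", pattern):
        if token == "**":
            parts.append(".*")
        elif token == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(token))
    return re.fullmatch("".join(parts) + tail, path) is not None

@dataclass
class HttpChain:
    """One <http> element; pattern=None is the catch-all default chain."""
    pattern: Optional[str] = None
    security_none: bool = False
    rules: List[Tuple[str, str]] = field(default_factory=list)  # XML order

def select_chain(chains: List[HttpChain], path: str) -> HttpChain:
    """FilterChainProxy: the first <http> whose pattern matches wins."""
    for chain in chains:
        if chain.pattern is None or ant_match(chain.pattern, path):
            return chain
    raise LookupError("no <http> chain matches " + path)

def has_role(access: str, authorities: Set[str]) -> bool:
    """Evaluate the two access expressions used on this page."""
    if access == "permitAll":
        return True
    m = re.fullmatch(r"hasRole\('([^']+)'\)", access)
    if m is None:
        raise ValueError("unsupported access expression: " + access)
    role = m.group(1)
    # Spring Security 4 adds ROLE_ for you, so the authorities table must
    # still hold ROLE_USER; a stored value of plain USER is denied.
    if not role.startswith("ROLE_"):
        role = "ROLE_" + role
    return role in authorities

def decide(chains: List[HttpChain], path: str, authorities: Set[str]) -> dict:
    """Outcome for one request: the chain chosen, whether the security
    filters (login processing, CSRF, ...) run at all, and the deciding rule."""
    chain = select_chain(chains, path)
    result = {"chain": chain.pattern, "filters_run": not chain.security_none,
              "rule": None, "granted": True}
    if chain.security_none:
        return result  # empty filter list: nothing is checked, nobody logs in
    for pattern, access in chain.rules:  # the first matching rule decides
        if ant_match(pattern, path):
            result.update(rule=pattern, granted=has_role(access, authorities))
            break
    return result

# The author's failing config: /login in its own security="none" chain, /** first.
BROKEN = [
    HttpChain("/resources/**", security_none=True),
    HttpChain("/login", security_none=True),
    HttpChain(rules=[("/about", "permitAll"), ("/**", "hasRole('ROLE_USER')"),
                     ("/user/*", "hasRole('ROLE_USER')"),
                     ("/admin/*", "hasRole('ROLE_ADMIN')")]),
]

# The corrected ordering, with the /** patterns of the author's working config.
FIXED = [
    HttpChain(rules=[("/resources/**", "permitAll"), ("/login", "permitAll"),
                     ("/about", "permitAll"), ("/user/**", "hasRole('USER')"),
                     ("/admin/**", "hasRole('ADMIN')"), ("/**", "hasRole('USER')")]),
]
```

decide(BROKEN, "/login", set()) reports filters_run False, which is the "/login has an empty filter list" line of the failing log, while decide(BROKEN, "/admin/dashboard", {"ROLE_USER"}) grants access through the /** rule.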
I'm a beginner; if there are mistakes, please point them out.