我在弹簧安全性方面遇到问题并显示错误消息
这是我的root-context.xml中的内容
`<context:property-placeholder location="classpath:config.properties" />
<!-- Register the Customer.properties -->
<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="mymessages" />
</bean>
<security:http auto-config='true'>
<security:intercept-URL pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-URL pattern="/**" access="ROLE_USER" />
<security:form-login login-page='/login' default-target-url="/"
authentication-failure-URL="/loginfailed"/>
<security:logout logout-success-url="/" logout-URL="/j_spring_security_logout" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="billy" password="123456" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>`
在我的web.xml中是
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<URL-pattern>/*</URL-pattern>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
而我的.jsp是
<body>
<%@ include file="include/login1.jsp"%>
<c:if test="${not empty error}">
<div class="errorblock">Your login attempt was not successful, try again.<br/> Caused :
</div>
</c:if>
</body>
</html>
当我第一次使用错误的用户凭据登录时,它只会重新加载登录页面。然后,如果我使用正确的登录凭据登录,它将以文本“您的登录尝试未成功,请重试。原因:”加载登录,但在原因之后没有显示错误凭据的春季消息:
对此事的任何帮助,我们深表感谢
最佳答案
验证失败的URL似乎需要验证。
<security:intercept-URL pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-URL pattern="/**" access="ROLE_USER"/>
此配置将仅允许未经身份验证的人员访问/ login页面,而不能访问/ loginfailed页面。尝试将登录拦截URL更改为:
<security:intercept-URL pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-URL pattern="/**" access="ROLE_USER"/>
或者,您可以仅添加另一个专门拦截/ loginfailed网址的拦截网址。
可能发生的情况是,您第一次尝试登录时,它会将您重定向到登录失败的页面“ / loginfailed”,由于身份验证失败,这将导致另一个重定向回到登录页面。然后,当您正确登录时,它会将您重定向回“ / loginfailed”页面,因为这是登录重定向之前的原始请求。
您可以使用另一个参数,该参数将始终将您发送到默认年龄...
<form-login login-page='/login' default-target-url='/'
authentication-failure-url="/loginfailed" always-use-default-target='true' />
试一试,看看是否有效。
编辑:这是安全设置的完整示例。在此设置中,我使用的是其他http声明,而不是其他的拦截URL。我的login.jsp会根据login_error参数更改其内容(例如,login_error = 1会显示一条消息,提示“用户名或密码不正确”,login_error = 2会显示一条消息,表明会话已超时,请重新登录)。
<!-- No security on js,css,image and other static resources -->
<http pattern="/resources/**" security="none" />
<!-- No security on error pages -->
<http pattern="/error/**" security="none" />
<!-- No security on pages starting with login -->
<http pattern="/login*" security="none" />
<http auto-config='true'>
<!-- Everything else requires ROLE_USER -->
<intercept-url pattern="/**" access="ROLE_USER" />
<access-denied-handler error-page="/error/403"/>
<!-- Custom login page -->
<form-login login-page='/login' default-target-url='/'
authentication-failure-url="/login?login_error=1"
always-use-default-target='false' />
<!-- Allow user to stay logged in -->
<remember-me />
<!-- Custom logout page and remove the session id cookie -->
<logout logout-url='/logout' delete-cookies="JSESSIONID"/>
<session-management>
<concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
</session-management>
<!-- Custom session timeout page -->
<session-management invalid-session-url="/login?login_error=2" />
</http>