Spring Web Security: cannot access page after successful login
I want to learn about spring-web security. For this, I created a web application with a login page and two different users:
- Contact
- User/Guest
The LoginController class handles three kinds of URLs.
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class LoginController {

    /*
     * Used to guide the user to the login page.
     */
    @RequestMapping(value = "/login/login.htm", method = RequestMethod.GET)
    public ModelAndView login() {
        ModelAndView modelAndView = new ModelAndView("login");
        System.out.println("Rendering login page.................");
        return modelAndView;
    }

    /*
     * Processes the successful login and redirects the user to the
     * Admin/User page according to the role.
     */
    @RequestMapping(value = "/login/success")
    public ModelAndView loginSuccess(HttpServletRequest request) {
        ModelAndView modelAndView = new ModelAndView();
        // Collect the granted authority names of the currently authenticated user.
        Set<String> roles = AuthorityUtils
                .authorityListToSet(SecurityContextHolder.getContext()
                        .getAuthentication().getAuthorities());
        System.out.println("ROLES: " + roles);
        if (roles.contains("USER_ADMIN")) {
            modelAndView.setViewName("admin");
        } else {
            modelAndView.setViewName("user");
        }
        return modelAndView;
    }

    /*
     * The admin page has a hyperlink to the manage-user page. It is handled here.
     */
    @RequestMapping(value = "/admin/manageUser.htm", method = RequestMethod.GET)
    public ModelAndView manageUser() {
        ModelAndView modelAndView = new ModelAndView("manageUser");
        return modelAndView;
    }
}
The web.xml
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/SecurityConfig.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
In the Spring Security config, I restrict all URLs under 'admin/' and 'user/'.
<http auto-config="true">
    <intercept-url pattern="/admin/**" access="hasRole('USER_ADMIN')"/>
    <intercept-url pattern="/user/**" access="hasRole('USER_GUEST')"/>
    <form-login login-page="/login/login.htm"
                username-parameter="userName"
                password-parameter="password"
                login-processing-url="/j_spring_security_check"
                authentication-success-forward-url="/login/success"/>
    <remember-me/>
</http>
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="renju" password="12345" authorities="USER_ADMIN"/>
            <user name="guest" password="guest" authorities="USER_GUEST"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
When I open 'http://localhost:8080/SpringWebSecurityThree-0.0.1-SNAPSHOT/login/login.htm', the application shows the custom login page.
After entering the admin username and password, the application opens the admin page. Now,
when I click 'ManageUser', I expect the application to take me to the manageuser page. But it says 'Access Denied'.
I believe this is related to the intercept URLs given above.
Could you help me fix this problem?
I am posting the jsp pages too..
The login.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Insert title here</title>
</head>
<body>
    <c:if test="${not empty error}">
        <c:out value="${error}"></c:out>
    </c:if>
    <form action="../j_spring_security_check" method="post">
        <table>
            <tr>
                <td>UserName</td>
                <td><input type="text" name="userName"></td>
            </tr>
            <tr>
                <td>Password</td>
                <td><input type="password" name="password"></td>
            </tr>
            <tr>
                <td><input type="submit" name="LOGIN"></td>
            </tr>
        </table>
        <input type="hidden" name="${_csrf.parameterName}"
               value="${_csrf.token}" />
    </form>
</body>
</html>
admin.jsp
manageuser.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ page session="true" %>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Insert title here</title>
</head>
<body>
    Managing User....
    <br/>
    Logged In UserType:
    <%
        out.println(session.getAttribute("userType"));
    %>
</body>
</html>
Thanks. I did not keep it intentionally. I kept it while I was using the http tag to work around this problem. I also tried 'create-session='always''. That did not work either. Removed it. – Renjith
@Renju please provide the error log to determine the problem – ScanQR
I do not have any error logs in the JBoss console. I believe it is some condition I kept in the security config that is blocking it. So there is nothing to throw an error. – Renjith
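As an added example (not part of the original question or the comments above): the `<http>` block from the question beside a version that matches the authority names the in-memory users actually carry. It assumes Spring Security 4.x, where `hasRole('USER_ADMIN')` is evaluated as "has the authority `ROLE_USER_ADMIN`"; because the configured users only hold `USER_ADMIN` and `USER_GUEST`, every request to `/admin/**` fails that check and is answered with Access Denied even after a successful login, which is exactly the symptom described. The `permitAll` rule for `/login/**`, the `authenticated` catch-all and the `<logout/>` element are additions made here to give the filter chain a deny-by-default shape; they are not in the original config. The `ROLE_`-prefixed authority names in the second option are an assumption about how one would rename them.

```xml
<!-- As posted (Spring Security 4.x assumed): hasRole('USER_ADMIN') looks for
     the authority ROLE_USER_ADMIN, but user "renju" only carries USER_ADMIN,
     so /admin/manageUser.htm is denied although authentication succeeded. -->
<http auto-config="true">
    <intercept-url pattern="/admin/**" access="hasRole('USER_ADMIN')"/>
    <intercept-url pattern="/user/**" access="hasRole('USER_GUEST')"/>
    <form-login login-page="/login/login.htm"
                username-parameter="userName"
                password-parameter="password"
                login-processing-url="/j_spring_security_check"
                authentication-success-forward-url="/login/success"/>
    <remember-me/>
</http>

<!-- Option 1: keep the existing authority names and compare them literally
     with hasAuthority(), which applies no ROLE_ prefix. The extra rules below
     (permitAll for the login page, authenticated for everything else) are an
     added deny-by-default layout, not part of the original question. -->
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login/**" access="permitAll"/>
    <intercept-url pattern="/admin/**" access="hasAuthority('USER_ADMIN')"/>
    <intercept-url pattern="/user/**"  access="hasAuthority('USER_GUEST')"/>
    <intercept-url pattern="/**"       access="authenticated"/>
    <form-login login-page="/login/login.htm"
                username-parameter="userName"
                password-parameter="password"
                login-processing-url="/j_spring_security_check"
                authentication-success-forward-url="/login/success"/>
    <logout/>
    <remember-me/>
</http>

<!-- Option 2 (alternative to option 1, assumed renaming): give the users
     ROLE_-prefixed authorities so the original hasRole('USER_ADMIN') and
     hasRole('USER_GUEST') rules match. The controller's
     roles.contains("USER_ADMIN") check must then compare against
     "ROLE_USER_ADMIN" as well. -->
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="renju" password="12345" authorities="ROLE_USER_ADMIN"/>
            <user name="guest" password="guest" authorities="ROLE_USER_GUEST"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
```

A quick way to confirm which case applies is the `ROLES:` line that `loginSuccess()` already prints: if it shows `[USER_ADMIN]` while the intercept rule uses `hasRole('USER_ADMIN')`, the names do not line up under the 4.x prefixing convention and one of the two options above is needed. Pick one option only; mixing `hasRole` rules with unprefixed authorities is the mismatch that produces the denial.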