spring security4 security="none"小讲

最新推荐文章于 2022-04-13 18:28:52 发布
最新推荐文章于 2022-04-13 18:28:52 发布
阅读量7.2k 收藏 2
点赞数
分类专栏: Spring Security
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Chenctrl/article/details/49489783
版权

在学习spring security4时,参考文档,spring-security.xml有如下片段:

    <http pattern="/resources/**" security="none" />
    <http pattern="/login" security="none"/>
    <http auto-config="true" use-expressions="true">
        <!-- <intercept-url pattern="/login" access="permitAll" /> -->
        <intercept-url pattern="/about" access="permitAll" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
        <custom-filter ref="ipFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
        <remember-me remember-me-parameter="remember-me" token-validity-seconds="604800" data-source-ref="dataSource" user-service-ref="customjdbcUserService"/>
        <form-login login-page="/login" default-target-url="/"
            password-parameter="pwd" />
        <logout logout-success-url="/about" />
    </http>
Controller细节为: 

	@Controller
public class BaseController {
	@Autowired
	private SessionRegistry SessionRegistry;
	@RequestMapping("/")
	public String index(){
		return "index";
	}
	@RequestMapping("/login")
	public void login(){
		
	}

访问login时出现问题,表现为response为login页面,并没有进行登陆验证。

但当这样配置时,又可以正常登陆:

<http pattern="/resources/**" security="none" />
	<http pattern="/about" security="none" />
	<http auto-config="true">
		<strong><em><u><span style="color:#ff0000;"><intercept-url pattern="/login" access="permitAll" /></span></u></em></strong>
		<intercept-url pattern="/user/**" access="hasRole('USER')" />
		<intercept-url pattern="/admin/**" access="hasRole('ADMIN')" />
		<!-- 这个要在最后一个拦截,否则会匹配上,/user,/admin都将失效(未验证) -->
		<intercept-url pattern="/**" access="hasRole('USER')" />
		<session-management session-fixation-protection="migrateSession">
			<concurrency-control max-sessions="1"
				expired-url="/login?error=expired" />
		</session-management>
		<custom-filter ref="ipFilter" before="FILTER_SECURITY_INTERCEPTOR" />
		<remember-me key="elim" remember-me-parameter="remember-me"
			token-validity-seconds="604800" data-source-ref="dataSource"
			user-service-ref="customjdbcUserService" />
		<form-login login-page="/login" default-target-url="/"
			password-parameter="pwd" />
		<logout logout-success-url="/about" />
	</http>

(原来的代码找不到了,这是做过一定功能增加及修正后的,重点在红色行)

这样可以正常验证并登录。


记录下登陆验证出现问题时debug级别的日志信息,如下:

22:32:42,905 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/resources/**'
22:32:42,905 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/login'
<strong><span style="color:#ff0000;">22:32:42,905 DEBUG FilterChainProxy:200 - /login has an empty filter list</span></strong>
22:32:42,906 DEBUG DispatcherServlet:861 - DispatcherServlet with name 'springmvc' processing POST request for [/login]
22:32:42,907 DEBUG RequestMappingHandlerMapping:294 - Looking up handler method for path /login
22:32:42,908 DEBUG RequestMappingHandlerMapping:299 - Returning handler method [public void com.bay1ts.controller.BaseController.login()]
22:32:42,908 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'baseController'
22:32:42,909 DEBUG DispatcherServlet:1241 - Rendering view [org.springframework.web.servlet.view.JstlView: name 'login'; URL [/WEB-INF/jsps/login.jsp]] in DispatcherServlet with name 'springmvc'
22:32:42,910 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'requestDataValueProcessor'
22:32:42,910 DEBUG JstlView:166 - Forwarding to resource [/WEB-INF/jsps/login.jsp] in InternalResourceView 'login'
22:32:42,919 DEBUG DispatcherServlet:996 - Successfully completed request
可以发现:

第三行处,/login has an empty filter list。其实这是可以理解的,因为在拦截处,如果配置单独的<http>元素,并security="none",会让spring security放弃对这个pattern的所有处理,包括登陆验证,所以会出现上面描述的问题

而使用

<intercept-url pattern="/login" access="permitALL" />
<span style="font-family: Arial, Helvetica, sans-serif;">时,表示对这个pattern不进行权限限制,但还是需要经过spring security 的过滤器链的,即包括登陆验证的过滤器。</span>

下面是正常登录是的


22:56:22,763 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/resources/**'
22:56:22,770 DEBUG FilterChainProxy:324 - /login at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
22:56:22,770 DEBUG HttpSessionSecurityContextRepository:171 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
22:56:22,770 DEBUG HttpSessionSecurityContextRepository:101 - No SecurityContext was available from the HttpSession: org.eclipse.jetty.server.session.HashedSession:1bf4hxwrtqrdvs3dedd70rh8o@1206903733. A new one will be created.
22:56:22,770 DEBUG FilterChainProxy:324 - /login at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
22:56:22,770 DEBUG FilterChainProxy:324 - /login at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
22:56:22,771 DEBUG HstsHeaderWriter:128 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@1945827
22:56:22,771 DEBUG FilterChainProxy:324 - /login at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
22:56:22,772 DEBUG FilterChainProxy:324 - /login at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
22:56:22,772 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/logout'
22:56:22,773 DEBUG FilterChainProxy:324 - /login at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
22:56:22,773 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/login'
22:56:22,773 DEBUG UsernamePasswordAuthenticationFilter:211 - Request is to process authentication
22:56:22,774 DEBUG ProviderManager:162 - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
22:56:22,778 DEBUG JdbcTemplate:693 - Executing prepared SQL query
22:56:22,780 DEBUG JdbcTemplate:627 - Executing prepared SQL statement [select username,password,enabled from users where username = ?]
22:56:22,788 DEBUG DataSourceUtils:110 - Fetching JDBC Connection from DataSource
22:56:22,862  INFO AbstractPoolBackedDataSource:203 - Initializing c3p0 pool... com.mchange.v2.c3p0.ComboPooledDataSource [ acquireIncrement -> 3, acquireRetryAttempts -> 30, acquireRetryDelay -> 1000, autoCommitOnClose -> false, automaticTestTable -> null, breakAfterAcquireFailure -> false, checkoutTimeout -> 0, connectionCustomizerClassName -> null, connectionTesterClassName -> com.mchange.v2.c3p0.impl.DefaultConnectionTester, contextClassLoaderSource -> caller, dataSourceName -> 1hge1379c1b42a3w17r38ui|3c87fdf2, debugUnreturnedConnectionStackTraces -> false, description -> null, driverClass -> com.mysql.jdbc.Driver, extensions -> {}, factoryClassLocation -> null, forceIgnoreUnresolvedTransactions -> false, forceUseNamedDriverClass -> false, identityToken -> 1hge1379c1b42a3w17r38ui|3c87fdf2, idleConnectionTestPeriod -> 0, initialPoolSize -> 3, jdbcUrl -> jdbc:mysql://localhost:3306/jdbcdaoimpl?characterEncoding=UTF-8, maxAdministrativeTaskTime -> 0, maxConnectionAge -> 0, maxIdleTime -> 0, maxIdleTimeExcessConnections -> 0, maxPoolSize -> 15, maxStatements -> 0, maxStatementsPerConnection -> 0, minPoolSize -> 3, numHelperThreads -> 3, preferredTestQuery -> null, privilegeSpawnedThreads -> false, properties -> {user=******, password=******}, propertyCycle -> 0, statementCacheNumDeferredCloseThreads -> 0, testConnectionOnCheckin -> false, testConnectionOnCheckout -> false, unreturnedConnectionTimeout -> 0, userOverrides -> {}, usesTraditionalReflectiveProxies -> false ]
22:56:22,895 DEBUG MConfig:198 - The configuration file for resource identifier '/mchange-commons.properties' could not be found. Skipping.
java.io.FileNotFoundException: Resource not found at path '/mchange-commons.properties'.
    at com.mchange.v2.cfg.BasicPropertiesConfigSource.propertiesFromSource(BasicPropertiesConfigSource.java:64)
    at com.mchange.v2.cfg.BasicMultiPropertiesConfig.firstInit(BasicMultiPropertiesConfig.java:185)
    at com.mchange.v2.cfg.BasicMultiPropertiesConfig.<init>(BasicMultiPropertiesConfig.java:110)
    at com.mchange.v2.cfg.ConfigUtils.read(ConfigUtils.java:63)
    at com.mchange.v2.cfg.MConfig$CSManager.recreateFromKey(MConfig.java:153)
    at com.mchange.v1.cachedstore.NoCleanupCachedStore.find(NoCleanupCachedStore.java:63)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.mchange.v1.lang.Synchronizer$1.invoke(Synchronizer.java:58)
    at com.sun.proxy.$Proxy29.find(Unknown Source)
    at com.mchange.v2.cfg.MConfig.readVmConfig(MConfig.java:75)
    at com.mchange.v2.cfg.MConfig.readVmConfig(MConfig.java:81)
    at com.mchange.v2.resourcepool.BasicResourcePool.<clinit>(BasicResourcePool.java:60)
    ...//日志信息过长,这里是无关紧要的部分,省去了。
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:695)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:727)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:737)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:787)
    at org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl.loadUsersByUsername(JdbcDaoImpl.java:216)
    at org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl.loadUserByUsername(JdbcDaoImpl.java:173)
    at org.springframework.security.authentication.dao.DaoAuthenticationProvider.retrieveUser(DaoAuthenticationProvider.java:114)
    at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:143)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
    at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:93)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:120)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1667)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1667)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:581)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1114)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:511)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1048)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119)
    at org.eclipse.jetty.server.Server.handle(Server.java:517)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:302)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:242)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:245)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
    at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:75)
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213)
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572)
    at java.lang.Thread.run(Thread.java:745)
22:56:22,992 DEBUG BasicResourcePool:195 - com.mchange.v2.resourcepool.BasicResourcePool@a87512f config: [start -> 3; min -> 3; max -> 15; inc -> 3; num_acq_attempts -> 30; acq_attempt_delay -> 1000; check_idle_resources_delay -> 0; max_resource_age -> 0; max_idle_time -> 0; excess_max_idle_time -> 0; destroy_unreturned_resc_time -> 0; expiration_enforcement_delay -> 0; break_on_acquisition_failure -> false; debug_store_checkout_exceptions -> false]
22:56:22,992 DEBUG C3P0PooledConnectionPoolManager:195 - Created new pool for auth, username (masked): 'ro******'.
22:56:22,992 DEBUG BasicResourcePool:195 - acquire test -- pool size: 0; target_pool_size: 3; desired target? 1
22:56:22,993 DEBUG BasicResourcePool:195 - awaitAvailable(): [unknown]
22:56:23,568 DEBUG DataSourceUtils:327 - Returning JDBC Connection to DataSource
22:56:23,570 DEBUG JdbcTemplate:693 - Executing prepared SQL query
22:56:23,570 DEBUG JdbcTemplate:627 - Executing prepared SQL statement [select username,authority from authorities where username = ?]
22:56:23,571 DEBUG DataSourceUtils:110 - Fetching JDBC Connection from DataSource
22:56:23,573 DEBUG DataSourceUtils:327 - Returning JDBC Connection to DataSource
22:56:23,578 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'sqlSessionFactory'
22:56:23,578 DEBUG CompositeSessionAuthenticationStrategy:86 - Delegating to org.springframework.security.web.csrf.CsrfAuthenticationStrategy@70540f7b
22:56:23,580 DEBUG CompositeSessionAuthenticationStrategy:86 - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@51ae01da
22:56:23,581 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'sqlSessionFactory'
22:56:23,582 DEBUG UsernamePasswordAuthenticationFilter:317 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER
22:56:23,582 DEBUG PersistentTokenBasedRememberMeServices:147 - Creating new persistent login for user admin
22:56:23,586 DEBUG JdbcTemplate:908 - Executing prepared SQL update
22:56:23,586 DEBUG JdbcTemplate:627 - Executing prepared SQL statement [insert into persistent_logins (username, series, token, last_used) values(?,?,?,?)]
22:56:23,587 DEBUG DataSourceUtils:110 - Fetching JDBC Connection from DataSource
22:56:23,593 DEBUG JdbcTemplate:918 - SQL update affected 1 rows
22:56:23,594 DEBUG DataSourceUtils:327 - Returning JDBC Connection to DataSource
22:56:23,594 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'sqlSessionFactory'
22:56:23,595 DEBUG SavedRequestAwareAuthenticationSuccessHandler:110 - Using default Url: /
22:56:23,595 DEBUG DefaultRedirectStrategy:39 - Redirecting to '/'
22:56:23,595 DEBUG HttpSessionSecurityContextRepository:362 - SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@fec65191: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER' stored to HttpSession: 'org.eclipse.jetty.server.session.HashedSession:m2b22n17auwqwwbhl5t9veiw@1206903733
22:56:23,596 DEBUG SecurityContextPersistenceFilter:105 - SecurityContextHolder now cleared, as request processing completed
22:56:23,598 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/'; against '/resources/**'
22:56:23,599 DEBUG FilterChainProxy:324 - / at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
22:56:23,599 DEBUG HttpSessionSecurityContextRepository:192 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@fec65191: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER'
22:56:23,599 DEBUG FilterChainProxy:324 - / at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
22:56:23,600 DEBUG FilterChainProxy:324 - / at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
22:56:23,600 DEBUG HstsHeaderWriter:128 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@1945827
22:56:23,600 DEBUG FilterChainProxy:324 - / at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
22:56:23,600 DEBUG FilterChainProxy:324 - / at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
22:56:23,600 DEBUG AntPathRequestMatcher:131 - Request 'GET /' doesn't match 'POST /logout
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
22:56:23,601 DEBUG AntPathRequestMatcher:131 - Request 'GET /' doesn't match 'POST /login
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 7 of 15 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 8 of 15 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 9 of 15 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 10 of 15 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
22:56:23,602 DEBUG RememberMeAuthenticationFilter:153 - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER'
22:56:23,602 DEBUG FilterChainProxy:324 - / at position 11 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
22:56:23,602 DEBUG AnonymousAuthenticationFilter:106 - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER'
22:56:23,602 DEBUG FilterChainProxy:324 - / at position 12 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'
22:56:23,602 DEBUG FilterChainProxy:324 - / at position 13 of 15 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
22:56:23,602 DEBUG FilterChainProxy:324 - / at position 14 of 15 in additional filter chain; firing Filter: 'IPRoleAuthenticationFilter'
22:56:23,603 DEBUG FilterChainProxy:324 - / at position 15 of 15 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
22:56:23,603 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/'; against '/login'
22:56:23,603 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/'; against '/about'
22:56:23,603 DEBUG FilterSecurityInterceptor:218 - Secure object: FilterInvocation: URL: /; Attributes: [hasRole('ROLE_USER')]
22:56:23,603 DEBUG FilterSecurityInterceptor:347 - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER
22:56:23,608 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@71ed560f, returned: 1
22:56:23,608 DEBUG FilterSecurityInterceptor:242 - Authorization successful
22:56:23,608 DEBUG FilterSecurityInterceptor:255 - RunAsManager did not change Authentication object
22:56:23,609 DEBUG FilterChainProxy:309 - / reached end of additional filter chain; proceeding with original chain
22:56:23,609 DEBUG DispatcherServlet:861 - DispatcherServlet with name 'springmvc' processing GET request for [/]
22:56:23,609 DEBUG RequestMappingHandlerMapping:294 - Looking up handler method for path /
22:56:23,610 DEBUG RequestMappingHandlerMapping:299 - Returning handler method [public java.lang.String com.bay1ts.controller.BaseController.index()]
22:56:23,610 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'baseController'
22:56:23,611 DEBUG DispatcherServlet:947 - Last-Modified value for [/] is: -1
22:56:23,612 DEBUG DefaultListableBeanFactory:1616 - Invoking afterPropertiesSet() on bean with name 'index'
22:56:23,612 DEBUG DispatcherServlet:1241 - Rendering view [org.springframework.web.servlet.view.JstlView: name 'index'; URL [/WEB-INF/jsps/index.jsp]] in DispatcherServlet with name 'springmvc'
22:56:23,612 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'requestDataValueProcessor'
22:56:23,613 DEBUG JstlView:166 - Forwarding to resource [/WEB-INF/jsps/index.jsp] in InternalResourceView 'index'
22:56:23,764 DEBUG DispatcherServlet:996 - Successfully completed request
22:56:23,764 DEBUG ExceptionTranslationFilter:116 - Chain processed normally
22:56:23,765 DEBUG SecurityContextPersistenceFilter:105 - SecurityContextHolder now cleared, as request processing completed
 

这是去stackoverflow提问后明确出来的结论,原文:

http://stackoverflow.com/questions/33371389/spring-security4-login-doesnt-pass-through-any-filter

答题的人还指明了一些配置文件中的错误或者冗余信息。例如:

对url pattern的拦截顺序,pattern="/**"要放在最后拦截,因为他会匹配任何一个请求,并将对应的访问权限设置为其权限。比如

    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/about" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
当访问/admin/时,会匹配上/**,并检查其权限是否有USER权限,而并不需要ADMIN权限。从而屏蔽掉后面的模式。所以要将其配置在最后一个。另外在spring security 4+ 中,并不需要给权限加上ROLE_前缀。所以,修正后的配置文件应该像: 

 <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/about" access="permitAll" />
    <intercept-url pattern="/user/*" access="hasRole('USER')" />
    <intercept-url pattern="/admin/*" access="hasRole('ADMIN')"/>
    <intercept-url pattern="/**" access="hasRole('USER')" />
省略了ROLE_前缀。

但是,省略前缀只能在配置文件中省略,在基于数据库的权限模型中,权限表中的值必须不能省略ROLE_前缀,否则会禁止访问!!这是血的教训,也可能是我其他的配置导致跟正常情况不同,但我更倾向于前者。


另外, /user/* 可以匹配上/user/12 但是不可以匹配上 /user/profile/12,所以,如果需要这种形式的url,需要将pattern更新 为/user/**。


新手,如有纰漏,请不吝指出。


Chenctrl
关注
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Not injecting HSTS header since it did not match the requestMatcher HSTS设置问题解决
了迹奇有没
08-26 6541
HSTS请求设置 错误描述:在使用文件上传功能时,form表单提交带有header数据的请求时遇到这个问题,报错如下: Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@79cc14a4 [DEBUG] 2021-08-26 14:04:27.3
Spring Securitysecurity none, filters none, access permitAll
weixin_30699741的博客
05-20 419
1.概述 Spring Security提供了几种将请求模式配置为不安全或允许所有访问的机制。取决于这些机制中的哪一种 - 这可能意味着根本不在该路径上运行安全过滤器链,或者运行过滤器链并允许访问 2. access=”permitAll” 使用access =“permitAll”设置元素将配置授权,以便在该特定路径上允许所有请求: <intercept-url pattern="/log...
Reject: HTTP ‘DELETE‘ is not allowed, Not injecting HSTS.....DELETE请求PUT请求跨域问题
了迹奇有没
08-26 793
CORS(DELETE请求、PUT请求) Reject: HTTP 'DELETE' is not allowed [DEBUG] 2021-08-25 15:23:52.401 [http-nio-10010-exec-1] HstsHeaderWriter.writeHeaders(169) - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.head
spring security 一个验证码登录例子
珍惜
04-03 652
看完shiro,在看spring security感觉快了很多,最开始看spring security的时候,非常晕,看完我觉得spring security做了太多事,以至于程序员都不知道,是怎么实现的,这样的后果就是 当出现错误,或者需要修改的时候感觉无从下手。个人理解,若有错误,请指正。spring security跟shiro类似,都是使用过滤器来认证和授权,不同的是spring seci...
Spring Security出现问题:Access is denied 及我的解决方案
热门推荐
txd2016_5_11的博客
01-24 6万+
近日使用spring security,xml文件如下: ...... <!-- 页面拦截规则 --> <http pattern="/shoplogin.html" security="none"></http> <http pattern="/loginerror.html" security="none"></http> ...
spring security自定义登录页面
08-29
Spring Security自定义登录页面 在 Spring Security 框架中,默认的登录页面并不是很友好,特别是在实际项目中,我们通常需要使用自己的登录页面来满足业务需求。今天,我们将讨论如何自定义 Spring Security 的...
spring-security3入门教程.doc
最新发布
09-04
Spring Security 是一个强大的且高度可定制的身份验证和访问控制框架,用于保护基于 Java 的应用程序。在 Spring Security 3.x 版本中,它引入了许多改进和新特性,使得安全控制更加灵活和易于配置。以下是一份针对 ...
Spring Security简易配置指南
08-04
4. **定义用户权限和认证**:在Spring Security配置中,你需要定义用户、角色和权限。这通常通过`<authentication-manager>`和`<user-service>`元素完成,或者通过连接到数据库的自定义提供者。 ```xml ...
security.rar
10-08
Spring Security RBAC 1.0(参考自...)
Spring_Security_3.x 搭建教程.
05-14
Spring Security 3.x 搭建教程】 Spring Security 是一个强大的且高度可定制的身份验证和访问控制框架,用于保护基于 Java 的 Web 应用程序。在本教程中,我们将探讨如何逐步搭建 Spring Security 3.x 环境,特别...
Spring security搭建与使用
zpgrzy的博客
11-23 586
Spring security权限管理 意义: Spring security是一个为基于Spring的应用系统提供一个声明式的访问控制的安全框架, 提供了一组在Spring应用上下文中配置的Bean,利用IOC,DI,AOP等功能, 减少了为企业应用系统安全控制编写大量重复代码的工作   原理: Spring security 使用的是 servlet 规范中标准的过滤器
(二)spring.mvc spring security3
dezxz26426的专栏
05-24 138
1<http pattern="/static/css/**" security="none" /> 用来配置不需要ss拦截的url 2 <http use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint"access-denied-page="/...
Spring Security3.1登陆验证
lvdong5830的专栏
01-14 143
Spring Security3.1登陆验证 分类: spring2011-05-21 20:40 2401人阅读 评论(8) 收藏 举报 一、前言       在上一篇http://blog.csdn.net/k10509806/archive/2011/04/28/6369131.aspx文章中,提到的MyUserDetailServiceImpl获取用户权限,在用...
spring security 11种过滤器介绍
我们不生产任何代码 只做代码的搬运工
12-29 5448
1.HttpSessionContextIntegrationFilter     位于过滤器顶端,第一个起作用的过滤器。   用途一,在执行其他过滤器之前,率先判断用户的session中是否已经存在一个SecurityContext了。如果存在,就把SecurityContext拿出来,放到SecurityContextHolder中,供Spring Securi
spring security-config.xml
andZuo的博客
05-04 599
--> --> login-processing-url="/signon" authentication-success-handler-ref="myAuthenticationSuccessHandler" authentication-failure-url="/"/> logout-url="/signoff" logout-success-url="/"/
spring securitysecurity="none"与ROLE_ANONYMOUS区别
weixin_33898876的博客
06-10 1978
为什么80%的码农都做不了架构师?>>> ...
Spring Security权限框架的简易入门
Tiger_Paul的博客
04-13 388
Spring SecuritySpring提供的安全认证服务的框架。 使用Spring Security可以帮助我们来简化认证和授权的过程。
java config配置404页面_使用Spring 4注释的java – 404错误页面配置
weixin_31787977的博客
02-24 567
我有一个Spring 4的Spring MVC项目.我的服务器是tomcat 7.我正在尝试制作一个404页面,我尝试了很多东西,但我做不到.我错过了什么?这是WebAppContext:@Configuration@ComponentScan(basePackages = {"com.***"})@EnableWebMvcpublic class WebAppContext extends We...
SSH项目中遇到的不细心错误!
H'Sunshine 。
11-19 836
最近学到三大框架的整合,在做项目中遇到一个因为自己不细心而引起的错误,害我排了将近一个小时可能因为自己还是刚刚接触吧,但是三大框架在整合中确实有很多摸不到头脑的问题,今天就遇到在一个部门管理页面添部门时,我并没有在代码里面做回显反而在页面输入框中显示了我的信息,原来Action在spring中依赖注入没有设置为多例而导致  <bean id="departmentAction" class="c
spring security 接收用户名NONE_PROVIDED
06-03
当用户在登录时没有提供任何用户名时,Spring Security 会将用户名设置为“NONE_PROVIDED”,以表示该用户没有提供任何有效的用户名。这通常会触发一个异常,因为用户名不能为空。 为了避免这种情况,你可以在登录页面上添加必填项验证,确保用户必须输入一个有效的用户名。另外,你还可以在 Spring Security 的配置文件中设置一个默认的用户名,以防止出现“NONE_PROVIDED”的情况。具体来说,你可以使用`org.springframework.security.authentication.AuthenticationServiceException`异常来处理这种情况,例如: ```java @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { if (StringUtils.isBlank(username) || "NONE_PROVIDED".equals(username)) { throw new AuthenticationServiceException("用户名不能为空"); } // TODO: 根据用户名加载用户信息 } ``` 这里使用了`StringUtils.isBlank()`方法来判断用户名是否为空,如果为空或为“NONE_PROVIDED”,则抛出一个`AuthenticationServiceException`异常。你也可以根据具体情况自定义异常类型。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值