1.配置文件中的http标签变为security:http
Field or property 'ROLE_USER' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot
需要使用hasRole()来包裹角色名;如果在security:http上加上use-expressions="false"这个属性,就可以直接写角色名了.
官方文档:
use-expressions: Spring Security will then expect the access attributes of the <intercept-url> elements to contain Spring EL expressions. The expressions should evaluate to a Boolean, defining whether access should be allowed or not.
所以,如果不写这个属性,默认use-expressions="true",那么要允许匿名访问,直接写access="true"就可以了;如果写IS_AUTHENTICATED_ANONYMOUSLY,肯定会出问题咯.
警告: Anonymous access to the login page doesn't appear to be enabled. This is almost certainly an error. Please check your configuration allows unauthenticated access to the configured login page. (Simulated access was rejected: org.springframework.security.access.AccessDeniedException: Access is denied)
Could not verify the provided CSRF token because your CSRF session was not found
这是Spring Security为了防止跨站请求伪造(CSRF)所做的检查.如果需要关闭,那么在security:http下添加一个子标签<security:csrf disabled="true" />
或者保持配置不变,在登录的表单中添加验证信息:
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
一个梨子:
<!-- Legacy (non-expression) form: with use-expressions="false" the access
     attribute holds plain authority names / voter keywords, not SpEL. -->
<security:http auto-config="true" use-expressions="false">
<!-- Anonymous (unauthenticated) users may access this URL. The login page has
     to stay reachable this way, otherwise Spring Security logs the
     "Anonymous access to the login page doesn't appear to be enabled" warning. -->
<security:intercept-url pattern="/go/logon" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<!-- NOTE(review): "/admin/*" matches a single path segment only; nested paths
     such as /admin/x/y fall through to the "/**" rule below, which ROLE_USER
     also satisfies. Use "/admin/**" if the whole subtree is admin-only. -->
<security:intercept-url pattern="/admin/*" access="ROLE_ADMIN"/>
<!-- comma-separated list; presumably any one of the listed roles is enough -
     confirm against the configured decision manager -->
<security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
<security:form-login login-page="/go/logon"
login-processing-url="/login" username-parameter="username"
password-parameter="password" />
<!-- Switches CSRF protection off for the whole application. The alternative
     that keeps the protection is to leave this element out and submit the
     token from the login form as a hidden ${_csrf.parameterName}/${_csrf.token}
     field. -->
<security:csrf disabled="true" />
</security:http>
另一个梨子:
<!-- Expression form: use-expressions defaults to "true", so every access
     attribute is a SpEL expression that must evaluate to a Boolean. -->
<security:http auto-config="true">
<!-- "true" is a constant-true expression, i.e. anyone may reach the login page;
     Spring Security's permitAll is the conventional spelling for this. -->
<security:intercept-url pattern="/go/logon" access="true"/>
<!-- NOTE(review): "/admin/*" matches a single path segment only; nested paths
     such as /admin/x/y fall through to the "/**" rule below, which ROLE_USER
     also satisfies. Use "/admin/**" if the whole subtree is admin-only. -->
<security:intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
<!-- role names must be wrapped in hasRole(); a bare ROLE_USER is looked up as
     a property of WebSecurityExpressionRoot and fails -->
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')"/>
<security:form-login login-page="/go/logon"
login-processing-url="/login" username-parameter="username"
password-parameter="password" />
<!-- Switches CSRF protection off for the whole application. The alternative
     that keeps the protection is to leave this element out and submit the
     token from the login form as a hidden ${_csrf.parameterName}/${_csrf.token}
     field. -->
<security:csrf disabled="true" />
</security:http>
默认开启这个功能(CSRF防护)后,我们在使用退出登录配置时又出现了问题.
<!-- With CSRF protection enabled, /logout is only accepted as a POST that
     carries the CSRF token; a plain GET link is not handled and ends in a 404. -->
<security:logout logout-url="/logout" />
如果在登录后直接访问/logout去退出登录,会出问题:404,找不到页面.先放一下文档:
http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-logout
我们需要通过POST方式才能退出登录咯.
点击退出时,用一个ajax以POST方式去请求/logout,同时带上CSRF token的值就可以了,否则会403.
/**
 * Logs the current user out by POSTing to /logout.
 *
 * With CSRF protection on, Spring Security only accepts the logout request as a
 * POST that carries the CSRF token, so the token is read from the hidden
 * #logoutParam input and sent as a form field named after that input. On a
 * JSON reply with success=true the page navigates to the index; a transport
 * error shows a failure message.
 */
function logout() {
    var tokenField = $("#logoutParam");
    var payload = {};
    payload[tokenField.attr("name")] = tokenField.val();
    $.ajax("/logout", {
        type: "POST",
        data: payload,
        success: function (resp) {
            if (resp.success) {
                goIndex();
            }
        },
        error: function () {
            alert1("退出失败");
        }
    });
}
5.使用Spring Security提供的基于数据库的用户验证时,那些SQL建表语句需要改一改.MySQL版本如下(注意一下执行顺序就可以了,有一些外键约束)
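-- Spring Security JDBC user/group tables, MySQL dialect.
-- DROP order is child-first: InnoDB refuses to drop a table that is still the
-- parent of a foreign key (users <- authorities, groups <- group_members and
-- group_authorities), so dropping the parents first fails on a re-run.
DROP TABLE IF EXISTS `authorities`;
DROP TABLE IF EXISTS `blog`.`group_authorities`;
DROP TABLE IF EXISTS `blog`.`group_members`;
DROP TABLE IF EXISTS `users`;
DROP TABLE IF EXISTS `groups`;

-- CREATE order is parent-first so every REFERENCES target already exists.

-- users: one row per login name.
CREATE TABLE `users` (
`username` varchar(50) NOT NULL,
-- NOTE(review): 50 chars only holds a plaintext or very short value; a bcrypt
-- hash alone is 60 chars (longer with an encoder-id prefix). Widen this column
-- if a hashing PasswordEncoder is configured -- the encoder is not shown here.
`password` varchar(50) NOT NULL,
`enabled` tinyint(1) NOT NULL,
PRIMARY KEY (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- groups: a named set of authorities; users join a group through group_members.
-- AUTO_INCREMENT=3 is a leftover from the dump this was exported from and only
-- sets the next id value.
CREATE TABLE `groups` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`group_name` varchar(45) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;

-- group_members: which user belongs to which group.
-- NOTE(review): this table and group_authorities are qualified with `blog` while
-- users/groups/authorities and the REFERENCES targets are not; run the script
-- with `blog` as the current database (or drop the prefix) so the foreign keys
-- resolve to the tables created above.
-- NOTE(review): nothing ties `username` to users(`username`); a foreign key
-- would stop memberships from outliving the user row.
CREATE TABLE `blog`.`group_members` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`username` varchar(50) NOT NULL,
`group_id` int(10) unsigned NOT NULL,
PRIMARY KEY (`id`),
KEY `fk_group_members_group` (`group_id`),
CONSTRAINT `fk_group_members_group` FOREIGN KEY (`group_id`) REFERENCES `groups` (`id`) ON DELETE NO ACTION ON UPDATE NO ACTION
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- group_authorities: the authorities granted by a group.
-- Composite key: with PRIMARY KEY (`group_id`) alone a group could carry exactly
-- one authority, which defeats the purpose of the table.
CREATE TABLE `blog`.`group_authorities` (
`group_id` int(10) unsigned NOT NULL,
`authority` varchar(50) NOT NULL,
PRIMARY KEY (`group_id`,`authority`),
CONSTRAINT `fk_group_authorities_group` FOREIGN KEY (`group_id`) REFERENCES `groups` (`id`) ON DELETE NO ACTION ON UPDATE NO ACTION
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- authorities: authorities granted directly to a user.
-- UNIQUE so the same authority cannot be granted to a user twice (a plain KEY
-- allowed duplicates).
CREATE TABLE `authorities` (
`username` varchar(50) NOT NULL,
`authority` varchar(50) NOT NULL,
UNIQUE KEY `ix_auth_username` (`username`,`authority`),
CONSTRAINT `fk_authorities_users` FOREIGN KEY (`username`) REFERENCES `users` (`username`) ON DELETE NO ACTION ON UPDATE NO ACTION
) ENGINE=InnoDB DEFAULT CHARSET=utf8;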