Spring Servlet 和 Spring 安全过滤器链 Url 模式
Spring Servlet and Spring security filter chain Url Patterns
我在调试 spring 安全 j_spring_security_check 和 j_spring_security_logout 上的那些 404 消息时遇到了很多麻烦。我相信 SpringServlet Url-Pattern、springSecurityFilterChain Url-Pattern and/Or sitemesh.
之间可能存在一些冲突
这是我的 web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/applicationContext.xml</param-value>
</context-param>
<servlet>
<servlet-name>springServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/spring-servlet.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>sitemesh</filter-name>
<filter-class>org.sitemesh.config.ConfigurableSiteMeshFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>sitemesh</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
还有我的 ApplicationContext(包括 spring-security 部分):
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<context:component-scan base-package="com.xpto.portal" />
<tx:annotation-driven transaction-manager="txManager" />
<mvc:annotation-driven />
<bean id="handlerMapping" class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping">
<property name="order" value="1" />
</bean>
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/" access="hasRole('ROLE_USER')" />
<security:intercept-url pattern="/logout" access="permitAll" />
<security:logout logout-url="/logout"/>
</security:http>
<!-- Declare an authentication-manager to use a custom userDetailsService -->
<security:authentication-manager>
<security:authentication-provider user-service-ref="userDetailsService">
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>
<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder" />
<security:user-service id="userDetailsService">
<security:user name="john" password="21232f297a57a5a743894a0e4a801fc3" authorities="ROLE_USER, ROLE_ADMIN" />
<security:user name="jane" password="ee11cbb19052e40b07aac0ca060c23ee" authorities="ROLE_USER" />
</security:user-service>
<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="classpath:messages">
</property>
<property name="defaultEncoding" value="UTF-8">
</property>
</bean>
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang">
</property>
</bean>
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.CookieLocaleResolver">
<property name="defaultLocale" value="pt">
</property>
</bean>
</beans>
还有一个基本的主页控制器,returns 带有 sitemesh 的视图:
@Controller
@RequestMapping(value = "/")
public class HomeController {
@RequestMapping(method=RequestMethod.GET)
public String index()
{
return "home/index";
}
}
这适用于登录。如果我访问 localhost/portal,我将被重定向到 spring 的默认登录页面,然后我将被重定向到“/”。问题是这里 URL:
<a href="<c:url value="/logout" />">Logout</a>
生成 404 和此错误:
17:06:43,657 WARN [org.springframework.web.servlet.PageNotFound](默认任务 27)在名称为 'springServlet'[= 的 DispatcherServlet 中找不到带有 URI [/Portal/logout] 的 HTTP 请求的映射17=]
无论我是否更改注销-url,这都是一样的。
我怀疑过滤器和 spring servlet 之间有些不兼容,但我不知所措。
你能帮忙吗?
我正在使用 spring-security 4.0.1
谢谢!
更改注销。
像这样。
<a href='<c:url value="/j_spring_security_logout" />'>
我只需要使用一个表单来执行注销。像这样:
<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
<input type="submit" value="Log out" />
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
这是因为 spring-security 的 CSRF 是默认启用的,注销必须通过 POST 使用 CSRF 令牌执行。
我在调试 spring 安全 j_spring_security_check 和 j_spring_security_logout 上的那些 404 消息时遇到了很多麻烦。我相信 SpringServlet Url-Pattern、springSecurityFilterChain Url-Pattern and/Or sitemesh.
之间可能存在一些冲突这是我的 web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/applicationContext.xml</param-value>
</context-param>
<servlet>
<servlet-name>springServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/spring-servlet.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>sitemesh</filter-name>
<filter-class>org.sitemesh.config.ConfigurableSiteMeshFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>sitemesh</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
还有我的 ApplicationContext(包括 spring-security 部分):
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<context:component-scan base-package="com.xpto.portal" />
<tx:annotation-driven transaction-manager="txManager" />
<mvc:annotation-driven />
<bean id="handlerMapping" class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping">
<property name="order" value="1" />
</bean>
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/" access="hasRole('ROLE_USER')" />
<security:intercept-url pattern="/logout" access="permitAll" />
<security:logout logout-url="/logout"/>
</security:http>
<!-- Declare an authentication-manager to use a custom userDetailsService -->
<security:authentication-manager>
<security:authentication-provider user-service-ref="userDetailsService">
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>
<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder" />
<security:user-service id="userDetailsService">
<security:user name="john" password="21232f297a57a5a743894a0e4a801fc3" authorities="ROLE_USER, ROLE_ADMIN" />
<security:user name="jane" password="ee11cbb19052e40b07aac0ca060c23ee" authorities="ROLE_USER" />
</security:user-service>
<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="classpath:messages">
</property>
<property name="defaultEncoding" value="UTF-8">
</property>
</bean>
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang">
</property>
</bean>
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.CookieLocaleResolver">
<property name="defaultLocale" value="pt">
</property>
</bean>
</beans>
还有一个基本的主页控制器,returns 带有 sitemesh 的视图:
@Controller
@RequestMapping(value = "/")
public class HomeController {
@RequestMapping(method=RequestMethod.GET)
public String index()
{
return "home/index";
}
}
这适用于登录。如果我访问 localhost/portal,我将被重定向到 spring 的默认登录页面,然后我将被重定向到“/”。问题是这里 URL:
<a href="<c:url value="/logout" />">Logout</a>
生成 404 和此错误:
17:06:43,657 WARN [org.springframework.web.servlet.PageNotFound](默认任务 27)在名称为 'springServlet'[= 的 DispatcherServlet 中找不到带有 URI [/Portal/logout] 的 HTTP 请求的映射17=]
无论我是否更改注销-url,这都是一样的。
我怀疑过滤器和 spring servlet 之间有些不兼容,但我不知所措。
你能帮忙吗?
我正在使用 spring-security 4.0.1
谢谢!
更改注销。 像这样。
<a href='<c:url value="/j_spring_security_logout" />'>
我只需要使用一个表单来执行注销。像这样:
<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
<input type="submit" value="Log out" />
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
这是因为 spring-security 的 CSRF 是默认启用的,注销必须通过 POST 使用 CSRF 令牌执行。