Unexpected redirect to login page after successful login

Problem description

I'm using Spring to handle security in my JSF application. I have a login page at /login and I've configured Spring like this:

<http authentication-manager-ref="authenticationManager">
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/admin" access="ROLE_ADMIN" />
    <intercept-url pattern="/javax.faces.resource/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" />
    <form-login login-page="/login" authentication-failure-url="/login" />
    <logout logout-url="/logout" />
</http>

I want the admin page at /admin to be available only for users with the ROLE_ADMIN role. Users with ROLE_ADMIN or ROLE_USER may access pages starting from the application root.

When I log in with a user having either role, I see the page you should see after login. However, whatever my next action may be, I get redirected to /login as if I'm not logged in. Can someone please explain this, as I've been trying to get this thing to work for a day now? I've been reading the Spring 3.1.x documentation, but it doesn't give me a clue about how to solve the problem. I'm running Spring 3.1.1.Release, by the way.

Extra bonus info: the page you should see after login has an element that should only render if the user has ROLE_ADMIN. I can see that element after login. The problems began when I implemented PrettyFaces. I've searched the web for common problems and only came up with the advice that the PrettyFaces filter should appear after the Spring Security filter. This is the case, so it should work, right?

UPDATE: I've updated my config to use expressions. However the problem still exists.

<http authentication-manager-ref="authenticationManager" use-expressions="true">
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/javax.faces.resource/**" access="permitAll" />
    <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
    <form-login login-page="/login" authentication-failure-url="/login" />
    <logout logout-url="/logout" />
</http>

Output in Firebug's console just after login (the page tries an AJAX call):

Recommended answer

First, always debug Spring Security when having problems (add log4j.logger.org.springframework.security=DEBUG).

Second, I think that you wanted hasAnyRole:

<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />

plus use-expressions="true" on http:

<http authentication-manager-ref="authenticationManager" use-expressions="true">

to allow ROLE_ADMIN xor ROLE_USER users to access page. In your current config user must have both roles to access /**.
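
As an added example (a simplified Python model written for this page, not Spring Security's code and not the poster's), the following evaluates the rules of the UPDATE configuration in declaration order, first match wins. It shows that a request arriving without an authenticated session is redirected to /login while a logged-in user lacking the role gets a 403, and that the exact pattern /admin does not cover /admin/users. The function names and the reduced Ant matching (exact patterns and a trailing /** only) are assumptions of the example.

```python
import re

# Rules from the question's UPDATE configuration, in declaration order.
RULES = [
    ("/login", "permitAll"),
    ("/admin", "hasRole('ROLE_ADMIN')"),
    ("/javax.faces.resource/**", "permitAll"),
    ("/**", "hasAnyRole('ROLE_ADMIN','ROLE_USER')"),
]
LOGIN_PAGE = "/login"  # form-login login-page


def matches(pattern, path):
    """Simplified Ant matching (assumption): exact patterns and a trailing '/**'."""
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def permitted(expression, roles):
    """Evaluate the three expression forms used in the configuration."""
    if expression == "permitAll":
        return True
    wanted = set(re.findall(r"'([^']+)'", expression))
    # hasRole / hasAnyRole: holding any one listed role is enough
    return roles is not None and bool(wanted & roles)


def first_match(path):
    """Return the first rule whose pattern matches; later rules are ignored."""
    for pattern, expression in RULES:
        if matches(pattern, path):
            return pattern, expression
    return None


def decide(path, roles):
    """roles=None models a request that carries no authenticated session."""
    pattern, expression = first_match(path)  # '/**' guarantees a match
    if permitted(expression, roles):
        return "allow"
    # Anonymous callers are sent to the login page; authenticated ones get 403
    return "redirect:" + LOGIN_PAGE if roles is None else "403"


if __name__ == "__main__":
    for path, roles in [("/home", {"ROLE_USER"}), ("/home", None),
                        ("/admin", {"ROLE_USER"}), ("/admin/users", {"ROLE_USER"})]:
        print(path, roles, first_match(path)[0], decide(path, roles))
```

If everything under /admin is meant to be restricted, a pattern such as /admin/** placed before /** closes the fall-through that the last sample request shows.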
