Spring security login-processing-url抛出405请求方法POST不支持 [英] Spring security login-processing-url throws 405 request method POST not supported

问题描述

我在 spring 3.2.0 项目中使用 spring security 3.1.3.我使用 spring security 为我的安全配置了两个入口点.这个想法是有一个像/enterprise_login 这样的网址，企业用户应该在其中登录，而其他像/login 这样的网址，普通用户可以在其中进行登录操作.在我的安全配置中，我有下一个代码

i'm working with spring security 3.1.3 in a spring 3.2.0 project. I've configured two entry points for my security using spring security. The idea is to have a url like /enterprise_login where enterprise users should log in and other url like /login where normal users do their log in action. In my security configuration i've the next code

<security:global-method-security jsr250-annotations="enabled" pre-post-annotations="enabled" secured-annotations="enabled" />

<security:http pattern="/enterprise/**" auto-config="false" use-expressions="true" authentication-manager-ref="autenticationManagerUserEnterprise">
    <security:intercept-url pattern="/enterprise/**" access="hasRole('ROLE_ENTERPRISE')" />
    <security:intercept-url pattern="/enterprise_login" access="isAnonymous()" />
    <security:form-login login-page="/enterprise_login" default-target-url="/" authentication-failure-url="/empresas_login_error" login-processing-url="/enterprise_login_process" />
    <security:logout logout-success-url="/" delete-cookies="JSESSIONID"/>
    <security:remember-me user-service-ref="enterpriseAuthenticationProvider"/>
    <security:session-management invalid-session-url="/">
        <security:concurrency-control max-sessions="2" error-if-maximum-exceeded="true" />
    </security:session-management>
</security:http>

<security:http pattern="/**" auto-config="false" use-expressions="true" authentication-manager-ref="autenticationManagerUser">
    <security:intercept-url pattern="/**" access="permitAll" />
    <security:form-login login-page="/login" default-target-url="/" authentication-failure-url="/login_error" />
    <security:logout logout-success-url="/" delete-cookies="JSESSIONID"/>
    <security:remember-me user-service-ref="UserAuthenticationProvider"/>
    <security:session-management invalid-session-url="/">
        <security:concurrency-control max-sessions="2" error-if-maximum-exceeded="true" />
    </security:session-management>
</security:http>

<security:authentication-manager id="autenticationManagerUserEnterprise">
    <security:authentication-provider user-service-ref="enterpriseAuthenticationProvider">
        <security:password-encoder hash="plaintext"></security:password-encoder>
    </security:authentication-provider>
</security:authentication-manager>

<security:authentication-manager id="autenticationManagerUser">
    <security:authentication-provider user-service-ref="UserAuthenticationProvider">
        <security:password-encoder hash="plaintext"></security:password-encoder>
    </security:authentication-provider>
</security:authentication-manager>

<bean id="enterpriseAuthenticationProvider" class="com.test.security.enterpriseAuthenticationProvider"></bean>
<bean id="UserAuthenticationProvider" class="com.test.security.UserDetailsServiceImp"></bean>

然后，当我转到/enterprise_login 表单并提交登录数据时，我在 url/enterprise_login_process(该 url 配置为充当登录处理-url.我不知道问题出在哪里，非常感谢任何帮助.

Then when I go to /enterprise_login form and submit the login data I get a "HTTP 405 - Request method 'POST' not supported" throwed by tomcat in the url /enterprise_login_process (the url configured to act as login-processing-url. I can't figure out where the problem is, any help is really appreciated.

PD:我的 web.xml 看起来像:

PD: My web.xml looks like:

<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

<display-name>AT-2</display-name>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-config.xml
    </param-value>
</context-param>

<context-param>
    <param-name>webAppRootKey</param-name>
    <param-value>tutorial.root</param-value>
</context-param>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring-config.xml</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

推荐答案

问题是第一个配置目前只匹配以/enterprise/"开头的 URL，并且处理身份验证的 URL 被配置为/enterprise_login_process".这意味着向/enterprise_login_process"提交 POST 将提交到不尝试对/enterprise_login_process"进行身份验证的第二个配置.

The issue is that the first configuration currently only matches on URLs that start with "/enterprise/" and the URL to process authentication is configured as "/enterprise_login_process". This means that submitting a POST to "/enterprise_login_process" will submit to the second configuration which is not trying to authenticate "/enterprise_login_process".

要解决此问题，您需要确保 http@pattern 和 login-processing-url 对齐.例如:

To fix this you need to ensure the http@pattern and the login-processing-url are aligned. For example:

<security:http pattern="/enterprise/**" 
      auto-config="false" 
      use-expressions="true" 
      authentication-manager-ref="autenticationManagerUserEnterprise">
    <security:intercept-url pattern="/enterprise/login" 
          access="isAnonymous()" />
    <security:intercept-url pattern="/**" 
          access="hasRole('ROLE_ENTERPRISE')" />
    <security:form-login login-page="/enterprise/login" 
          default-target-url="/" 
          authentication-failure-url="/enterprise/login?error" 
          login-processing-url="/enterprise/login_process" />
    <security:logout logout-success-url="/" 
          delete-cookies="JSESSIONID"/>
    <security:remember-me 
          user-service-ref="enterpriseAuthenticationProvider"/>
    <security:session-management invalid-session-url="/">
        <security:concurrency-control max-sessions="2" 
              error-if-maximum-exceeded="true" />
    </security:session-management>
</security:http>

您会发现我修改了代码以确保块中的所有 URL 都以/enterprise/"开头.这也意味着您需要确保您的企业登录表单更新为 POST 到/enterprise/login_process".

You will observe that I modified the code to ensure all URLs within the block start with "/enterprise/". This also means that you will need to ensure that your login form for enterprise is updated to POST to "/enterprise/login_process".

这篇关于Spring security login-processing-url抛出405请求方法POST不支持的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！