Spring Security 3.1.0 - Cannot switch from HTTPS to HTTP

Problem description

I am new to Spring Security, so I made a small webapp in order to try it and find a configuration that will be useful for the project I am working on. I am forcing my login page to be accessed via HTTPS, and I need to switch back to HTTP after logging in. In other words:


  • Login page: HTTPS only

  • Other pages: HTTP only

I tried several ways but I cannot make it work as I said above. I read the Spring Security FAQ and I see that there is no "natural" way of doing what I want, but I have been asked to do so, hence I need a workaround which I cannot find by myself.

I am using Spring Security 3.1.0. My web container is Tomcat 6.0.33.

This is my Spring Security configuration:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:sec="http://www.springframework.org/schema/security"
    xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <sec:http auto-config="true" use-expressions="true">

        <sec:intercept-url pattern="/log*.htm" access="anonymous"
            requires-channel="https" />
        <sec:intercept-url pattern="/admin/**" access="hasRole('admin')"
            requires-channel="http" />
        <sec:intercept-url pattern="/**"
            requires-channel="http" access="hasRole('authenticated')" />

        <sec:form-login login-page="/login.htm"
            default-target-url="/index.htm" authentication-failure-url="/login.htm?error=true"
            always-use-default-target="true" />
        <sec:logout logout-url="/logout.htm" delete-cookies="JSESSIONID" invalidate-session="true" />
        <sec:anonymous/>
        <sec:remember-me use-secure-cookie="true" />
    </sec:http>

    <sec:authentication-manager>
        <sec:authentication-provider>
            <sec:user-service>
                <sec:user name="johnny" password="johnny" authorities="authenticated, admin" />
                <sec:user name="charlie" password="charlie"
                    authorities="authenticated" />
            </sec:user-service>
        </sec:authentication-provider>
    </sec:authentication-manager>

</beans>

Any help will be appreciated. Thanks in advance!

Accepted answer

The workaround I found for this problem is disabling Spring Security's default session fixation protection. I had to add a "session-management" element to the XML configuration I first described.

<sec:http auto-config="true">

    <!-- ... -->

    <sec:session-management session-fixation-protection="none"/>

    <!-- ... -->
</sec:http>

In addition to this, the URL we have to provide as the "application URL" is not the login URL but the Home Page URL, e.g. NOT http://myapp/login.htm BUT http://myapp/index.htm. Doing so, if the user is logged in or has a remember-me cookie, they will be able to enter without problem and the browser keeps using HTTP protocol. If not, the user is redirected to the login page using HTTPS, and after a successful login the browser switches back to HTTP correctly. Please take this into account, because if you write (or click) the login URL directly, HTTPS will be maintained all the time.
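The answer above reports what works (session-fixation-protection="none", and entering the application through the HTTP home page rather than the HTTPS login page) without spelling out why. The following is an added illustration, not code from the question, the answer or Spring Security itself. It models two behaviours assumed here from the container and framework defaults: the servlet container marks the JSESSIONID cookie Secure when the session was created on an HTTPS request (assumed Tomcat behaviour), and Spring Security's default session-fixation protection (migrateSession) replaces the session, and therefore the cookie, at the moment of authentication. A browser never sends a Secure cookie over plain HTTP, so a session whose cookie was issued during the HTTPS login is invisible on the HTTP pages. The Container, Browser and post_login_http_works names are hypothetical; the flows are constructed to mirror the three cases the answer describes.

```python
"""Model of why a Spring Security login over HTTPS can "lose" its session
when the application then switches back to HTTP.

Added illustration (hypothetical model, not Spring Security or Tomcat code).
Assumed rules:
  * the container issues JSESSIONID with the Secure attribute iff the session
    was created on an HTTPS request (assumed Tomcat behaviour);
  * session-fixation protection "migrateSession" (the framework default)
    invalidates the session and creates a new one when the user authenticates.
"""
from dataclasses import dataclass
import itertools


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool


class Browser:
    """Minimal cookie jar that honours the Secure attribute (RFC 6265, 5.4)."""

    def __init__(self):
        self.jar = {}

    def store(self, cookie):
        self.jar[cookie.name] = cookie

    def cookies_for(self, scheme):
        # Secure cookies are attached only to https:// requests.
        return {c.name: c.value for c in self.jar.values()
                if not c.secure or scheme == "https"}


class Container:
    """Servlet-container side: session store plus JSESSIONID issuing rules."""

    def __init__(self, session_fixation_protection):
        self.sessions = {}                              # session id -> attributes
        self.ids = itertools.count(1)
        self.protection = session_fixation_protection   # "migrateSession" or "none"

    def _new_session(self, scheme, attrs=None):
        sid = f"S{next(self.ids)}"
        self.sessions[sid] = dict(attrs or {})
        # Assumed container rule: the cookie is Secure iff created over HTTPS.
        return sid, Cookie("JSESSIONID", sid, secure=(scheme == "https"))

    def request(self, browser, scheme, path, user=None):
        """Handle one request; return True if it was served as authenticated."""
        sid = browser.cookies_for(scheme).get("JSESSIONID")
        if sid not in self.sessions:
            # No usable cookie arrived: the container starts a fresh session.
            sid, cookie = self._new_session(scheme)
            browser.store(cookie)
        session = self.sessions[sid]

        if path == "/j_spring_security_check":
            # Successful form login.
            if self.protection == "migrateSession":
                # Default: drop the old session, copy attributes to a new one,
                # which also re-issues the cookie under the current scheme.
                attrs = self.sessions.pop(sid)
                sid, cookie = self._new_session(scheme, attrs)
                browser.store(cookie)
                session = self.sessions[sid]
            session["user"] = user
            return True
        return "user" in session


def post_login_http_works(session_fixation_protection, entry_scheme):
    """Visit the entry page, log in over HTTPS, then request an HTTP page.

    Returns True if the HTTP page after login still sees the authenticated
    session, i.e. the switch back to HTTP succeeded.
    """
    browser = Browser()
    app = Container(session_fixation_protection)
    app.request(browser, entry_scheme, "/index.htm")                 # entry point
    app.request(browser, "https", "/login.htm")                       # login page
    app.request(browser, "https", "/j_spring_security_check", user="johnny")
    return app.request(browser, "http", "/index.htm")                 # back on HTTP


if __name__ == "__main__":
    # Default protection, entering via HTTP: the migrated cookie is Secure -> session lost.
    print("migrateSession, entry http :", post_login_http_works("migrateSession", "http"))
    # The answer's workaround: the HTTP-issued cookie survives login.
    print("none,           entry http :", post_login_http_works("none", "http"))
    # The answer's caveat: going straight to the HTTPS login page keeps you on HTTPS.
    print("none,           entry https:", post_login_http_works("none", "https"))
```

The three calls reproduce the answer's observations: with the default protection the post-login HTTP request arrives without a session cookie and is treated as anonymous (hence the redirect back to the HTTPS login page), with protection disabled the original HTTP-issued cookie keeps working, and entering through the HTTPS login URL directly issues a Secure cookie from the start, so the application never comes back to HTTP. The trade-off of the workaround is that the session id is no longer rotated at login, which is what session-fixation protection exists to do; serving the whole application over HTTPS sidesteps the cookie-scope problem without giving that up.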
