Infinite loop using Spring Security - Login page is protected even though it should allow anonymous access


Problem description

I have a Spring application (Spring version 2.5.6.SEC01, Spring Security version 2.0.5) with the following setup:

web.xml

<welcome-file-list>
  <welcome-file>
    index.jsp
  </welcome-file>
</welcome-file-list>

The index.jsp page is in the WebContent directory and simply contains a redirect:

<c:redirect url="/login.htm"/>

In the appname-servlet.xml, there is a view resolver to point to the jsp pages in WEB-INF/jsp

<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
  <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
  <property name="prefix" value="/WEB-INF/jsp/" />
  <property name="suffix" value=".jsp" />
</bean>

In the security-config.xml file, I have the following configuration:

<http>
  <!-- Restrict URLs based on role -->
  <intercept-url pattern="/WEB-INF/jsp/login.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/header.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/footer.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/logoutSuccess*" access="ROLE_ANONYMOUS" />

  <intercept-url pattern="/css/**" filters="none" />
  <intercept-url pattern="/images/**" filters="none" />
  <intercept-url pattern="/**" access="ROLE_ANONYMOUS" />

  <form-login login-page="/login.jsp"/>
</http>

<authentication-provider>
    <jdbc-user-service data-source-ref="dataSource" />
</authentication-provider>

However, I can't even navigate to the login page and get the following error in the log:

WARNING: The login page is being protected by the filter chain, but you don't appear to have anonymous authentication enabled. This is almost certainly an error.

I've tried changing the ROLE_ANONYMOUS to IS_AUTHENTICATED_ANONYMOUSLY, changing the login-page to index.jsp, login.htm, and adding different intercept-url values, but I can't get it so the login page is accessible and security applies to the other pages. What do I have to change to avoid this loop?

Recommended answer

The problem was that I was missing the

<anonymous />

tag in the http section of the security-config.xml file so I wasn't able to get to the login page anonymously. Once I added this, I was able to get to the login page and authenticate.
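The condition behind the logged warning can be checked before deployment. The script below is an added example, not part of the original question or answer: `audit_http`, `ant_to_regex` and `local` are hypothetical helpers, and it assumes simplified Ant-style matching, first-match-wins rule order, and that `auto-config="true"` also enables anonymous authentication in Spring Security 2.0.

```python
import re
import xml.etree.ElementTree as ET

ANON = {"ROLE_ANONYMOUS", "IS_AUTHENTICATED_ANONYMOUSLY"}

def ant_to_regex(pattern):
    """Simplified Ant-path matcher (assumption): ** = anything, * = anything except '/'."""
    out = ""
    for tok in re.split(r"(\*\*|\*|\?)", pattern.lower()):
        out += {"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(tok, re.escape(tok))
    return re.compile(out + r"\Z")

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace qualifier, if present

def audit_http(xml_text):
    """Return findings about the login page for a Spring Security 2.0-style <http> block."""
    http = next(e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "http")
    kids = {local(c.tag): c for c in http if local(c.tag) != "intercept-url"}
    rules = [c for c in http if local(c.tag) == "intercept-url"]
    anon_enabled = "anonymous" in kids or http.get("auto-config") == "true"
    login_page = kids["form-login"].get("login-page") if "form-login" in kids else None
    if login_page is None:
        return []
    # intercept-url rules are evaluated top to bottom; the first match decides.
    rule = next((r for r in rules if ant_to_regex(r.get("pattern")).match(login_page.lower())), None)
    if rule is None or rule.get("filters") == "none":
        return []  # no access rule applies to the login page
    roles = {a.strip() for a in rule.get("access", "").split(",")}
    if not roles & ANON:
        return ["login page requires an authenticated role: redirect loop"]
    if not anon_enabled:
        return ["login page allows anonymous access but <anonymous/> is not enabled"]
    return []

# Condensed from the question's security-config.xml (constructed sample input).
BROKEN = """<http>
  <intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/css/**" filters="none" />
  <intercept-url pattern="/**" access="ROLE_ANONYMOUS" />
  <form-login login-page="/login.jsp"/>
</http>"""
FIXED = BROKEN.replace("</http>", "  <anonymous />\n</http>")  # the answer's fix

if __name__ == "__main__":
    for name, cfg in (("question", BROKEN), ("answer", FIXED)):
        print(name, audit_http(cfg) or "ok")
```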
