不允许使用 Spring Security j_spring_security_check 的 Spring Boot [英] Spring boot with Spring Security j_spring_security_check not allowed

问题描述

我的 Spring 安全配置

My Spring Security Config

@Configuration
@EnableWebSecurity
@ComponentScan({"org.app.genesis.client.auth"})
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationProvider customAuthProvider;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(customAuthProvider);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .and()
            .formLogin().loginPage("/").failureUrl("/?error")
            .and()
            .logout().logoutSuccessUrl("/?logout")
            .and()
            .csrf();
    }
}

我的 application.properties

my application.properties

spring.view.prefix: /WEB-INF/jsp/
spring.view.suffix: .jsp
security.basic.enabled=false
logging.level.org.springframework.security=INFO

我的 Spring 启动配置

my Spring boot configuration

@SpringBootApplication
@ComponentScan({"org.app.genesis.client.controller","org.app.genesis.commons.service",
    "org.app.genesis.commons.security","org.app.genesis.inventory.service","org.app.genesis.client.auth"})
@EnableJpaRepositories(basePackages = "org.app.genesis.*.repo")
@EntityScan(basePackages = "org.app.genesis.*.model")
public class Application extends SpringBootServletInitializer {

    public static void main(String[] args) {
        ApplicationContext ctx = SpringApplication.run(Application.class, args);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(Application.class);
    }

}

我的 pom.xml 的要点

A Gist of my pom.xml

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-tomcat</artifactId>
    <scope>provided</scope>
</dependency>
<!-- Spring Framework Dependencies -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-actuator</artifactId>
</dependency>
<dependency>
    <groupId>org.apache.tomcat.embed</groupId>
    <artifactId>tomcat-embed-jasper</artifactId>
    <scope>provided</scope>
</dependency>
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
    <scope>provided</scope>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

登录表单

<form class="form-signin"name="f" action="${pageContext.request.contextPath}/j_spring_security_check" method="POST">
            <fieldset>
                    <input class="form-control form-group" type="text" name="j_username" placeholder="Username">
                    <input class="form-control" type="password" name="j_password" placeholder="Password" >
                    <a class="forgot pull-right" href="#">Forgot password?</a>
                    <button name="submit" class="btn btn-block btn-primary" type="submit">Sign in</button>
            </fieldset>
        </form>

生成页面的控制器

@RequestMapping(value="/")
public String index() {
    return "index";
}

但是登录后显示这个错误

However upon logging in this error shows

我正在尝试在注释上迁移我现有的 security.xml 配置.但是会弹出上述错误.这是我的 security.xml

I am trying to migrate my existing security.xml configuration on annotation. but however the said error pops up. here is my security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd
           http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context.xsd">

    <context:component-scan base-package="org.brightworks.genesis.client.auth"/>

    <http pattern="/resources/**" security="none"/>
    <http pattern="/index.jsp" security="none"/>

    <http>
        <intercept-url pattern="/api/*" requires-channel="https"/>
        <!--TODO Add RESOURCE PATTERN checker -->
        <form-login login-page="/index.jsp" default-target-url="/dashboard"/>
        <logout />
    </http>

    <!-- Test Login values -->
    <authentication-manager>
        <!--use inMemoryUserDetailsService for faux auth -->
        <authentication-provider ref="customAuthenticationProvider"/>
    </authentication-manager>
</beans:beans>

以防万一你们需要查看包结构

Just in case you guys need to see the package structure

我是否遗漏了配置中的任何内容?

Have I missed anything in the configurations?

推荐答案

从下面的链接中，您可以看到注解 java config 的内容如下

From the below link, you can see that for annotation java config the following things hold

http://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security/

1. GET/login 呈现登录页面而不是/spring_security_login

POST/login 验证用户而不是/j_spring_security_check

您需要进行以下更改才能使您的安全工作.

You need to make the following changes to get your security working.

按如下方式更改您的 spring 安全配置

    @Override
    protected void configure(HttpSecurity http) throws Exception {  http
        .authorizeRequests()
            .antMatchers("/login").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login/")
            .loginProcessingUrl("/login")
            .failureUrl("/login?error")
            .permitAll();
    }

您的 JSP 应该是(j_spring_security_check 替换为登录名，j_username 替换为用户名)

<form class="form-signin"name="f" action="${pageContext.request.contextPath}/login" method="POST">
            <fieldset>
                    <input class="form-control form-group" type="text" name="username" placeholder="Username">
                    <input class="form-control" type="password" name="password" placeholder="Password" >
                    <a class="forgot pull-right" href="#">Forgot password?</a>
                    <button name="submit" class="btn btn-block btn-primary" type="submit">Sign in</button>
            </fieldset>
        </form>

要将仪表板指定为默认目标 URL，您可以执行以下操作.

@Override
public void addViewControllers(ViewControllerRegistry registry) {
    registry.addViewController("/login").setViewName("login");
    registry.addViewController("/").setViewName("dashboard");
    registry.addViewController("/dashboard").setViewName("dashboard");
}

这篇关于不允许使用 Spring Security j_spring_security_check 的 Spring Boot的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！