为什么 Spring Security 不起作用? [英] Why is Spring Security not working?

问题描述

我正在尝试将 Spring Security 集成到我的项目中.

我遵循了此处给出的文档:https://spring.io/guides/gs/securing-web/>

我没有使用 Spring Boot，而是使用 XML 配置了所有内容.

我的 web.xml 是:

<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class></监听器><小服务程序><servlet-name>调度程序</servlet-name><servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class><启动时加载>1</启动时加载></servlet><servlet-mapping><servlet-name>默认</servlet-name><url-pattern>*.css</url-pattern></servlet-mapping><servlet-mapping><servlet-name>默认</servlet-name><url-pattern>*.js</url-pattern></servlet-mapping><servlet-mapping><servlet-name>调度程序</servlet-name><url-pattern>/</url-pattern></servlet-mapping>

dispatcher-servlet.xml:

<bean id="解析器"class="org.springframework.web.servlet.view.InternalResourceViewResolver"><属性名称=视图类"value="org.springframework.web.servlet.view.JstlView"/><property name="prefix" value="/WEB-INF/"/><property name="suffix" value=".jsp"/></bean>

我的视图控制器是:

@Controller公共类 HomeController{@RequestMapping(value={"/", "/home"}, method = RequestMethod.GET)公共 ModelAndView 家(){ModelAndView 模型 = new ModelAndView("home");退货模式；}@RequestMapping(value={"/hello"}, method = RequestMethod.GET)公共 ModelAndView hello() {ModelAndView 模型 = new ModelAndView("你好");退货模式；}@RequestMapping(value={"/login"}, method = RequestMethod.GET)公共 ModelAndView 登录(){ModelAndView 模型 = new ModelAndView("登录");退货模式；}}

我的安全类:

@Configuration@启用网络安全公共类 WebSecurityConfig 扩展了 WebSecurityConfigurerAdapter {@覆盖protected void configure(HttpSecurity http) 抛出异常 {http.authorizeRequests().antMatchers("/", "/home").permitAll().anyRequest().authenticated().和().formLogin().loginPage("/登录").permitAll().和().登出().permitAll();}@自动连线public void configureGlobal(AuthenticationManagerBuilder auth) 抛出异常 {授权.inMemoryAuthentication().withUser("user").password("password").roles("USER");}}

但是，我可以访问所有页面，/、/home、/hello、/login.

我不希望用户直接访问/hello，而不进入/login.

我做错了什么?

解决方案

我遇到了同样的问题.

我的解决方案在 Craig Walls p247 的Spring in action"一书中提到.您需要创建一个扩展 AbstractSecurityWebApplicationInitializer 的空类.

public class SecurityWebInitializer 扩展 AbstractSecurityWebApplicationInitializer {}

I am trying to integrate Spring Security in my project.

I have followed the documentation given here: https://spring.io/guides/gs/securing-web/

Instead of Spring Boot, I have configured everything using XML.

My web.xml is:

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>*.css</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>*.js</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

dispatcher-servlet.xml:

<context:component-scan base-package="com.name.ot" />

<bean id="resolver"
    class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="viewClass"
        value="org.springframework.web.servlet.view.JstlView" />
    <property name="prefix" value="/WEB-INF/" />
    <property name="suffix" value=".jsp" />
</bean>

And my view controller is:

@Controller
public class HomeController{

    @RequestMapping(value={"/", "/home"}, method = RequestMethod.GET)
    public ModelAndView home() {

        ModelAndView model = new ModelAndView("home");
        return model;
    }

    @RequestMapping(value={"/hello"}, method = RequestMethod.GET)
    public ModelAndView hello() {

        ModelAndView model = new ModelAndView("hello");
        return model;
    }

    @RequestMapping(value={"/login"}, method = RequestMethod.GET)
    public ModelAndView login() {

        ModelAndView model = new ModelAndView("login");
        return model;
    }
}

My security class:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}

But, I am able to access all the pages, /, /home, /hello, /login.

I don't want the user to directly access /hello, without going in /login.

What am I doing wrong?

解决方案

I had the same issue.

My solution is as mentioned in the "Spring in action" book by Craig Walls p247. You need to create an empty class that extends AbstractSecurityWebApplicationInitializer.

public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {}

这篇关于为什么 Spring Security 不起作用?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！