java Spring mvc/security:从Spring security中排除登录页面
我正在使用spring mvc+security构建一个简单的web应用程序,目前登录时出现问题。如果我想保护/**(基本上所有内容),我无法将登录页面从spring安全性中排除。我的配置是这样的:
春天。安全xml
<http pattern="/login" security="none"/>
<http pattern="/view_register.htm" security="none"/>
<http>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login" default-target-url="/game" authentication-failure-url="/failedlogin" />
<logout logout-success-url="/login" />
</http>
LoginController
@Controller
public class LoginLogoutController {
@RequestMapping(value="/login", method = RequestMethod.GET)
public String login(ModelMap model) {
return "login";
}
@RequestMapping(value="/failedlogin", method = RequestMethod.GET)
public String loginerror(ModelMap model) {
model.addAttribute("error", "true");
return "login";
}
}
登录。jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Login Page</title>
<style>
.errorblock {
color: #ff0000;
background-color: #ffEEEE;
border: 3px solid #ff0000;
padding: 8px;
margin: 16px;
}
</style>
</head>
<body onload='document.f.j_username.focus();'>
<h3>Login with Username and Password (Custom Page)</h3>
<c:if test="${not empty error}">
<div class="errorblock">
Your login attempt was not successful, try again.<br /> Caused :
${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
</div>
</c:if>
<form name='f' action="<c:url value='j_spring_security_check' />"
method='POST'>
<table>
<tr>
<td>User:</td>
<td><input type='text' name='j_username' value=''>
</td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='j_password' />
</td>
</tr>
<tr>
<td colspan='2'><input name="submit" type="submit"
value="submit" />
</td>
</tr>
<tr>
<td>Don't have an account yet.</td>
<td> <a href="<c:url value="view_register.htm" />" > Register here</a>
</td>
</tr>
</table>
</form>
</body>
</html>
我想保护整个应用程序,并排除登录和注册页面。在我当前的配置下,整个安全性表现得非常糟糕。如果我输入了错误的凭证
@RequestMapping(value="/login", method = RequestMethod.GET)
public String login(ModelMap model) {
如果输入正确的用户名/通过,则调用登录失败的控制器方法
发现如果我修改了
<intercept-url pattern="/**" access="ROLE_USER" />
到
<intercept-url pattern="/game*" access="ROLE_USER" />
并移除
<http pattern="/login" security="none"/>
一切正常。这很奇怪,我真的不明白为什么会发生这种事
编辑
刚刚创建了我的示例项目(maven)的一个小版本,并上传到: fileswap。 任何帮助或建议都会很酷,因为我仍然很困惑
共 (0) 个答案