端口8443上通过ssl的java Spring安全登录在使用http协议的端口8080上无法识别
我在试图保护我的登录表单时遇到了一种奇怪的行为
我的应用程序基于Spring框架和Spring Security开发,部署在Tomcat服务器上。只要使用http,一切都可以正常工作;但当我通过https的8443端口访问登录页面时,在成功登录并被重定向到 http://localhost:8080/mens/index 之后,我又会被重定向回登录页面 https://localhost:8443/mens/login.html
这是我的 Spring Security 配置 XML 的一部分:
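<!--
  URL access rules, session handling, response headers and form login
  (SpEL access expressions enabled through use-expressions).
  Every rule that needs a logged-in user is pinned to HTTPS, the same channel as
  the login page. The session is re-created during the HTTPS login, and Tomcat
  flags a session cookie issued on an HTTPS request as Secure, so the browser does
  not send it on plain HTTP; an HTTP request for /index then arrives without a
  session and is bounced back to the login page. Staying on HTTPS also keeps the
  session id from travelling in clear text.
-->
<http auto-config="true" use-expressions="true">
  <custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter"/>

  <!-- Only supervisors may switch to another user; kept on HTTPS with the session. -->
  <intercept-url pattern="/j_spring_security_switch_user"
                 access="hasRole('ROLE_SUPERVISOR')"
                 requires-channel="https"/>

  <!-- A new session is started at login; at most 10 sessions per user, extra logins are refused. -->
  <session-management invalid-session-url="/login.html?invalidSession=1"
                      session-fixation-protection="newSession">
    <concurrency-control max-sessions="10" error-if-maximum-exceeded="true"/>
  </session-management>

  <!-- Login page: anonymous users only, always over HTTPS. -->
  <intercept-url pattern="/login.html" access="hasRole('ROLE_ANONYMOUS')" requires-channel="https"/>
  <!-- Static resources are public and may be fetched on either channel. -->
  <intercept-url pattern="/resources/**" access="permitAll" requires-channel="any"/>
  <!--
    Authenticated areas: HTTPS, so the Secure session cookie is sent with the request.
    NOTE(review): as an Ant pattern "/admin**" looks like it matches a single path
    segment only; confirm that sub-paths such as /admin/... are covered, because
    there is no catch-all rule after these entries.
  -->
  <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
  <intercept-url pattern="/rest/**" access="hasRole('ROLE_USER')" requires-channel="https"/>
  <intercept-url pattern="/index" access="hasRole('ROLE_USER')" requires-channel="https"/>
  <intercept-url pattern="/upload/**" access="hasRole('ROLE_USER')" requires-channel="https"/>

  <!--
    NOTE(review): block="false" drops the mode=block part of X-XSS-Protection and
    frame-options disabled="true" removes X-Frame-Options, so pages can be framed by
    other origins. Confirm both relaxations are intentional.
  -->
  <headers>
    <xss-protection block="false"/>
    <frame-options disabled="true"/>
    <cache-control/>
  </headers>

  <!-- access denied page -->
  <access-denied-handler error-page="/403"/>

  <!-- The target URL is relative, so the redirect after login stays on the HTTPS channel. -->
  <form-login
      login-page="/login.html"
      default-target-url="/index"
      always-use-default-target="true"
      authentication-failure-url="/login.html?error=1"
      username-parameter="username"
      password-parameter="password"/>

  <!--
    NOTE(review): invalidate-session="false" keeps the server-side session alive
    after logout; only the JSESSIONID cookie is removed in the browser. Confirm
    this is intended.
  -->
  <logout logout-success-url="/login.html?logout=1" invalidate-session="false" delete-cookies="JSESSIONID"/>

  <!-- CSRF protection: keep the line below commented out, enabling it would switch the protection off. -->
  <!-- <csrf disabled="true" /> -->
</http>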
或者,我尝试使用channelProcessingFilter代替requires-channel属性:
<!--
  Variant without requires-channel attributes: the channel (HTTP or HTTPS) for
  each URL is decided by the custom channelProcessingFilter bean plugged in at
  the CHANNEL_FILTER position. The rules below only decide who may access what.
-->
<http auto-config="true" use-expressions="true">
  <custom-filter position="CHANNEL_FILTER" ref="channelProcessingFilter" />
  <custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter"/>

  <!-- Switching to another user is reserved for supervisors. -->
  <intercept-url pattern="/j_spring_security_switch_user"
                 access="hasRole('ROLE_SUPERVISOR')" />

  <!-- New session at login; up to 10 sessions per user, further logins are refused. -->
  <session-management invalid-session-url="/login.html?invalidSession=1"
                      session-fixation-protection="newSession">
    <concurrency-control max-sessions="10" error-if-maximum-exceeded="true" />
  </session-management>

  <!-- Login page for anonymous users, public static resources, then role-protected areas. -->
  <intercept-url pattern="/login.html" access="hasRole('ROLE_ANONYMOUS')" />
  <intercept-url pattern="/resources/**" access="permitAll" />
  <!-- NOTE(review): no catch-all rule follows; URLs not listed here carry no access rule. -->
  <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
  <intercept-url pattern="/rest/**" access="hasRole('ROLE_USER')" />
  <intercept-url pattern="/index" access="hasRole('ROLE_USER')" />
  <intercept-url pattern="/upload/**" access="hasRole('ROLE_USER')" />

  <!--
    NOTE(review): X-XSS-Protection is sent without mode=block and X-Frame-Options
    is switched off, which allows framing by other origins. Confirm this is wanted.
  -->
  <headers>
    <xss-protection block="false" />
    <frame-options disabled="true" />
    <cache-control />
  </headers>

  <!-- Page shown when access is denied. -->
  <access-denied-handler error-page="/403"/>

  <!-- Form login: always lands on /index after a successful authentication. -->
  <form-login login-page="/login.html"
              default-target-url="/index"
              always-use-default-target="true"
              authentication-failure-url="/login.html?error=1"
              username-parameter="username"
              password-parameter="password" />

  <!-- NOTE(review): the session is not invalidated on logout, only the cookie is deleted. -->
  <logout logout-success-url="/login.html?logout=1"
          invalidate-session="false"
          delete-cookies="JSESSIONID" />

  <!-- enable csrf protection -->
  <!-- <csrf disabled="true" /> -->
</http>
<!--
  Channel filter: maps request URLs (regular expressions) to the channel they
  must use and hands the decision to channelDecisionManager.
-->
<beans:bean id="channelProcessingFilter"
            class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
  <beans:property name="channelDecisionManager" ref="channelDecisionManager" />
  <beans:property name="securityMetadataSource">
    <filter-security-metadata-source request-matcher="regex">
      <!-- Anything starting with /login must use the secure channel. -->
      <intercept-url pattern="\A/login.*\Z" access="REQUIRES_SECURE_CHANNEL" />
      <!-- NOTE(review): already covered by the pattern above, so this rule looks redundant. -->
      <intercept-url pattern="\A/login.html.*\Z" access="REQUIRES_SECURE_CHANNEL" />
      <!--
        Every other URL is accepted on either channel.
        NOTE(review): a session cookie issued during the HTTPS login is likely
        flagged Secure and then does not accompany later HTTP requests; serving
        the authenticated pages over HTTPS as well would avoid losing the session
        and keep the session id off plain HTTP. Confirm against the container.
      -->
      <intercept-url pattern="\A/.*\Z" access="ANY_CHANNEL" />
    </filter-security-metadata-source>
  </beans:property>
</beans:bean>
<!-- Decision manager for the channel filter; it is given the three channel processors listed below. -->
<beans:bean id="channelDecisionManager"
            class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
  <beans:property name="channelProcessors">
    <beans:list>
      <beans:ref bean="secureChannelProcessor" />
      <beans:ref bean="insecureChannelProcessor" />
      <beans:ref bean="anyChannelProcessor" />
    </beans:list>
  </beans:property>
</beans:bean>
<!--
  Project-specific channel processors and entry point; their classes are not
  shown here, so their exact behaviour has to be checked in the Java sources.
-->
<beans:bean id="secureChannelProcessor"
            class="com.mycompany.mens.springsecurity.MensSecureChannelProcessor" />
<beans:bean id="insecureChannelProcessor"
            class="com.mycompany.mens.springsecurity.MensInsecureChannelProcessor" />
<!-- NOTE(review): judging by its name the entry point sends requests back to HTTP; confirm. -->
<beans:bean id="anyChannelProcessor"
            class="com.mycompany.mens.springsecurity.MensAnyChannelProcessor">
  <beans:property name="entryPoint" ref="mensRetryWithHttpEntryPoint" />
</beans:bean>
<beans:bean name="mensRetryWithHttpEntryPoint"
            class="com.mycompany.mens.springsecurity.MensRetryWithHttpEntryPoint" />
调试时我发现身份验证成功了,入口点把请求重定向到http端口8080上的索引页,但在那之后,又有某个环节把我重定向回了登录页
有什么建议吗
非常感谢您的帮助