
在 8443 端口通过 SSL 完成的 Java Spring Security 登录，在使用 HTTP 协议的 8080 端口上无法被识别

我在试图保护我的登录表单时遇到了一种奇怪的行为

我的应用程序是基于 Spring 框架和 Spring Security 开发的，部署在 Tomcat 服务器上。只要使用 http，一切都可以正常工作；但当我通过 https 的 8443 端口访问登录页面时，在成功登录并被重定向到 http://localhost:8080/mens/index 之后，我又会被重定向到登录页面 https://localhost:8443/mens/login.html。

这是我的 Spring Security 配置 XML 的一部分：

<!-- enable use-expressions -->
<!-- Spring Security namespace configuration for the filter chain.
     intercept-url rules are checked top to bottom and the first matching
     pattern wins, so their order is significant. The requires-channel
     attributes split the site: only the login page is forced onto https,
     while every pattern that needs an authenticated user is forced onto
     http, so the session created on port 8443 must travel to port 8080
     inside the JSESSIONID cookie. -->
<http auto-config="true" use-expressions="true">
    <!-- user-switching filter; the switchUserProcessingFilter bean is defined elsewhere -->
    <custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter" />
    <intercept-url pattern="/j_spring_security_switch_user" access="hasRole('ROLE_SUPERVISOR')"/>

    <!-- an expired or unknown session id is sent to the login page with a marker
         parameter; a new session is created on authentication (session fixation
         protection); at most 10 concurrent sessions per user, the 11th login fails -->
    <session-management invalid-session-url="/login.html?invalidSession=1" session-fixation-protection="newSession">
        <concurrency-control max-sessions="10" error-if-maximum-exceeded="true"/>
    </session-management>

    <!-- NOTE(review): the login page is https-only while /index, /admin, /rest and
         /upload are http-only. If the servlet container marks the JSESSIONID cookie
         as Secure because the session was created over 8443, the browser will not
         send that cookie to 8080; the user then reaches /index as anonymous, fails
         hasRole('ROLE_USER') and is sent back to the login page, which matches the
         symptom described above. Inspect the Set-Cookie header of the login response
         to confirm. Serving authenticated pages over plain http also exposes the
         session id on the wire; the usual remedy is requires-channel="https" on every
         authenticated pattern. Presumably an already logged-in user requesting
         /login.html is denied here (no ROLE_ANONYMOUS) and lands on the /403 page. -->
    <intercept-url pattern="/login.html" access="hasRole('ROLE_ANONYMOUS')" requires-channel="https"/>
    <intercept-url pattern="/resources/**" access="permitAll" requires-channel="any"/>
    <!-- NOTE(review): with the default ant matcher "/admin**" probably does not cover
         paths below /admin/ ; "/admin/**" is the usual form, verify which is intended -->
    <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" requires-channel="http"/>
    <intercept-url pattern="/rest/**" access="hasRole('ROLE_USER')" requires-channel="http"/>
    <intercept-url pattern="/index" access="hasRole('ROLE_USER')" requires-channel="http"/>
    <intercept-url pattern="/upload/**" access="hasRole('ROLE_USER')" requires-channel="http"/>

    <!-- response security headers: X-XSS-Protection without mode=block, cache-control
         headers on, and X-Frame-Options switched off entirely.
         NOTE(review): frame-options disabled="true" removes clickjacking protection
         for every page; keep it enabled unless the application must be framed. -->
    <headers>
        <xss-protection block="false"/>
        <frame-options disabled="true"/>
        <cache-control/>
    </headers>

    <!-- access denied page -->
    <access-denied-handler error-page="/403" />
    <!-- form login: every successful login goes to /index regardless of the originally
         requested URL (always-use-default-target), failures return to the login page
         with error=1; the form fields are named username and password -->
    <form-login 
        login-page="/login.html" 
        default-target-url="/index" 
        always-use-default-target="true"
        authentication-failure-url="/login.html?error=1" 
        username-parameter="username" 
        password-parameter="password"/>
    <!-- NOTE(review): invalidate-session="false" keeps the server-side session alive
         after logout; only the browser cookie is deleted, so the old session id stays
         usable until it times out. The default, invalidate-session="true", is the
         safer choice unless the session is deliberately preserved. -->
    <logout logout-success-url="/login.html?logout=1" invalidate-session="false" delete-cookies="JSESSIONID"/>
    <!-- enable csrf protection -->
    <!-- <csrf disabled="true" /> -->
    <!-- NOTE(review): no <csrf/> element is active here. Whether CSRF protection is on
         therefore depends on the Spring Security version in use (the XML namespace
         only enables it by default from 4.0); confirm for this project. -->
</http>

或者，我尝试使用 channelProcessingFilter 来代替 requires-channel 属性：

<!-- Second variant of the Spring Security namespace configuration: the
     requires-channel attributes are gone and a custom ChannelProcessingFilter
     (the channelProcessingFilter bean defined later in this file) is plugged
     into the CHANNEL_FILTER slot instead. intercept-url rules are still
     matched top to bottom, first match wins. -->
<http auto-config="true" use-expressions="true">
    <!-- replaces the namespace's own channel filter; the https/http rules now live in
         the channelProcessingFilter bean's filter-security-metadata-source -->
    <custom-filter position="CHANNEL_FILTER" ref="channelProcessingFilter"/>

    <!-- user-switching filter; the switchUserProcessingFilter bean is defined elsewhere -->
    <custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter" />
    <intercept-url pattern="/j_spring_security_switch_user" access="hasRole('ROLE_SUPERVISOR')"/>

    <!-- invalid session ids go to the login page; a fresh session is created on login;
         at most 10 concurrent sessions per user, further logins fail -->
    <session-management invalid-session-url="/login.html?invalidSession=1" session-fixation-protection="newSession">
        <concurrency-control max-sessions="10" error-if-maximum-exceeded="true"/>
    </session-management>

    <!-- NOTE(review): the channel rules in the channelProcessingFilter bean keep the
         login page on https and leave everything else on ANY_CHANNEL, so the session
         created on 8443 still has to be presented on 8080. If the container flagged
         the JSESSIONID cookie as Secure, it will not be sent over http and /index is
         reached as anonymous, which would again redirect to the login page; check the
         Set-Cookie header. Keeping authenticated pages on https avoids both the
         symptom and the exposure of the session id over plain http. -->
    <intercept-url pattern="/login.html" access="hasRole('ROLE_ANONYMOUS')"/>
    <intercept-url pattern="/resources/**" access="permitAll"/>
    <!-- NOTE(review): "/admin**" probably does not match paths below /admin/ with the
         default ant matcher; "/admin/**" is the usual form, verify the intent -->
    <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/rest/**" access="hasRole('ROLE_USER')"/>
    <intercept-url pattern="/index" access="hasRole('ROLE_USER')"/>
    <intercept-url pattern="/upload/**" access="hasRole('ROLE_USER')"/>

    <!-- response security headers; NOTE(review): frame-options disabled="true" drops
         X-Frame-Options and with it clickjacking protection for every page -->
    <headers>
        <xss-protection block="false"/>
        <frame-options disabled="true"/>
        <cache-control/>
    </headers>

    <!-- access denied page -->
    <access-denied-handler error-page="/403" />
    <!-- form login: success always lands on /index, failure returns to the login page
         with error=1; form fields are username and password -->
    <form-login 
        login-page="/login.html" 
        default-target-url="/index" 
        always-use-default-target="true"
        authentication-failure-url="/login.html?error=1" 
        username-parameter="username" 
        password-parameter="password"/>
    <!-- NOTE(review): invalidate-session="false" leaves the server-side session usable
         after logout; only the cookie is removed. invalidate-session="true" is the
         default and the safer choice. -->
    <logout logout-success-url="/login.html?logout=1" invalidate-session="false" delete-cookies="JSESSIONID"/>
    <!-- enable csrf protection -->
    <!-- <csrf disabled="true" /> -->
    <!-- NOTE(review): no <csrf/> element is active; whether CSRF protection is on
         depends on the Spring Security version (XML default changed in 4.0), confirm -->
</http>

<!-- Custom channel filter used by the second <http> variant above. It decides,
     per request, whether the request must be on https, http or either, and
     delegates the actual redirect to the channelDecisionManager bean. -->
<beans:bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
    <beans:property name="channelDecisionManager" ref="channelDecisionManager"/>
    <beans:property name="securityMetadataSource">
        <!-- regex matcher: patterns are anchored with \A and \Z; first match wins -->
        <filter-security-metadata-source request-matcher="regex">
            <intercept-url pattern="\A/login.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
            <!-- redundant: every path matched by \A/login.html.*\Z is already matched
                 by the \A/login.*\Z rule above -->
            <intercept-url pattern="\A/login.html.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
            <!-- NOTE(review): everything else, including the authenticated pages, is
                 allowed on either channel, so the session id may be sent over plain
                 http after login; consider REQUIRES_SECURE_CHANNEL for those paths -->
            <intercept-url pattern="\A/.*\Z" access="ANY_CHANNEL"/>
        </filter-security-metadata-source>
    </beans:property>
</beans:bean>

<!-- Decision manager for the channelProcessingFilter bean: the channel processors
     listed here are consulted for each request; each one is expected to handle the
     config attribute it supports (REQUIRES_SECURE_CHANNEL, REQUIRES_INSECURE_CHANNEL,
     ANY_CHANNEL) and redirect when the request is on the wrong channel. -->
<beans:bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
    <beans:property name="channelProcessors">
        <beans:list>
            <beans:ref bean="secureChannelProcessor"/>
            <beans:ref bean="insecureChannelProcessor"/>
            <beans:ref bean="anyChannelProcessor"/>
        </beans:list>
    </beans:property>
</beans:bean>

<!-- Project-specific channel processors; their classes are not shown here.
     Presumably they extend Spring's SecureChannelProcessor / InsecureChannelProcessor
     and a custom "any channel" processor, verify against the source. -->
<beans:bean id="secureChannelProcessor" class="com.mycompany.mens.springsecurity.MensSecureChannelProcessor"/>
<beans:bean id="insecureChannelProcessor" class="com.mycompany.mens.springsecurity.MensInsecureChannelProcessor"/>
<!-- NOTE(review): the "any channel" processor is wired with a retry-with-http entry
     point. If that processor actually invokes it, an https request for a non-login
     page would be bounced to the http port, which is exactly the hop where a
     Secure-flagged session cookie gets lost; confirm what MensAnyChannelProcessor
     does with entryPoint. -->
<beans:bean id="anyChannelProcessor" class="com.mycompany.mens.springsecurity.MensAnyChannelProcessor">
    <beans:property name="entryPoint" ref="mensRetryWithHttpEntryPoint"/>
</beans:bean>

<!-- custom entry point that redirects the request to the http port; class not shown -->
<beans:bean name="mensRetryWithHttpEntryPoint" class="com.mycompany.mens.springsecurity.MensRetryWithHttpEntryPoint"/>

调试时我发现身份验证是成功的，入口点也把流程重定向到了 http 端口 8080 上的 index 页面，但在那之后，有什么东西又把我重定向到了另一次登录。

有什么建议吗？

非常感谢您的帮助

