我在使用 Springs Security 保护两个 URL 时遇到了问题。我想保护/admin/** 和/user/**。主要问题是我有单独的表用于 ADMIN 作为 ADMIN 和 ADMIN_ROLES 以及用于 USER 作为 USER 和 USER_ROLES。我也有单独的管理员和用户登录页面。我在下面分享我的代码。请帮我解决这个问题。
我需要的是,当某些人进入/admin URL 时,它应该显示管理员登录页面并将我重定向到/admin/embassy,当一些人打开/URL 时,它应该进入用户登录页面,成功登录后应该将我重定向到/用户/大使馆。
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true">
<intercept-url pattern="/user/**" access="ROLE_USER" />
<form-login login-page="/" default-target-url="/user/embassy"
authentication-failure-url="/loginfailed" />
<logout invalidate-session="true" logout-success-url="/logout" />
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select USERNAME, PASSWORD, ENABLED from USER where USERNAME = ?"
authorities-by-username-query="select u.USERNAME, ur.AUTHORITY from USER u, USER_ROLES ur where u.ID = ur.USER_ID and u.USERNAME =?"
/>
</authentication-provider>
</authentication-manager>
<http auto-config="true">
<intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
<form-login login-page="/admin" default-target-url="/admin/embassy"
authentication-failure-url="/adminloginfailed" />
<logout invalidate-session="true" logout-success-url="/adminlogout" />
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select USERNAME, PASSWORD, ENABLED from ADMIN where USERNAME = ?"
authorities-by-username-query="select a.USERNAME, ar.AUTHORITY from ADMIN a, ADMIN_ROLES ar where a.ID = ar.USER_ID and a.USERNAME =?"
/>
</authentication-provider>
</authentication-manager>
web.xml
<?xml version="1.0" encoding="utf-8" standalone="no"?><web-app
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.5"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<servlet>
<servlet-name>Admin</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Admin</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>User</servlet-name>
<servlet-class>
org.springframework.web.servlet.DispatcherServlet
</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>User</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/User-servlet.xml,
/WEB-INF/Admin-servlet.xml,
/WEB-INF/Spring-Datasource.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>index</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>SystemServiceServlet</servlet-name>
<servlet-class>com.google.api.server.spi.SystemServiceServlet</servlet-class>
<init-param>
<param-name>services</param-name>
<param-value/>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>SystemServiceServlet</servlet-name>
<url-pattern>/_ah/spi/*</url-pattern>
</servlet-mapping>
最佳答案
看了评论我猜你对单表没问题
所以我假设它。
所以你的 spring-security.xml 应该是这样的:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true">
<intercept-url pattern="/user/**" access="ROLE_USER" />
<intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
<form-login login-page="/" authentication-success-handler-ref="mySuccessHandler"
authentication-failure-url="/loginfailed" />
<logout invalidate-session="true" logout-success-url="/logout" />
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select USERNAME, PASSWORD, ENABLED from USER where USERNAME = ?"
authorities-by-username-query="select u.USERNAME, ur.AUTHORITY from USER u, USER_ROLES ur where u.ID = ur.USER_ID and u.USERNAME =?" />
</authentication-provider>
</authentication-manager>
我假设您所有的用户和管理员现在都在用户表中。
现在暗示。 AuthenticationSuccessHandler ,并将其注册为与上述 athentication-success-handler-ref 的值同名的 bean,重定向到您想要的页面。
public class MySuccessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication authentication)
throws IOException, ServletException {
Set<String> roles = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
if (roles.contains("ROLE_ADMIN")){
response.sendRedirect("/admin/embassy");
return;
}
response.sendRedirect("/user/embassy");
}
}
所以我们添加到spring-security.xml
<beans:bean id="mySuccessHandler" class="my.domain.MySuccessHandler" />
关于java - 在 spring security 中保护两个或更多/** url,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/14037424/