java - 为什么我的 Spring Security 不工作？

Question

我目前正在做一个关于 Spring MVC 的项目，我正在尝试集成 Spring Security。然而我没有这样做，而且我完全不知道我错过了什么。请查看我的代码并提出您的建议。

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:jpa="http://www.springframework.org/schema/data/jpa"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/mvc 
    http://www.springframework.org/schema/mvc/spring-mvc.xsd
    http://www.springframework.org/schema/context 
    http://www.springframework.org/schema/context/spring-context.xsd
    http://www.springframework.org/schema/data/jpa
    http://www.springframework.org/schema/data/jpa/spring-jpa.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="/**"
            access="hasRole('ROLE_ADMIN')" />
        <security:intercept-url pattern="/suser/**"
            access="isAuthenticated()" />
        <!-- <security:intercept-url pattern="/resources/**" access="isAuthenticated()" 
            /> -->
        <!-- <security:form-login login-page="/home" default-target-url="/doctor" 
            authentication-failure-url="/authfailed" username-parameter="email" password-parameter="password" 
            /> <security:logout logout-success-url="/logoutsuccess" /> <security:csrf/> -->
        <!-- <security:csrf disabled="true"/> -->
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider
            user-service-ref="userService">

        </security:authentication-provider>
    </security:authentication-manager>

    <security:jdbc-user-service id="userService"
        data-source-ref="dataSource"
        users-by-username-query="select email , password, true from user where userId=?"
        authorities-by-username-query="select userId ,'ROLE_ADMIN' from user where userId=?" />

</beans>    

同样我的 Controller 是:

@Controller
public class MainController {

    @RequestMapping(value = "/signup", method = RequestMethod.GET)
    public String getSignupPage() {
        return "signup";
    }

    @RequestMapping(value = "/home", method = RequestMethod.GET)
    public ModelAndView getLoginSignupPage() {

        return new ModelAndView("module/loginsignup/loginsignup",StringConstants.PAGE_TITLE,StringConstants.WEB_APP_TITLE);
    }

    @RequestMapping(value = "/index", method = RequestMethod.GET)
    public String getIndexPage() {
        return "index";
    }

    @RequestMapping(value = "/admin", method = RequestMethod.GET)
    public String getAdminPage() {
        return "admin";
    }

    @RequestMapping(value = "/authfailed", method = RequestMethod.GET)
    public String getAuthFailPage() {
        return "autherror";
    }

    @RequestMapping(value = "/logoutsuccess", method = RequestMethod.GET)
    public String getLogoutSuccessPage() {
        return "logoutsuccess";
    }

    @RequestMapping(value = "/suser/test", method = RequestMethod.GET)
    public String getUserPage() {
        return "user";
    }
}

还有我的用户实体:

@Entity
@Table(name="user")
public class User {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    @Column
    private long userId;

    @Column
    private String firstName;

    @Column
    private String middleName;

    @Column
    private String lastName;

    @Column
    private String email;

    @Column
    private String password;

    @Column
    private String userStatus;

    @Column
    private Date createdDate;

    @Column
    private Date updatedDate;

    @Column
    private int createdBy;

    @Column
    private int updatedBy;

    @ManyToOne(fetch = FetchType.EAGER)
    @JoinColumn(name = "cityId")
    private City city;

    @ManyToMany(cascade = CascadeType.ALL)
    @JoinTable(name = "user_link_document",
               joinColumns = @JoinColumn(name = "userId"),
               inverseJoinColumns = @JoinColumn(name = "documentId"))
    private List<Document> documentList;

    @OneToMany(fetch = FetchType.LAZY, mappedBy = "user")
    private List<Review> reviewList;

我在 build.gradle 文件中的依赖项:

dependencies {
    compile("org.springframework.boot:spring-boot-starter-data-jpa")
    compile("javax.servlet:jstl:1.2")
    runtime("mysql:mysql-connector-java")
    compile("org.springframework.boot:spring-boot-starter-jdbc")
    compile ("org.springframework.boot:spring-boot-starter-web")
    compile("org.springframework.boot:spring-boot-starter-security")
    providedRuntime("org.springframework.boot:spring-boot-starter-tomcat")
    providedRuntime 'org.apache.tomcat.embed:tomcat-embed-jasper'
}

我对 Spring MVC 的所有配置都是正确的。除了 Spring Security 之外，我对其他任何东西都没有问题。谁能告诉我出了什么问题吗？每当我浏览应用程序时，我都没有看到 Spring Security 应提示用户的登录页面。

Answer 1

您已添加 /** 以限制为 ROLE_ADMIN，它捕获所有 URL。此外，您还没有将 /home URL 添加到 permitAll。

在下面的模式之前，您需要先添加所有无需登录即可访问的公共(public) URL。

<security:intercept-url pattern="/**"
            access="hasRole('ROLE_ADMIN')" />