Spring 版: 2.5.6 SEC01
Spring 安全版本: 3.0.0 RC1
我正在尝试将 Spring Security 与 Spring MVC 应用程序集成。安全部分主要基于 Spring Security 附带的示例应用程序。我已经定义了一些需要特定角色才能访问它们的页面,正如预期的那样,当在未登录的情况下访问它们时,会出现登录页面(我已经定义了自己的登录页面)。问题是,即使我输入了正确的用户名和密码,我也会被退回到登录页面。我不完全确定这是 Spring Security 问题还是 Spring MVC 问题,但让我们先尝试前者。我有请求的日志记录,所以也许更熟悉它们的人能够发现一些东西。
有相当多的日志记录(似乎超过了一篇文章所允许的范围),所以我只包含了最有趣的部分。据我所知,用户“rod”登录成功,一切似乎都正常,直到时间 14:30:28,222 的行,我看到 Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser;...从此用户再次被视为匿名。
这是在输入正确的用户名和密码后导致返回登录页面的调试:
14:30:28,192 DEBUG FilterChainProxy:176 - Converted URL to lowercase, from: '/j_spring_security_check'; to: '/j_spring_security_check'
14:30:28,192 DEBUG FilterChainProxy:183 - Candidate is: '/j_spring_security_check'; pattern is /**; matched=true
14:30:28,192 DEBUG FilterChainProxy:351 - /j_spring_security_check at position 1 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.access.channel.ChannelProcessingFilter@2a4e37fb'
14:30:28,193 DEBUG DefaultFilterInvocationSecurityMetadataSource:177 - Converted URL to lowercase, from: '/j_spring_security_check'; to: '/j_spring_security_check'
14:30:28,193 DEBUG DefaultFilterInvocationSecurityMetadataSource:204 - Candidate is: '/j_spring_security_check'; pattern is /login.htm; matched=false
14:30:28,193 DEBUG FilterChainProxy:351 - /j_spring_security_check at position 2 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.session.ConcurrentSessionFilter@753d556f'
14:30:28,193 DEBUG FilterChainProxy:351 - /j_spring_security_check at position 3 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@db4268b'
14:30:28,194 DEBUG HttpSessionSecurityContextRepository:145 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
14:30:28,194 DEBUG HttpSessionSecurityContextRepository:91 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@2e4e76b4. A new one will be created.
14:30:28,194 DEBUG FilterChainProxy:351 - /j_spring_security_check at position 4 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@21533b2c'
14:30:28,194 DEBUG FilterChainProxy:351 - /j_spring_security_check at position 5 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@5f51d6cb'
14:30:28,194 DEBUG UsernamePasswordAuthenticationFilter:194 - Request is to process authentication
14:30:28,197 DEBUG ProviderManager:118 - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
14:30:28,203 DEBUG ConcurrentSessionControlStrategy:82 - Invalidating session with Id 'F281373E7B726C52448CDBB845DC0FA0' and migrating attributes.
14:30:28,204 DEBUG ConcurrentSessionControlStrategy:92 - Started new session: 24853B27E3FF94289CBB879FEA7EE27A
14:30:28,204 DEBUG SessionRegistryImpl:115 - Registering session 24853B27E3FF94289CBB879FEA7EE27A, for principal org.springframework.security.core.userdetails.User@2117c700: Username: rod; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR, ROLE_TELLER, ROLE_USER
14:30:28,205 DEBUG UsernamePasswordAuthenticationFilter:290 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@86589b6c: Principal: org.springframework.security.core.userdetails.User@2117c700: Username: rod; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR, ROLE_TELLER, ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F281373E7B726C52448CDBB845DC0FA0; Granted Authorities: ROLE_SUPERVISOR, ROLE_TELLER, ROLE_USER
14:30:28,205 DEBUG SavedRequestAwareAuthenticationSuccessHandler:78 - Redirecting to DefaultSavedRequest Url: http://localhost:8080/vicinity/member/member_home.htm
14:30:28,206 DEBUG DefaultRedirectStrategy:55 - Redirecting to 'http://localhost:8080/vicinity/member/member_home.htm'
14:30:28,206 DEBUG HttpSessionSecurityContextRepository:332 - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@86589b6c: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@86589b6c: Principal: org.springframework.security.core.userdetails.User@2117c700: Username: rod; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR, ROLE_TELLER, ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F281373E7B726C52448CDBB845DC0FA0; Granted Authorities: ROLE_SUPERVISOR, ROLE_TELLER, ROLE_USER'
14:30:28,207 DEBUG SecurityContextPersistenceFilter:90 - SecurityContextHolder now cleared, as request processing completed
14:30:28,217 DEBUG FilterChainProxy:176 - Converted URL to lowercase, from: '/member/member_home.htm'; to: '/member/member_home.htm'
14:30:28,217 DEBUG FilterChainProxy:183 - Candidate is: '/member/member_home.htm'; pattern is /**; matched=true
14:30:28,217 DEBUG FilterChainProxy:351 - /member/member_home.htm at position 1 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.access.channel.ChannelProcessingFilter@2a4e37fb'
14:30:28,217 DEBUG DefaultFilterInvocationSecurityMetadataSource:177 - Converted URL to lowercase, from: '/member/member_home.htm'; to: '/member/member_home.htm'
14:30:28,218 DEBUG DefaultFilterInvocationSecurityMetadataSource:204 - Candidate is: '/member/member_home.htm'; pattern is /login.htm; matched=false
14:30:28,218 DEBUG FilterChainProxy:351 - /member/member_home.htm at position 2 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.session.ConcurrentSessionFilter@753d556f'
14:30:28,218 DEBUG FilterChainProxy:351 - /member/member_home.htm at position 3 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@db4268b'
14:30:28,218 DEBUG HttpSessionSecurityContextRepository:133 - No HttpSession currently exists
14:30:28,218 DEBUG HttpSessionSecurityContextRepository:91 - No SecurityContext was available from the HttpSession: null. A new one will be created.
14:30:28,219 DEBUG FilterChainProxy:351 - /member/member_home.htm at position 4 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@21533b2c'
14:30:28,219 DEBUG FilterChainProxy:351 - /member/member_home.htm at position 5 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@5f51d6cb'
14:30:28,219 DEBUG FilterChainProxy:351 - /member/member_home.htm at position 6 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.www.BasicAuthenticationFilter@75ecda50'
14:30:28,219 DEBUG BasicAuthenticationFilter:118 - Authorization header: null
14:30:28,219 DEBUG FilterChainProxy:351 - /member/member_home.htm at position 7 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@10f0f6ac'
14:30:28,220 DEBUG FilterChainProxy:351 - /member/member_home.htm at position 8 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@3bd29ee4'
14:30:28,220 DEBUG FilterChainProxy:351 - /member/member_home.htm at position 9 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@bda96b'
14:30:28,220 DEBUG AnonymousAuthenticationFilter:98 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
14:30:28,220 DEBUG FilterChainProxy:351 - /member/member_home.htm at position 10 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@23bdb02e'
14:30:28,221 DEBUG FilterChainProxy:351 - /member/member_home.htm at position 11 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@7a79ae56'
14:30:28,221 DEBUG FilterChainProxy:351 - /member/member_home.htm at position 12 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@4aa4ceeb'
14:30:28,221 DEBUG DefaultFilterInvocationSecurityMetadataSource:177 - Converted URL to lowercase, from: '/member/member_home.htm'; to: '/member/member_home.htm'
14:30:28,222 DEBUG DefaultFilterInvocationSecurityMetadataSource:204 - Candidate is: '/member/member_home.htm'; pattern is /member/**; matched=true
14:30:28,222 DEBUG FilterSecurityInterceptor:192 - Secure object: FilterInvocation: URL: /member/member_home.htm; Attributes: [ROLE_TELLER]
14:30:28,222 DEBUG FilterSecurityInterceptor:293 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
14:30:28,222 DEBUG AffirmativeBased:53 - Voter: org.springframework.security.access.vote.RoleVoter@a0ccc96, returned: -1
14:30:28,223 DEBUG AffirmativeBased:53 - Voter: org.springframework.security.access.vote.AuthenticatedVoter@4e4b9101, returned: 0
14:30:28,223 DEBUG ExceptionTranslationFilter:154 - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:204)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:107)
SNIP...
14:30:28,224 DEBUG HttpSessionRequestCache:39 - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/vicinity/member/member_home.htm]
14:30:28,225 DEBUG ExceptionTranslationFilter:178 - Calling Authentication entry point.
14:30:28,225 DEBUG DefaultRedirectStrategy:55 - Redirecting to 'http://localhost:8080/vicinity/login.htm'
14:30:28,225 DEBUG SecurityContextPersistenceFilter:90 - SecurityContextHolder now cleared, as request processing completed
14:30:28,227 DEBUG FilterChainProxy:176 - Converted URL to lowercase, from: '/login.htm'; to: '/login.htm'
14:30:28,228 DEBUG FilterChainProxy:183 - Candidate is: '/login.htm'; pattern is /**; matched=true
14:30:28,228 DEBUG FilterChainProxy:351 - /login.htm at position 1 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.access.channel.ChannelProcessingFilter@2a4e37fb'
14:30:28,228 DEBUG DefaultFilterInvocationSecurityMetadataSource:177 - Converted URL to lowercase, from: '/login.htm'; to: '/login.htm'
14:30:28,228 DEBUG DefaultFilterInvocationSecurityMetadataSource:204 - Candidate is: '/login.htm'; pattern is /login.htm; matched=true
14:30:28,229 DEBUG ChannelProcessingFilter:100 - Request: FilterInvocation: URL: /login.htm; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
14:30:28,229 DEBUG RetryWithHttpsEntryPoint:65 - Redirecting to: https://localhost:8443/vicinity/login.htm
14:30:28,231 DEBUG FilterChainProxy:176 - Converted URL to lowercase, from: '/login.htm'; to: '/login.htm'
14:30:28,231 DEBUG FilterChainProxy:183 - Candidate is: '/login.htm'; pattern is /**; matched=true
14:30:28,231 DEBUG FilterChainProxy:351 - /login.htm at position 1 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.access.channel.ChannelProcessingFilter@2a4e37fb'
14:30:28,232 DEBUG DefaultFilterInvocationSecurityMetadataSource:177 - Converted URL to lowercase, from: '/login.htm'; to: '/login.htm'
14:30:28,232 DEBUG DefaultFilterInvocationSecurityMetadataSource:204 - Candidate is: '/login.htm'; pattern is /login.htm; matched=true
14:30:28,232 DEBUG ChannelProcessingFilter:100 - Request: FilterInvocation: URL: /login.htm; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
14:30:28,232 DEBUG FilterChainProxy:351 - /login.htm at position 2 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.session.ConcurrentSessionFilter@753d556f'
14:30:28,232 DEBUG FilterChainProxy:351 - /login.htm at position 3 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@db4268b'
14:30:28,233 DEBUG HttpSessionSecurityContextRepository:145 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
14:30:28,233 DEBUG HttpSessionSecurityContextRepository:91 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@384e9bea. A new one will be created.
14:30:28,233 DEBUG FilterChainProxy:351 - /login.htm at position 4 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@21533b2c'
14:30:28,233 DEBUG FilterChainProxy:351 - /login.htm at position 5 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@5f51d6cb'
14:30:28,234 DEBUG FilterChainProxy:351 - /login.htm at position 6 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.www.BasicAuthenticationFilter@75ecda50'
14:30:28,234 DEBUG BasicAuthenticationFilter:118 - Authorization header: null
14:30:28,234 DEBUG FilterChainProxy:351 - /login.htm at position 7 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@10f0f6ac'
14:30:28,235 DEBUG DefaultSavedRequest:309 - pathInfo: both null (property equals)
14:30:28,235 DEBUG DefaultSavedRequest:309 - queryString: both null (property equals)
14:30:28,235 DEBUG DefaultSavedRequest:331 - requestURI: arg1=/vicinity/member/member_home.htm; arg2=/vicinity/login.htm (property not equals)
14:30:28,235 DEBUG HttpSessionRequestCache:72 - saved request doesn't match
14:30:28,236 DEBUG FilterChainProxy:351 - /login.htm at position 8 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@3bd29ee4'
14:30:28,236 DEBUG FilterChainProxy:351 - /login.htm at position 9 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@bda96b'
14:30:28,236 DEBUG AnonymousAuthenticationFilter:98 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa843a8: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd3270: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: DC9231E2B140D2F7D720A3B171B52CCF; Granted Authorities: ROLE_ANONYMOUS'
14:30:28,237 DEBUG FilterChainProxy:351 - /login.htm at position 10 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@23bdb02e'
14:30:28,237 DEBUG FilterChainProxy:351 - /login.htm at position 11 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@7a79ae56'
14:30:28,237 DEBUG FilterChainProxy:351 - /login.htm at position 12 of 12 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@4aa4ceeb'
14:30:28,237 DEBUG DefaultFilterInvocationSecurityMetadataSource:177 - Converted URL to lowercase, from: '/login.htm'; to: '/login.htm'
14:30:28,238 DEBUG DefaultFilterInvocationSecurityMetadataSource:204 - Candidate is: '/login.htm'; pattern is /member/**; matched=false
14:30:28,238 DEBUG DefaultFilterInvocationSecurityMetadataSource:204 - Candidate is: '/login.htm'; pattern is /login.htm; matched=true
14:30:28,238 DEBUG FilterSecurityInterceptor:192 - Secure object: FilterInvocation: URL: /login.htm; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
14:30:28,239 DEBUG FilterSecurityInterceptor:293 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa843a8: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd3270: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: DC9231E2B140D2F7D720A3B171B52CCF; Granted Authorities: ROLE_ANONYMOUS
14:30:28,239 DEBUG AffirmativeBased:53 - Voter: org.springframework.security.access.vote.RoleVoter@a0ccc96, returned: 0
14:30:28,239 DEBUG AffirmativeBased:53 - Voter: org.springframework.security.access.vote.AuthenticatedVoter@4e4b9101, returned: 1
14:30:28,239 DEBUG FilterSecurityInterceptor:214 - Authorization successful
14:30:28,240 DEBUG FilterSecurityInterceptor:224 - RunAsManager did not change Authentication object
14:30:28,240 DEBUG FilterChainProxy:340 - /login.htm reached end of additional filter chain; proceeding with original chain
14:30:28,243 DEBUG ExceptionTranslationFilter:101 - Chain processed normally
14:30:28,243 DEBUG SecurityContextPersistenceFilter:90 - SecurityContextHolder now cleared, as request processing completed
最佳答案
这里的关键是 session 丢失 登录成功后:
14:30:28,218 DEBUG HttpSessionSecurityContextRepository:133 - No HttpSession currently exists
14:30:28,218 DEBUG HttpSessionSecurityContextRepository:91 - No SecurityContext was available from the HttpSession: null. A new one will be created.
匿名用户是默认创建的,因为没有安全上下文。
您可以尝试相同但没有 https 限制的方法吗?或在 https 中完成所有操作。只是为了看看它是否有效。
关于login - Spring 安全 : Cannot access target page even after successful login,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/1812784/