Spring Security not displaying error messages
Posted: 2014-01-01 11:12:39
Question: I am unable to display the Spring error messages when the login credentials are invalid. When I try to log in with a wrong username or password, it just reloads the login page, but no error message is displayed.
root-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cloud="http://schema.cloudfoundry.org/spring"
xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
http://schema.cloudfoundry.org/spring http://schema.cloudfoundry.org/spring/cloudfoundry-spring-0.7.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<context:property-placeholder location="classpath:config.properties" />
<!-- Register the Customer.properties -->
<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basenames">
<list>
<value>mymessages</value>
</list>
</property>
</bean>
<bean id="jdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate">
<property name="dataSource" ref="dataSource"></property>
</bean>
<!-- Initialization for data source -->
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="${database.driver}" />
<property name="url" value="${database.url}" />
<property name="username" value="${database.user}" />
<property name="password" value="${database.password}" />
</bean>
<!-- Spring Security -->
<!-- No security for resources directory logout-url="/j_spring_security_logout" -->
<security:http pattern="/resources/**" security="none" auto-config='false'/>
<!-- REST services are secured with Basic Auth -->
<security:http auto-config='true'>
<security:intercept-url pattern="/Admin" access="ROLE_ADMIN" />
<security:access-denied-handler error-page="/accessdenied"/>
<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" /><!-- allows all user to access the login page -->
<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" /><!-- makes all pages secured requiring the role ROLE_USER to access them -->
<security:form-login login-page='/login' default-target-url="/" always-use-default-target='true'
authentication-failure-url="/loginfailed"/><!--supplying my own login form/page-->
<security:logout logout-success-url="/" logout-url="/j_spring_security_logout"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service
data-source-ref="dataSource"
users-by-username-query="SELECT USERNAME, PASSWORD, ENABLED FROM TrainAppDB.dbo.tbl_Users WHERE USERNAME=?"
authorities-by-username-query="SELECT u.USERNAME, ur.AUTHORITY FROM TrainAppDB.dbo.tbl_Users u, TrainAppDB.dbo.tbl_UserRoles ur WHERE u.USER_ID = ur.USER_ID AND u.USERNAME=?"/>
</security:authentication-provider>
</security:authentication-manager>
<context:component-scan base-package="com.billy"/>
</beans>
I also tried
<security:http auto-config='true'>
<security:intercept-url pattern="/Admin" access="ROLE_ADMIN" />
<security:access-denied-handler error-page="/accessdenied"/>
<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" />
<security:form-login login-page='/login' default-target-url="/" authentication-failure-url="/loginfailed"/>
<security:logout logout-success-url="/" logout-url="/j_spring_security_logout"/>
</security:http>
Login controller
import java.security.Principal;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LoginController extends BaseController {

    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String printWelcome(ModelMap model, Principal principal) {
        String name = principal.getName();
        model.addAttribute("username", name);
        model.addAttribute("message", "Spring Security Custom Form example");
        return "home";
    }

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String home(Model model) {
        return "login";
    }

    @RequestMapping(value = "/loginfailed", method = RequestMethod.GET)
    public String home2(Model model) {
        model.addAttribute("error", "true");
        return "login";
    }

    @RequestMapping(value = "/logout", method = RequestMethod.GET)
    public String logout(ModelMap model) {
        return "login";
    }
}
And finally my login.jsp
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<%@ page session="true"%>
<%@ include file="include/head.jsp"%>
<body>
<%@ include file="include/login1.jsp"%>
<c:if test="${not empty error}">
<div class="errorblock">
Your login attempt was not successful, try again.<br /> Caused :
${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
</div>
</c:if>
</body>
</html>
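Answer 1: Spring Security sends a redirect when authentication fails => the SPRING_SECURITY_LAST_EXCEPTION request attribute is no longer available in your /loginfailed handler, because it is a new request.
But Spring adds an error parameter containing the message to the redirect.
You can also implement a custom AuthenticationFailureHandler (SimpleUrlAuthenticationFailureHandler).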
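A custom failure handler of the kind the answer mentions could look like the following; this is an added example, not code from the original post or from Spring Security itself. The class name `ReasonCodeFailureHandler`, the two error codes and the choice of `/login` as redirect target (the URL the question's configuration opens to anonymous users) are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

// Added example (hypothetical class name): sends a failed login back to
// /login?error=<code> so the page can pick a message from a fixed code.
public class ReasonCodeFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    // Map the exception to a coarse code. An unknown user and a wrong password
    // share one code, so the login page does not reveal which usernames exist.
    // Account status (locked, disabled, expired) is checked before the password,
    // so return "bad_credentials" here too if account existence is sensitive.
    static String reasonCode(AuthenticationException ex) {
        if (ex instanceof AccountStatusException) {
            return "account_unavailable";
        }
        return "bad_credentials";
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        // Keep the base-class behaviour of storing the exception under
        // SPRING_SECURITY_LAST_EXCEPTION for pages that still read it.
        saveException(request, exception);
        // The code is one of the literals above, never text taken from the
        // exception or the request, so no user-controlled data reaches the URL.
        getRedirectStrategy().sendRedirect(request, response,
                "/login?error=" + reasonCode(exception));
    }
}
```

Declare the class as a bean and reference it from `<security:form-login>` with `authentication-failure-handler-ref` in place of `authentication-failure-url`. The login page can then test `${param.error}` and print its own fixed message for each code.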