@ModelAttribute 不适用于 Spring Security
Posted
技术标签:
【中文标题】@ModelAttribute 不适用于 Spring Security【英文标题】:@ModelAttribute is not working with spring security 【发布时间】:2015-11-03 18:47:27 【问题描述】:我试图在登录失败时重定向登录页面上输入的用户名,但在我的控制器中,从“@ModelAttribute("user")”检索到的用户的用户名为空。当我不使用弹簧安全时,这是可行的。
我假设表单实际上首先发布到 Spring Security,然后它被重定向到控制器,因此输入的信息在 Spring Security 之间丢失。
如何在不将用户发送到链接参数的情况下检索用户?
PS:我尝试为“/loginFailed”创建一个控制器,并在登录失败时将其发送到那里,并在该控制器上使用 method = RequestMethod.POST。
登录控制器
@RequestMapping(value = "/login", method = RequestMethod.GET)
public String listPersons(@ModelAttribute("user") User u, @RequestParam(required = false) String authfailed, String logout,
String denied, Model model)
model.addAttribute("user", u);
String message = "";
if (authfailed != null)
message = "Invalid username or password, try again !";
else if (logout != null)
message = "Logged Out successfully, login again to continue !";
else if (denied != null)
message = "Access denied for this user !";
model.addAttribute("error", message);
return "login";
login.jsp
<c:url var="trylogin" value="/j_spring_security_check" ></c:url>
<c:url var="register" value="/register" ></c:url>
<div id="login-box">
<form:form action="" modelAttribute="user" method="POST">
<table>
<tr>
<td> <form:label path="username"> <spring:message text="Username: "/> </form:label> </td>
<td> <form:input path="username" /> </td>
</tr>
<tr>
<td> <form:label path="password"> <spring:message text="Password: "/> </form:label> </td>
<td> <form:password path="password" /> </td>
</tr>
<tr>
<td> <input type="submit" value="<spring:message text="Login"/>"
onclick="document.getElementById('user').setAttribute('action', '$trylogin')"/> </td>
<td> <input type="submit" value="<spring:message text="Register"/>"
onclick="document.getElementById('user').setAttribute('action', '$register')"/> </td>
</tr>
</table>
</form:form>
<c:if test="$not empty error">
<div class="error">$error</div>
</c:if>
</div>
编辑(解决方案):
谢谢@James,创建一个 failureHandler 是可行的方法,但是您的解决方案不能正常工作,因为即使我有“authentication-failure-url =”,您似乎在 failureHandler bean 中也需要“p:defaultFailureUrl” /login?authfailed"" 在表单登录中
<bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:useForward="true"
p:defaultFailureUrl="/login"/>
之后我不得不为 /login 添加另一个函数,因为 p:defaultFailureUrl="/login?authFailed" 只会将它作为 /login 发送,并且浏览器上的链接保持为 "/j_spring_security_check" 我不能'不明白为什么。
@RequestMapping(value = "/login", method = RequestMethod.POST)
public String loginFail(@ModelAttribute("user") User u, @RequestParam(required = false) String authfailed, RedirectAttributes redirectAttrs)
redirectAttrs.addFlashAttribute("user", u);
redirectAttrs.addFlashAttribute("error", "Invalid username or password, try again !");
return "redirect:/login";
【问题讨论】:
【参考方案1】:您应该使用 AuthenticationFailureHandler。出于您的目的,声明 Spring SimpleUrlAuthenticationFailureHandler 类的 bean 并指定将请求转发到目标 URL 而不是配置中的默认重定向行为就足够了。这样,您的登录控制器将可以访问包括用户名在内的原始请求。
文档:http://docs.spring.io/autorepo/docs/spring-security/3.2.1.RELEASE/apidocs/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandler.html
来源:https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandler.java
<bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:useForward="true"
/>
然后在您的表单登录规范中:
<security:form-login
...
authentication-failure-handler-ref="failureHandler"
...
/>
【讨论】:
【参考方案2】:这是错误的方法。登录页面控制器仅用于查看此页面。对于检查凭证,您需要创建服务,例如:
@Service("adminDetailsServiceImpl")
public class AdminDetailsServiceImpl implements UserDetailsService
@Autowired
private SepAdminDao adminDao;
@Override
public UserDetails loadUserByUsername(String login)
SepAdmin admin;
if (StringUtils.isBlank(login))
throw new UsernameNotFoundException("Admin not found!");
admin = adminDao.findByEmail(login);
return new org.springframework.security.core.userdetails.User(
admin.getEmail(),
admin.getPassword(),
getGrantedAuthorities(admin.getRole().getPermissionNames()));
private static List<GrantedAuthority> getGrantedAuthorities(String[] roles)
List<GrantedAuthority> authorities = new ArrayList<>();
for (String role : roles)
authorities.add(new SimpleGrantedAuthority(role));
return authorities;
用 spring 分配这个服务(例如我查看我的简单安全配置):
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<beans:property name="hierarchy">
<beans:value>
<!--Admin-->
PERM_ROOT > PERM_CREATE_ADMINS
PERM_CREATE_ADMINS > PERM_DELETE_ADMINS
PERM_DELETE_ADMINS > PERM_EDIT_ADMINS
PERM_EDIT_ADMINS > PERM_VIEW_ADMINS
<!--Role-->
PERM_ROOT > PERM_CREATE_ROLES
PERM_CREATE_ROLES > PERM_DELETE_ROLES
PERM_DELETE_ROLES > PERM_EDIT_ROLES
PERM_EDIT_ROLES > PERM_VIEW_ROLES
</beans:value>
</beans:property>
</beans:bean>
<beans:bean id="expressionHandler"
class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
<beans:property name="roleHierarchy" ref="roleHierarchy"/>
</beans:bean>
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<beans:property name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
<beans:property name="expressionHandler" ref="expressionHandler"/>
</beans:bean>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
<beans:constructor-arg ref="roleHierarchy"/>
</beans:bean>
<beans:bean id="passwordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg value="10"/>
</beans:bean>
<http pattern="/resources/js/vendor/language" security="none"/>
<http pattern="/favicon.ico" security="none"/>
<http auto-config="true" use-expressions="true" access-denied-page="/403"
access-decision-manager-ref="accessDecisionManager">
<intercept-url pattern="/login" access="permitAll"/>
<!--Admin-->
<intercept-url pattern="/dashboard" access="hasRole('PERM_ROOT')"/>
<intercept-url pattern="/admin/create_admin" access="hasRole('PERM_CREATE_ADMINS')"/>
<intercept-url pattern="/admin/users/*/edit_admin" access="hasRole('PERM_EDIT_ADMINS')"/>
<intercept-url pattern="/admin/users/*/view_admin" access="hasRole('PERM_VIEW_ADMINS')"/>
<intercept-url pattern="/admin/users/*/delete_admin" access="hasRole('PERM_DELETE_ADMINS')"/>
<!--Role-->
<intercept-url pattern="/role/create_role" access="hasRole('PERM_CREATE_ROLES')"/>
<intercept-url pattern="/role/*/edit_role" access="hasRole('PERM_EDIT_ROLES')"/>
<intercept-url pattern="/role/*/view_role" access="hasRole('PERM_VIEW_ROLES')"/>
<intercept-url pattern="/role/*/delete_role" access="hasRole('PERM_DELETE_ROLES')"/>
<!--Route-->
<form-login username-parameter="email"
password-parameter="password"
login-page="/login" default-target-url="/" authentication-failure-url="/login?failed"/>
<logout logout-url="/logout" logout-success-url="/login"/>
</http>
<authentication-manager alias="authManager">
<authentication-provider user-service-ref="adminDetailsServiceImpl">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
</beans:beans>
然后当用户提交登录表单时,我们重定向到 /j_spring_security_check 使用我们的服务的地方,如果我们有登录异常,我们可以在登录 jsp 页面检查它:
<!-- spring_exception -->
<c:if test="$not empty SPRING_SECURITY_LAST_EXCEPTION">
<p class="alert alert-danger alert-dismissable">
<spring:message code="Error.Msg.Login"/>
</p>
<br/>
</c:if>
如果成功,我们将重定向到默认目标 url,在我的例子中 - 到 root。
<form-login username-parameter="email"
password-parameter="password"
login-page="/login" default-target-url="/" authentication-failure-url="/login?failed"/>
这就是为什么浏览器上的链接保持为“/j_spring_security_check”的原因。
【讨论】:
以上是关于@ModelAttribute 不适用于 Spring Security的主要内容,如果未能解决你的问题,请参考以下文章
@ModelAttribute 使用 thymeleaf 返回空值
春天:@ModelAttribute VS @RequestBody
@RequestParam@RequestBody和@ModelAttribute区别