Spring Security 不允许用户登录,它不显示任何错误
Posted
技术标签:
【中文标题】Spring Security 不允许用户登录,它不显示任何错误【英文标题】:Spring security does not allow users to sign in, it does not show any errors 【发布时间】:2016-05-25 01:22:12 【问题描述】:一旦用户导航到登录页面,无论使用正确或错误的用户名和密码,Spring Security 都会显示以下错误消息。我查看了以下问题,但仍然有相同的错误1,2,3
Your login attempt was not successful due to
我正在使用BCryptPasswordEncoder
,对新用户密码进行编码。
登录表单
<c:if test="$not empty SPRING_SECURITY_LAST_EXCEPTION">
<font color="red"> Your login attempt was not successful due
to <br />
<br /> <c:out value="$SPRING_SECURITY_LAST_EXCEPTION.message" />.
</font>
</c:if>
<c:if test="$not empty param.error">
Invalid username and password.
</c:if>
<c:if test="$not empty error">
<div class="error">$error</div>
</c:if>
<c:if test="$not empty msg">
<div class="msg">$msg</div>
</c:if>
<form id="form-login" role="form" method="post"
action="<c:url value='/j_spring_security_check' />"
class="relative form form-default">
<input type="hidden" name="$_csrf.parameterName"
value="$_csrf.token" />
my-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:oxm="http://www.springframework.org/schema/oxm" xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd
http://www.springframework.org/schema/oxm http://www.springframework.org/schema/oxm/spring-oxm-3.2.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
<bean id="dataSource" class="org.apache.commons.dbcp2.BasicDataSource"
destroy-method="close">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://localhost:8889/Project" />
<property name="username" value="test1" />
<property name="password" value="test1" />
</bean>
<bean id="sessionFactory"
class="org.springframework.orm.hibernate4.LocalSessionFactoryBean"
depends-on="dataSource">
<property name="dataSource" ref="dataSource" />
<property name="packagesToScan" value="com.projec.model" />
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
<prop key="hibernate.format_sql">true</prop>
<prop key="hibernate.use_sql_comments">true</prop>
<prop key="hibernate.show_sql">true</prop>
<prop key="hibernate.hbm2ddl.auto">update</prop>
</props>
</property>
</bean>
<bean id="transactionManager"
class="org.springframework.orm.hibernate4.HibernateTransactionManager">
<property name="sessionFactory" ref="sessionFactory"></property>
</bean>
<tx:advice id="txAdvice" transaction-manager="transactionManager">
<tx:attributes>
<tx:method name="get*" read-only="true" />
<tx:method name="find*" read-only="true" />
<tx:method name="*" />
</tx:attributes>
</tx:advice>
<aop:config>
<aop:pointcut id="userServicePointCut"
expression="execution(* com.project.service.*Service.*(..))" />
<aop:advisor advice-ref="txAdvice" pointcut-ref="userServicePointCut" />
</aop:config>
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<beans:import resource='login-service.xml' />
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/member**" access="hasRole('ROLE_MEMBER')" />
<intercept-url pattern="/signin" access="permitAll" />
<access-denied-handler error-page="/403" />
<form-login login-page="/signin" default-target-url="/index"
authentication-failure-url="/signin?error" username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider user-service-ref="myMemberDetailsService">
<password-encoder hash="bcrypt" />
</authentication-provider>
</authentication-manager>
</beans:beans>
MyMemberDetailsService
@Service
public class MyMemberDetailsService implements UserDetailsService
private MemberRepository memberRep;
@Override
public UserDetails loadUserByUsername(final String username)
throws UsernameNotFoundException
Member member = memberRep.findByUserName(username);
HashSet<String> roles = new HashSet<String>();
roles.add("ROLE_MEMBER");
List<GrantedAuthority> authorities = buildUserAuthority(roles);
return buildUserForAuthentication(member, authorities);
private User buildUserForAuthentication(Member member,
List<GrantedAuthority> authorities)
return new User(member.getUsername(), member.getPassword(),
member.isEnabled(), true, true, true, authorities);
private List<GrantedAuthority> buildUserAuthority(Set<String> userRoles)
Set<GrantedAuthority> setAuths = new HashSet<GrantedAuthority>();
for (String userRole : userRoles)
setAuths.add(new SimpleGrantedAuthority(userRole));
List<GrantedAuthority> Result = new ArrayList<GrantedAuthority>(
setAuths);
return Result;
春季版
<spring.security.version>3.2.3.RELEASE</spring.security.version>
<spring.version>3.2.8.RELEASE</spring.version>
【问题讨论】:
看起来您正在使用 UserDetailsService 的自定义实现。能否提供 MemberDetailsService 的代码? @greyfox 我刚刚包含了 UserDetailsService,谢谢 假设您使用的是 spring-security 3.2.x - 默认的 form-action url 应该是/login
(而不是 j_spring_security_check
)
@fateddy 当我使用 /login 时,它会重定向到 /login 并显示 404 错误。
您正在使用 /j_spring_security_check 发布您的登录表单。尝试使用您的自定义登录 (/sigin) 页面。
【参考方案1】:
您使用
配置了登录页面<form-login login-page="/signin" default-target-url="/index"
authentication-failure-url="/signin?error" username-parameter="username"
password-parameter="password" />
但您的表单发布操作是:<c:url value='/j_spring_security_check' />
它应该喜欢关注
<form method="POST" action="@/signin" role="form">
<label for="username">Username</label>
<input type="text" id="username" name="username"/>
<label for="password">Password</label>
<input type="password" id="password" name="password"/>
<div class="form-actions">
<button type="submit" class="btn">Log in</button>
</div>
</form>
查看Custom login using spring-security
的详细信息
【讨论】:
你添加了两次 method="post"。以上是关于Spring Security 不允许用户登录,它不显示任何错误的主要内容,如果未能解决你的问题,请参考以下文章
Spring security自定义登录页面不允许我进入[关闭]
Spring-Security权限管理框架——根据角色权限登录
Spring Security 不允许资源,登录浏览器后只显示一个 css 文件?