Spring Security 不允许用户登录,它不显示任何错误

Posted

技术标签:

【中文标题】Spring Security 不允许用户登录,它不显示任何错误【英文标题】:Spring security does not allow users to sign in, it does not show any errors 【发布时间】:2016-05-25 01:22:12 【问题描述】:

一旦用户导航到登录页面,无论使用正确或错误的用户名和密码,Spring Security 都会显示以下错误消息。我查看了以下问题,但仍然有相同的错误1,2,3

 Your login attempt was not successful due to 

我正在使用BCryptPasswordEncoder,对新用户密码进行编码。

登录表单

<c:if test="$not empty SPRING_SECURITY_LAST_EXCEPTION">
            <font color="red"> Your login attempt was not successful due
                to <br />
            <br /> <c:out value="$SPRING_SECURITY_LAST_EXCEPTION.message" />.
            </font>
        </c:if>
                <c:if test="$not empty param.error">
                    Invalid username and password.
                </c:if>
                <c:if test="$not empty error">
                    <div class="error">$error</div>
                </c:if>
                <c:if test="$not empty msg">
                    <div class="msg">$msg</div>
                </c:if>
               <form id="form-login" role="form" method="post"
                        action="<c:url value='/j_spring_security_check' />"
                        class="relative form form-default">
                        <input type="hidden" name="$_csrf.parameterName"
                            value="$_csrf.token" />

my-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:oxm="http://www.springframework.org/schema/oxm" xmlns:aop="http://www.springframework.org/schema/aop"
    xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd 
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd 
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd 
http://www.springframework.org/schema/oxm http://www.springframework.org/schema/oxm/spring-oxm-3.2.xsd 
http://www.springframework.org/schema/aop 
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">

<bean id="dataSource" class="org.apache.commons.dbcp2.BasicDataSource"
        destroy-method="close">
        <property name="driverClassName" value="com.mysql.jdbc.Driver" />
        <property name="url" value="jdbc:mysql://localhost:8889/Project" />
        <property name="username" value="test1" />
        <property name="password" value="test1" />
    </bean>

    <bean id="sessionFactory"
        class="org.springframework.orm.hibernate4.LocalSessionFactoryBean"
        depends-on="dataSource">
        <property name="dataSource" ref="dataSource" />
        <property name="packagesToScan" value="com.projec.model" />
        <property name="hibernateProperties">
            <props>
                <prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
                <prop key="hibernate.format_sql">true</prop>
                <prop key="hibernate.use_sql_comments">true</prop>
                <prop key="hibernate.show_sql">true</prop>
                <prop key="hibernate.hbm2ddl.auto">update</prop>
            </props>
        </property>
    </bean>

    <bean id="transactionManager"
        class="org.springframework.orm.hibernate4.HibernateTransactionManager">
        <property name="sessionFactory" ref="sessionFactory"></property>
    </bean>

    <tx:advice id="txAdvice" transaction-manager="transactionManager">
        <tx:attributes>
            <tx:method name="get*" read-only="true" />
            <tx:method name="find*" read-only="true" />
            <tx:method name="*" />
        </tx:attributes>
    </tx:advice>

    <aop:config>
        <aop:pointcut id="userServicePointCut"
            expression="execution(* com.project.service.*Service.*(..))" />
        <aop:advisor advice-ref="txAdvice" pointcut-ref="userServicePointCut" />
    </aop:config>

spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">



    <beans:import resource='login-service.xml' />
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/member**" access="hasRole('ROLE_MEMBER')" />
        <intercept-url pattern="/signin" access="permitAll" />


        <access-denied-handler error-page="/403" />
        <form-login login-page="/signin" default-target-url="/index"
            authentication-failure-url="/signin?error" username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/login?logout" />
        <!-- enable csrf protection -->
        <csrf />
    </http>
    <authentication-manager>
        <authentication-provider user-service-ref="myMemberDetailsService">
            <password-encoder hash="bcrypt" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>

MyMemberDetailsS​​ervice

@Service
public class MyMemberDetailsService implements UserDetailsService 

    private MemberRepository memberRep;

    @Override
    public UserDetails loadUserByUsername(final String username)
            throws UsernameNotFoundException 
        Member member = memberRep.findByUserName(username);
        HashSet<String> roles = new HashSet<String>();
        roles.add("ROLE_MEMBER");
        List<GrantedAuthority> authorities = buildUserAuthority(roles);
        return buildUserForAuthentication(member, authorities);

    

    private User buildUserForAuthentication(Member member,
            List<GrantedAuthority> authorities) 
        return new User(member.getUsername(), member.getPassword(),
                member.isEnabled(), true, true, true, authorities);
    

    private List<GrantedAuthority> buildUserAuthority(Set<String> userRoles) 

        Set<GrantedAuthority> setAuths = new HashSet<GrantedAuthority>();

        for (String userRole : userRoles) 
            setAuths.add(new SimpleGrantedAuthority(userRole));
        

        List<GrantedAuthority> Result = new ArrayList<GrantedAuthority>(
                setAuths);

        return Result;
    


春季版

    <spring.security.version>3.2.3.RELEASE</spring.security.version>
    <spring.version>3.2.8.RELEASE</spring.version>

【问题讨论】:

看起来您正在使用 UserDetailsS​​ervice 的自定义实现。能否提供 MemberDetailsS​​ervice 的代码? @greyfox 我刚刚包含了 UserDetailsS​​ervice,谢谢 假设您使用的是 spring-security 3.2.x - 默认的 form-action url 应该是 /login(而不是 j_spring_security_check @fateddy 当我使用 /login 时,它会重定向到 /login 并显示 404 错误。 您正在使用 /j_spring_security_check 发布您的登录表单。尝试使用您的自定义登录 (/sigin) 页面。 【参考方案1】:

您使用

配置了登录页面
<form-login login-page="/signin" default-target-url="/index"
 authentication-failure-url="/signin?error" username-parameter="username"
 password-parameter="password" />

但您的表单发布操作是:&lt;c:url value='/j_spring_security_check' /&gt; 它应该喜欢关注

<form method="POST" action="@/signin" role="form">
    <label for="username">Username</label>
    <input type="text" id="username" name="username"/>        
    <label for="password">Password</label>
    <input type="password" id="password" name="password"/>    
    <div class="form-actions">
        <button type="submit" class="btn">Log in</button>
    </div>
</form>

查看Custom login using spring-security的详细信息

【讨论】:

你添加了两次 method="post"。

以上是关于Spring Security 不允许用户登录,它不显示任何错误的主要内容,如果未能解决你的问题,请参考以下文章

Spring Security 多个登录用户失败

Spring security自定义登录页面不允许我进入[关闭]

Spring-Security权限管理框架——根据角色权限登录

Spring Security 不允许资源,登录浏览器后只显示一个 css 文件?

Spring Security 5 OAuth 2 社交注销

Spring security - 允许导航但保护某些页面