问题:
Spring Security重定向到登录页面成功后,通过授予访问被拒绝异常
吴安和
面对奇怪的问题:应用程序在HTTP上运行良好,但一旦我们添加SLL证书,就会再次重定向到登录页面:下面是spring-security.xml的代码片段
<security:http auto-config="false" use-expressions="true" access-denied-page="/pages/denied.rs" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true">
<security:intercept-url pattern="/pages/doLogin.rs" requires-channel="any" access="hasAnyRole('ROLE_SYSTEM_ADMINISTRATOR', 'ROLE_KEY_ACCOUNT_MANAGER', 'ROLE_A', 'ROLE_B'" />
<security:intercept-url pattern="/**" requires-channel="any" access="hasAnyRole('ROLE_SYSTEM_ADMINISTRATOR', 'ROLE_KEY_ACCOUNT_MANAGER', 'ROLE_A', 'ROLE_B')"/>
<security:logout invalidate-session="true" logout-success-url="/pages/login.rs"/>
<security:custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="applicationRequestFilter" />
<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
<security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
<security:session-management session-authentication-strategy-ref="sas" invalid-session-url="/pages/sessiontimeout.rs"/>
</security:http>
<bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthenticationManager"
p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />
<bean id="customAuthenticationSuccessHandler"
class="com.mycomapny.CustomAuthenticationSuccessHandler"
p:defaultTargetUrl="/pages/doLogin.rs" />
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/pages/login.rs" />
我已经在JBOSS中独立添加了SSL证书。xml格式如下:
<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="8443"/>
<connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
<ssl name="selfsigned" password="password" certificate-key-file="D:\keystore.jks" protocol="TLSv1" verify-client="false"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="127.0.0.1"/>
<alias name="example.com"/>
</virtual-server>
<configuration>
<jsp-configuration development="true"/>
</configuration>
</subsystem>
当我尝试使用 HTTPS URL(如 https://mydomain.com:8443/mywebapp/login.rs ) 访问我的应用程序时,它会显示用户名密码页。
输入有效凭据后,它会转到身份验证管理器,在重定向到成功处理程序URL /doLogin.rs 之前,它会给出以下异常并再次重定向到登录页面:
15:31:57,674 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] () Checking match of request : '/pages/dologin.
rs'; against '/pages/dologin.rs'
15:31:57,675 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] () Secure object: FilterInvocat
ion: URL: /pages/doLogin.rs; Attributes: [hasAnyRole('ROLE_SYSTEM_ADMINISTRATOR', 'ROLE_KEY_ACCOUNT_MANAGER', 'ROLE_A', 'ROLE_B')]
15:31:57,675 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] () Previously Authenticated: or
g.springframework.security.authentication.AnonymousAuthenticationToken@90579aae: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: tr
ue; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2eb76: RemoteIpAddress: my machine ip address; SessionId: MdlIOjDwbSdN+e9r0-
6CEkxJ; Granted Authorities: ROLE_ANONYMOUS
15:31:57,690 DEBUG [org.springframework.security.access.vote.AffirmativeBased] () Voter: org.springframework.security.web.access
.expression.WebExpressionVoter@1d80d50, returned: -1
15:31:57,691 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] () Returning cached instance of single
ton bean 'org.springframework.context.annotation.internalScheduledAnnotationProcessor'
15:31:57,692 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] () Returning cached instance of single
ton bean 'org.springframework.scheduling.config.ContextLifecycleScheduledTaskRegistrar#0'
15:31:57,693 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] () Returning cached instance of single
ton bean 'sessionRegistry'
15:31:57,693 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] () Access is denied (user is anonymous);
redirecting to authentication entry point: org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) [spring-security-core-3.1.4.RELEASE.jar:3.1.4.RE
LEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206) [spring-se
curity-core-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115) [spring-security-web
-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) [spring-security-we
b-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) [spring-security-web-3.1.4
.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) [spring-security-web-3.1.4.RELE
ASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) [spring-secu
rity-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:5
4) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) [spring-security-web-3.1.4.
RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java
:183) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) [spring-security-web-3.1.4.RELEASE.jar:
3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125) [spring-security-web-3.1.4.RELE
ASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-securi
ty-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144) [spring-security-web-3.1
.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.
RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69) [spring-security-config-3.1.4.RELEASE.j
ar:3.1.4.RELEASE]
at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58) [spring-security-config-3.1.4.RELEASE.jar:3.1.4.RELEASE
]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-3.2.3.RELEASE.jar:3.2.3.REL
EASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) [spring-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.
Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-re
dhat-1]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) [spring-web-3.2.3.RELEASE.jar:3.2.
3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.
Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-re
dhat-1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1
]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1
]
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.0.Final-redhat-8.jar:7.2.0.Final
-redhat-8]
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.0.Final-redhat-8.jar:7.2.0.Final
-redhat-8]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat
-8.jar:7.2.0.Final-redhat-8]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.F
inal-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at java.lang.Thread.run(Thread.java:619) [rt.jar:1.6.0_13]
我们使用 cookie 标头作为响应, 作为唯一的;安全
我尝试添加requires channel=“https”,但也没有成功。
共有3个答案
阎宾实
如果您在lib中添加了(log back-classic/log back-classic)jar文件,就会出现此错误。例如:ch . QoS . log back log back-classic $ { log back . version }
如果您已映射它或其依赖项 jar,请将其删除以解决“组织.springframework.security.access.Access.Access消除例外:访问被拒绝”
阴阳
问题解决了:为了避免安全缺陷,我在回复中手动设置了下面的标题...由于这一点,我得到了拒绝访问异常。
我删除了下面的代码并在apache lavel中添加,它运行良好。
String sessionid = request.getSession(true).getId();
resp.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
+ "; Secure; HttpOnly");
resp.setHeader("Expires", "Tue, 14 May 1985 00:00:00 GMT");
resp.setHeader("Last-Modified", new Date().toString());
resp.setHeader(
"Cache-Control",
"no-store, no-cache, no-store, must-revalidate, max-age=0, post-check=0, pre-check=0");
resp.setHeader("Pragma", "no-cache");
resp.addHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
resp.addHeader("strict-transport-security", "max-age=631138519");
resp.addHeader("x-xss-protection", "1; mode=block");
谢旻
如果您不想显示此登录表单,请删除以下maven依赖项:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
希望这能帮助某人。
类似资料:
-
记录器文件中的日志- org.springframework.Security.Access.event.loggerlistener-安全授权失败,原因是:org.springframework.Security.Access.accessdeniedexception:访问被拒绝;通过身份验证的主体:org.springframework.security.authentication.ano
-
我在模态窗口中有登录表单。成功登录后,用户被重定向到< code>/页面。我正试图找到一种方法,在登录后留在联系页面或另一个页面。如何做到这一点?我的代码是:
-
下面是我的app.js代码,Login.js登录页面位于http://localhost:3000/Login,所以如果用户成功登录,我如何将用户重定向到http://localhost:3000/home page,它加载了“homeComponent.jsx”。为了简洁起见,我省略了“homeComponent.jsx”的代码
-
问题内容: 我知道之前曾有人问过这个问题,但是我在这里面临一个特殊的问题。 我使用Spring Security 3.1.3。 我的Web应用程序中有3种可能的登录案例: 通过登录页面登录:确定。 通过受限页面登录:也可以。 通过非受限页面登录:不好,…每个人都可以访问“产品”页面,并且用户可以在登录后发表评论。因此,同一页面中包含一个登录表单,以允许用户进行连接。 情况3)的问题是我无法设法将用
-
我知道这个问题以前有人问过,但我现在面临一个特殊的问题。 我使用spring security 3.1.3。 我的web应用程序中有3种可能的登录情况: 通过登录页登录:确定。 通过受限页面登录:也可以。 通过非受限页面登录:不确定...每个人都可以访问“产品”页面,如果用户已经登录,他可以发表评论。因此登录表单包含在同一页面中,以便允许用户进行连接。 案例3)的问题是,我无法将用户重定向到“产品
-
我正在我是身份提供者的地方实施SSO,现在我能够成功登录到服务提供者。但它把我带到了主页。我想在发布响应时指定着陆页URL。搜索了很多,但找不到任何令人信服的东西。不太知道SAML响应的哪个元素携带着陆页URL或采用我必须指定的形式。使用java和opensaml库生成响应。