I have a Spring MVC web app (v5.1.2), and I'm developing a REST API with Basic authentication. Now I need a few pages with forms for uploading large files, and I want a login form for access to these pages.
I'm using the standard Spring login form and have configured my application with this configuration file:
    import javax.sql.DataSource;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.crypto.password.PasswordEncoder;

    // @Configuration and @EnableWebSecurity are not shown in the question as posted;
    // they are assumed here because the adapter is only picked up when they are present.
    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        private PasswordEncoder passwordEncoder;
        @Autowired
        @Qualifier("customUserDetailsService")
        UserDetailsService userDetailsService;
        @Autowired
        DataSource dataSource;

        // Registers the shared (global) AuthenticationManager used by both httpBasic and formLogin.
        @Autowired
        public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService);
            auth.authenticationProvider(authenticationProvider());
        }

        @Bean
        public DaoAuthenticationProvider authenticationProvider() {
            DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
            authenticationProvider.setUserDetailsService(userDetailsService);
            authenticationProvider.setPasswordEncoder(passwordEncoder);
            return authenticationProvider;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Single filter chain: Basic auth for /api/** with a STATELESS session policy ...
            http.csrf().disable()
                .authorizeRequests()
                //.antMatchers("login.html","**").permitAll()
                .antMatchers("/api/**").hasRole("ADMIN")
                //.antMatchers("/api/**").authenticated()
                .and().httpBasic().realmName(CustomBasicAuthenticationEntryPoint.REALM).authenticationEntryPoint(getBasicAuthEntryPoint())
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
            // ... plus form login for everything else on the same HttpSecurity.
            http.authorizeRequests().antMatchers("login*").permitAll().anyRequest().authenticated().and()
                .formLogin().defaultSuccessUrl("/home.html",true).failureUrl("/login?login_error=1")/*.loginPage("/login.html").loginProcessingUrl("/login").defaultSuccessUrl("/hello.html",true).failureForwardUrl("/login.html")
                .usernameParameter("username").passwordParameter("password")*/;
        }

        // CustomBasicAuthenticationEntryPoint is the poster's own class (not shown in the question).
        @Bean
        public CustomBasicAuthenticationEntryPoint getBasicAuthEntryPoint(){
            return new CustomBasicAuthenticationEntryPoint();
        }
    }
If the login fails, I see the Bad Credentials message and a URL with the query parameter, and on a correct login I see in the Chrome console that it goes to home.html, but then with a 302 redirect it goes to /login again. So... after a successful login it asks for the login again.
Where is my mistake??
Thanks!
EDIT:
Here are my debug logs:
(CompositeSessionAuthenticationStrategy.java:87) - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@140bfb00
(AbstractAuthenticationProcessingFilter.java:312) - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d823b1ed: Principal: org.springframework.security.core.userdetails.User@677d9ddb: Username: bar@foo.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B2A4A0CE1260CE33BB9663E7C4F4D0A2; Granted Authorities: ROLE_ADMIN
(DefaultRedirectStrategy.java:54) - Redirecting to '/home.html'
(HstsHeaderWriter.java:129) - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@682780f8
(HttpSessionSecurityContextRepository.java:380) - SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@d823b1ed: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d823b1ed: Principal: org.springframework.security.core.userdetails.User@677d9ddb: Username: bar@foo.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B2A4A0CE1260CE33BB9663E7C4F4D0A2; Granted Authorities: ROLE_ADMIN' stored to HttpSession: 'org.apache.catalina.session.StandardSessionFacade@2b36c88f
(SecurityContextPersistenceFilter.java:119) - SecurityContextHolder now cleared, as request processing completed
(FilterChainProxy.java:328) - /home.html at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
(FilterChainProxy.java:328) - /home.html at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
(HttpSessionSecurityContextRepository.java:210) - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@d823b1ed: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d823b1ed: Principal: org.springframework.security.core.userdetails.User@677d9ddb: Username: bar@foo.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B2A4A0CE1260CE33BB9663E7C4F4D0A2; Granted Authorities: ROLE_ADMIN'
(FilterChainProxy.java:328) - /home.html at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
(FilterChainProxy.java:328) - /home.html at position 4 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', GET]
(AntPathRequestMatcher.java:176) - Checking match of request : '/home.html'; against '/logout'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', POST]
(AntPathRequestMatcher.java:156) - Request 'GET /home.html' doesn't match 'POST /logout'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', PUT]
(AntPathRequestMatcher.java:156) - Request 'GET /home.html' doesn't match 'PUT /logout'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', DELETE]
(AntPathRequestMatcher.java:156) - Request 'GET /home.html' doesn't match 'DELETE /logout'
(OrRequestMatcher.java:72) - No matches found
(FilterChainProxy.java:328) - /home.html at position 5 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
(AntPathRequestMatcher.java:156) - Request 'GET /home.html' doesn't match 'POST /login'
(FilterChainProxy.java:328) - /home.html at position 6 of 14 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
(FilterChainProxy.java:328) - /home.html at position 7 of 14 in additional filter chain; firing Filter: 'DefaultLogoutPageGeneratingFilter'
(AntPathRequestMatcher.java:176) - Checking match of request : '/home.html'; against '/logout'
(FilterChainProxy.java:328) - /home.html at position 8 of 14 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
(FilterChainProxy.java:328) - /home.html at position 9 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
(HttpSessionRequestCache.java:95) - saved request doesn't match
(FilterChainProxy.java:328) - /home.html at position 10 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
(FilterChainProxy.java:328) - /home.html at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
(AnonymousAuthenticationFilter.java:106) - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d823b1ed: Principal: org.springframework.security.core.userdetails.User@677d9ddb: Username: bar@foo.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B2A4A0CE1260CE33BB9663E7C4F4D0A2; Granted Authorities: ROLE_ADMIN'
(FilterChainProxy.java:328) - /home.html at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
(FilterChainProxy.java:328) - /home.html at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
(FilterChainProxy.java:328) - /home.html at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
(AntPathRequestMatcher.java:176) - Checking match of request : '/home.html'; against '/api/**'
(AntPathRequestMatcher.java:176) - Checking match of request : '/home.html'; against 'login*'
(AbstractSecurityInterceptor.java:219) - Secure object: FilterInvocation: URL: /home.html; Attributes: [authenticated]
(AbstractSecurityInterceptor.java:348) - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d823b1ed: Principal: org.springframework.security.core.userdetails.User@677d9ddb: Username: bar@foo.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B2A4A0CE1260CE33BB9663E7C4F4D0A2; Granted Authorities: ROLE_ADMIN
(AffirmativeBased.java:66) - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@4098e795, returned: 1
(AbstractSecurityInterceptor.java:243) - Authorization successful
(AbstractSecurityInterceptor.java:256) - RunAsManager did not change Authentication object
(FilterChainProxy.java:313) - /home.html reached end of additional filter chain; proceeding with original chain
(HstsHeaderWriter.java:129) - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@682780f8
(ExceptionTranslationFilter.java:121) - Chain processed normally
(SecurityContextPersistenceFilter.java:119) - SecurityContextHolder now cleared, as request processing completed
(FilterChainProxy.java:328) - /login at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
(FilterChainProxy.java:328) - /login at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
(HttpSessionSecurityContextRepository.java:210) - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@d823b1ed: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@d823b1ed: Principal: org.springframework.security.core.userdetails.User@677d9ddb: Username: bar@foo.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B2A4A0CE1260CE33BB9663E7C4F4D0A2; Granted Authorities: ROLE_ADMIN'
(FilterChainProxy.java:328) - /login at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
(FilterChainProxy.java:328) - /login at position 4 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', GET]
(AntPathRequestMatcher.java:176) - Checking match of request : '/login'; against '/logout'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', POST]
(AntPathRequestMatcher.java:156) - Request 'GET /login' doesn't match 'POST /logout'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', PUT]
(AntPathRequestMatcher.java:156) - Request 'GET /login' doesn't match 'PUT /logout'
(OrRequestMatcher.java:65) - Trying to match using Ant [pattern='/logout', DELETE]
(AntPathRequestMatcher.java:156) - Request 'GET /login' doesn't match 'DELETE /logout'
(OrRequestMatcher.java:72) - No matches found
(FilterChainProxy.java:328) - /login at position 5 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
(AntPathRequestMatcher.java:156) - Request 'GET /login' doesn't match 'POST /login'
(FilterChainProxy.java:328) - /login at position 6 of 14 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
(HstsHeaderWriter.java:129) - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@682780f8
(SecurityContextPersistenceFilter.java:119) - SecurityContextHolder now cleared, as request processing completed
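The configuration above puts a stateless Basic-auth API and a session-backed form login on one HttpSecurity, with CSRF disabled for both. The usual way to keep the two from interfering is two ordered WebSecurityConfigurerAdapter classes, one scoped to /api/** and one for everything else; the example below is added here and is not the poster's code. It assumes the AuthenticationManager wiring from the question (PasswordEncoder, UserDetailsService, DaoAuthenticationProvider, the global AuthenticationManagerBuilder) stays in the project unchanged and is shared by both chains, and the realm name is a placeholder.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Chain 1 (evaluated first): only requests under /api/** ever reach it.
// Stateless HTTP Basic, no session is created or used, so disabling CSRF here
// does not weaken browser-facing pages.
@Configuration
@EnableWebSecurity
@Order(1)
class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**")                   // scopes this whole chain
            .csrf().disable()
            .authorizeRequests()
                .anyRequest().hasRole("ADMIN")
            .and().httpBasic()
                .realmName("api")                    // placeholder realm name
            .and().sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}

// Chain 2 (default order): the upload pages and the login form. The session is
// needed here so the SecurityContext survives the redirect after login; CSRF
// stays enabled, and the generated login page already includes the _csrf token.
// Note the leading slash: an Ant pattern like "login*" does not match "/login".
@Configuration
@Order(2)
class WebPagesSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login*").permitAll()
                .anyRequest().authenticated()
            .and().formLogin()
                .defaultSuccessUrl("/home.html", true)
                .failureUrl("/login?login_error=1")
            .and().sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
    }
}
```

Any hand-written upload form served by chain 2 must post the CSRF token (for example a hidden `_csrf` field) or the request is rejected with 403.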