upgrade to Spring-Security 4.X後的登入問題
阿新 • • 發佈:2018-12-25
升級到4.2.3後,登入出現
HTTP Status 403 - Could not verify the provided CSRF token because your session was not found
`<sec:http>` 裡面需要增加:
配置檔案:
<sec:headers>
  <sec:frame-options disabled="true"/>
  <sec:content-type-options disabled="true"/>
  <sec:cache-control disabled="true"/>
  <sec:xss-protection disabled="true"/>
</sec:headers>
<sec:session-management session-authentication-strategy-ref="sas" />
<sec:csrf disabled="true" />
<!--session認證成功後的session策略 -->
<bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
  <property name="migrateSessionAttributes" value="true"/>
  <!-- <property name="retainedAttributes"> <list> <value>SPRING_SECURITY_SAVED_REQUEST</value> <value>docUser</value> </list> </property> -->
</bean>
sec:form-login裡面的:
<!-- Spring Security 4.x changed the default form-login parameter names to "username"/"password"
     (and the default processing URL to "/login"). The explicit attributes below keep the 3.x
     names (j_username / j_password / j_security_check) so the existing login.jsp keeps
     working; without them the login fails with "Empty Username". -->
<sec:form-login login-page="/login.jsp"
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_security_check"
default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true"/>
<!-- HTTP Basic sends credentials with every request; only meaningful over HTTPS. -->
<sec:http-basic />
原來 3.x 的時候,沒有
username-parameter="j_username" password-parameter="j_password"
如果不增加的話,會報
org.springframework.security.authentication.BadCredentialsException: Empty Username
完整的配置檔案:
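<sec:http auto-config="false" servlet-api-provision="true" use-expressions="true" >
  <!-- Public URLs. "/log*" is a prefix match: it covers /login.jsp and /logout.jsp, but also
       any other path that starts with "log" — narrow the pattern if such paths exist. -->
  <sec:intercept-url pattern="/log*" access="permitAll" />
  <sec:intercept-url pattern="/css/**" access="permitAll" />
  <!-- URLs that require authentication -->
  <!-- NOTE(review): while the catch-all rule below stays commented out, no URL in this
       <sec:http> block is subject to an authorization decision; confirm that is intended
       before this configuration is deployed. -->
  <!-- <sec:intercept-url pattern="/**" access="isAuthenticated()" /> -->
  <!-- 4.x changed the default form-login parameter names ("username"/"password") and
       processing URL ("/login"). The explicit attributes keep the 3.x names
       (j_username / j_password / j_security_check) so the existing login.jsp still works;
       without them the login fails with "Empty Username". -->
  <!-- Fix: the original had no whitespace between default-target-url and
       authentication-failure-url, which is not well-formed XML. -->
  <sec:form-login login-page="/login.jsp"
                  username-parameter="j_username"
                  password-parameter="j_password"
                  login-processing-url="/j_security_check"
                  default-target-url="/index.jsp"
                  authentication-failure-url="/login.jsp?error=true"/>
  <!-- HTTP Basic sends credentials with every request; only meaningful over HTTPS. -->
  <sec:http-basic />
  <sec:logout logout-success-url="/logout.jsp" />
  <!-- No "key" attribute is set; a key is then generated at startup, so remember-me tokens
       are expected not to survive a restart — set a fixed key if that matters
       (TODO confirm against the 4.2.x reference for <remember-me>). -->
  <sec:remember-me />
  <!-- Filters. PRE_AUTH_FILTER trusts an identity established outside Spring Security
       (here: the servlet container); make sure the container actually authenticates. -->
  <sec:custom-filter ref="jeePreAuthenticatedFilter" position="PRE_AUTH_FILTER" />
  <!-- Each "disabled" below removes a default 4.x response header (X-Frame-Options,
       X-Content-Type-Options, Cache-Control/Pragma/Expires, X-XSS-Protection). These are
       unrelated to the CSRF 403; disable only the ones a concrete page is known to break on. -->
  <sec:headers>
    <sec:frame-options disabled="true"/>
    <sec:content-type-options disabled="true"/>
    <sec:cache-control disabled="true"/>
    <sec:xss-protection disabled="true"/>
  </sec:headers>
  <sec:session-management session-authentication-strategy-ref="sas" />
  <!-- Workaround: turning CSRF off removes the protection for every state-changing request.
       The "Could not verify the provided CSRF token because your session was not found" 403
       means the POST reached the server without a session to validate the token against;
       the migration guide's approach is to keep CSRF enabled and submit the token from
       login.jsp as a hidden field (${_csrf.parameterName} / ${_csrf.token}). -->
  <sec:csrf disabled="true" />
</sec:http>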
<!-- Session strategy applied after successful authentication (referenced from
     <sec:session-management session-authentication-strategy-ref="sas">).
     SessionFixationProtectionStrategy issues a fresh session on login; with
     migrateSessionAttributes="true" the attributes of the old session are copied into the
     new one rather than dropped. -->
<bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<property name="migrateSessionAttributes" value="true"/>
</bean>
具體參考:
http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html#m3to4-xmlnamespace-form-login