81,094
社区成员
发帖
与我相关
我的任务
分享使用spring security 进行安全机制验证
//这是application.xml文件
<?xml version="1.0" encoding="UTF-8"?>
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http pattern="/login.jsp*" security="none"/>
<security:http auto-config="true">
<!-- login-page指定登录页面 -->
<security:form-login login-page="/login.jsp"/>
<security:intercept-url pattern="/**" access="ROLE_USER"/>
</security:http>
<!-- 配置认证管理器 -->
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="user" password="user" authorities="ROLE_USER"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
直接在地址栏里输入http://localhost:8080/springsecurity/index.jsp,能够跳转到登陆页面login.jsp,但是为什么会报错呢?错误信息
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71) ~[spring-security-core-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203) ~[spring-security-core-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114) ~[spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) ~[spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:95) ~[spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:79) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:119) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:165) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) [spring-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) [spring-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) [catalina.jar:7.0.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) [catalina.jar:7.0.11]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240) [catalina.jar:7.0.11]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164) [catalina.jar:7.0.11]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498) [catalina.jar:7.0.11]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164) [catalina.jar:7.0.11]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100) [catalina.jar:7.0.11]
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562) [catalina.jar:7.0.11]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) [catalina.jar:7.0.11]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:394) [catalina.jar:7.0.11]
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:284) [tomcat-coyote.jar:7.0.11]
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:322) [tomcat-coyote.jar:7.0.11]
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1714) [tomcat-coyote.jar:7.0.11]
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [na:1.6.0_10-rc2]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [na:1.6.0_10-rc2]
at java.lang.Thread.run(Thread.java:619) [na:1.6.0_10-rc2]
17:22:30.093 ["http-apr-8080"-exec-10] DEBUG o.s.s.w.s.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/springsecurity/index.jsp]
17:22:30.093 ["http-apr-8080"-exec-10] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Calling Authentication entry point.
17:22:30.093 ["http-apr-8080"-exec-10] DEBUG o.s.s.web.DefaultRedirectStrategy - Redirecting to 'http://localhost:8080/springsecurity/login.jsp'
17:22:30.093 ["http-apr-8080"-exec-10] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
17:22:30.093 ["http-apr-8080"-exec-10] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
17:22:30.110 ["http-apr-8080"-exec-1] DEBUG o.s.s.web.util.AntPathRequestMatcher - Checking match of request : '/login.jsp'; against '/login.jsp*'
17:22:30.110 ["http-apr-8080"-exec-1] DEBUG o.s.security.web.FilterChainProxy - /login.jsp has an empty filter list
<?xml version="1.0" encoding="UTF-8"?>
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http pattern="/login.jsp*" security="none"/>
<security:http auto-config="true">
<!-- login-page指定登录页面 -->
<security:form-login login-page="/login.jsp"/>
<security:intercept-url pattern="/**" access="ROLE_USER"/>
</security:http>
<!-- 配置认证管理器 -->
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="user" password="user" authorities="ROLE_USER"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
直接在地址栏里输入http://localhost:8080/springsecurity/index.jsp,能够跳转到登陆页面login.jsp,但是为什么会报错呢?错误信息
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71) ~[spring-security-core-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203) ~[spring-security-core-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114) ~[spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) ~[spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:95) ~[spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:79) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:119) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:165) [spring-security-web-3.1.0.RC1.jar:3.1.0.RC1]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) [spring-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) [spring-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) [catalina.jar:7.0.11]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) [catalina.jar:7.0.11]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240) [catalina.jar:7.0.11]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164) [catalina.jar:7.0.11]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498) [catalina.jar:7.0.11]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164) [catalina.jar:7.0.11]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100) [catalina.jar:7.0.11]
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562) [catalina.jar:7.0.11]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) [catalina.jar:7.0.11]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:394) [catalina.jar:7.0.11]
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:284) [tomcat-coyote.jar:7.0.11]
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:322) [tomcat-coyote.jar:7.0.11]
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1714) [tomcat-coyote.jar:7.0.11]
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [na:1.6.0_10-rc2]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [na:1.6.0_10-rc2]
at java.lang.Thread.run(Thread.java:619) [na:1.6.0_10-rc2]
17:22:30.093 ["http-apr-8080"-exec-10] DEBUG o.s.s.w.s.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/springsecurity/index.jsp]
17:22:30.093 ["http-apr-8080"-exec-10] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Calling Authentication entry point.
17:22:30.093 ["http-apr-8080"-exec-10] DEBUG o.s.s.web.DefaultRedirectStrategy - Redirecting to 'http://localhost:8080/springsecurity/login.jsp'
17:22:30.093 ["http-apr-8080"-exec-10] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
17:22:30.093 ["http-apr-8080"-exec-10] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
17:22:30.110 ["http-apr-8080"-exec-1] DEBUG o.s.s.web.util.AntPathRequestMatcher - Checking match of request : '/login.jsp'; against '/login.jsp*'
17:22:30.110 ["http-apr-8080"-exec-1] DEBUG o.s.security.web.FilterChainProxy - /login.jsp has an empty filter list
...全文
请发表友善的回复…
发表回复
小丑哥_V5 2013-10-13
- 打赏
- 举报
可以到我的博客参考下那个文章,里面有附加项目
尘缘udbwcso 2013-10-13
- 打赏
- 举报
Access is denied
没有权限访问index.jsp
JoesonChan 2013-10-13
- 打赏
- 举报
你在配置里面已经设置了
<security:intercept-url pattern="/**" access="ROLE_USER"/>
这说明对所有的/**目录下的访问,都需要ROLE_USER权限
当访问/index.jsp,显然权限不足,所以抛出错误,
又由于你当前user是ANONYMOUS,所以会跳到登录页面
