【Question title】: spring security UsernamePasswordAuthenticationFilter url match issue
【Posted】: 2013-03-11 14:08:43
【Question description】:

I changed the Spring Security default '/j_security_check' URL to '/check'. After I log in to my system, when I enter the URL 'http://www.example.com/users/list' it goes to the right page, but when I append the string 'check' to this URL, like 'http://www.example.com/users/list/check', it goes into my custom UsernamePasswordAuthenticationFilterCustom filter. Any URL with 'check' appended does this, and I don't know why.

    <beans:beans xmlns="http://www.springframework.org/schema/security" 
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- HTTP security configurations -->
<http pattern="/favicon.ico" security="none"/>
<http pattern="/statics/**" security="none"/>
<http pattern="/forgotPasswords/**" security="none"/>
<http pattern="/messages/**" security="none"/>
<http pattern="/sessions/**" security="none"/>
<!--<http pattern="/preferences/reLogin" security="none"/>-->
<http pattern="/javascript/message/**" security="none"/>
<http pattern="/dualLogin" security="none"/>
<http pattern="/inbound" security="none"/>
<http pattern="/twilio/**" security="none"/>
<http pattern="/download/async/**" security="none"/>
<beans:bean id="usernamePasswordAuthenticationFilterCustom" class="com.everbridge.platform.security.extension.UsernamePasswordAuthenticationFilterCustom">
    <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
    <beans:property name="sessionAuthenticationStrategy" ref="sas" />
    <beans:property name="passwordParameter" value="password"/>
    <beans:property name="usernameParameter" value="username"/>
    <beans:property name="allowSessionCreation" value="true"/>
    <beans:property name="filterProcessesUrl" value="/check"/>
    <beans:property name="authenticationManager" ref="authenticationManagerCustom"/>
    <beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
    <beans:property name="userService" ref="userService" />
    <beans:property name="roleService" ref="roleService" />
    <beans:property name="accountService" ref="accountService" />
    <beans:property name="featureService" ref="featureService" />
    <beans:property name="moduleService" ref="moduleService"/>
    <beans:property name="permissionService" ref="permissionService"/>
</beans:bean>

<http entry-point-ref="authenticationEntryPoint" auto-config="false" use-expressions="true">
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
    <custom-filter position="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilterCustom" />
    <custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" />
    <custom-filter ref="afterLoginInterceptor" after="LAST" />
    <logout logout-url="/logout" />
    <intercept-url pattern="/login" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/switch" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/api/**" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/m/switcher" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/m" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/logout" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/check" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/registers/**" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/preferences/**" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/information/**" access="permitAll" requires-channel="any"/>
    <intercept-url pattern="/**" access="isAuthenticated()" requires-channel="any"/>

    <access-denied-handler ref="accessDeniedHandlerCustom"/>
    <session-management session-authentication-strategy-ref="sas" />
</http>

<beans:bean id="authenticationSuccessHandler" class="com.everbridge.platform.setting.handler.extension.AuthenticationSuccessHandlerCustom">
    <beans:property name="targetUrl" value="/dashboard" />

</beans:bean>

<beans:bean id="sas"
            class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="maximumSessions" value="1" />
</beans:bean>

<beans:bean id="concurrencyFilter" class="com.everbridge.platform.security.extension.CustomConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="expiredUrl" value="/login" />
    <beans:property name="logoutHandlers">
        <beans:list>
            <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"></beans:bean>
            <beans:bean class="com.everbridge.platform.security.extension.CustomLogoutHandler"></beans:bean>
        </beans:list>
    </beans:property>
</beans:bean>
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />


<beans:bean id="authenticationFailureHandler" class="com.everbridge.platform.setting.handler.extension.AuthenticationFailureHandlerCustom"/>


<beans:bean id="authenticationEntryPoint"
      class="com.everbridge.platform.security.extension.AjaxAwareAuthenticationEntryPoint">
    <beans:constructor-arg value="/login"/>
</beans:bean>

<beans:bean id="filterSecurityInterceptor"
    class="com.everbridge.platform.security.extension.FilterSecurityInterceptorCustom">
    <beans:property name="authenticationManager" ref="authenticationManagerCustom" />
    <beans:property name="accessDecisionManager" ref="accessDecisionManagerCustom" />
    <beans:property name="securityMetadataSource" ref="securityMetadataSourceCustom" />
</beans:bean>

<beans:bean id="afterLoginInterceptor"
    class="com.everbridge.platform.portal.filter.AfterLoginInterceptor">
    <beans:property name="accountService" ref="accountService" />
    <beans:property name="roleService" ref="roleService" />
    <beans:property name="userService" ref="userService" />
</beans:bean>

<beans:bean id="accessDecisionManagerCustom" class="com.everbridge.platform.security.extension.AccessDecisionManagerCustom"/>

<beans:bean id="securityMetadataSourceCustom" class="com.everbridge.platform.security.extension.InvocationSecurityMetadataSourceServiceCustom" init-method="loadResources">
    <beans:property name="operationService" ref="operationService"/>
    <beans:property name="permissionService" ref="permissionService"/>
    <beans:property name="resourceService" ref="resourceService"/>
    <beans:property name="roleService" ref="roleService"/>
    <beans:property name="featureService" ref="featureService"/>
</beans:bean>

<beans:bean id="accessDeniedHandlerCustom" class="com.everbridge.platform.security.extension.AccessDeniedHandlerCustom">
    <beans:property name="errorPage" value="/error401" />
</beans:bean>

<authentication-manager alias="authenticationManagerCustom"/>

【Question discussion】:

    Tags: java spring security


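    【Solution 1】:

    Tony, first you need to define the page where your users will be authenticated, because the URL /j_security_check is the URL that Spring Security checks for authentication.

    Try defining your authentication logic as: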

    <security:form-login login-page="/login"  always-use-default-target="true" login-processing-url="/check"  default-target-url="/dashboard" authentication-failure-url="/login.jsp?login_error=1" />
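The behaviour described in the question, as an added example that is not part of the original post or of Spring Security's source. It assumes a simplified model of `AbstractAuthenticationProcessingFilter.requiresAuthentication` in Spring Security 3.1, which compares the end of the request URI with the context path plus `filterProcessesUrl`; the class name `LoginUrlMatchDemo` and the sample URIs are constructed.

```java
public class LoginUrlMatchDemo {

    // Strip a path parameter such as ";jsessionid=..." before comparing.
    static String stripPathParams(String uri) {
        int semi = uri.indexOf(';');
        return semi >= 0 ? uri.substring(0, semi) : uri;
    }

    // Simplified model of the 3.1 check: the request URI only has to END with
    // contextPath + filterProcessesUrl for the login filter to claim it.
    static boolean suffixMatch(String requestUri, String contextPath, String processesUrl) {
        return stripPathParams(requestUri).endsWith(contextPath + processesUrl);
    }

    // Stricter alternative: the path inside the application must EQUAL the URL.
    static boolean exactMatch(String requestUri, String contextPath, String processesUrl) {
        String uri = stripPathParams(requestUri);
        return uri.startsWith(contextPath)
                && uri.substring(contextPath.length()).equals(processesUrl);
    }

    public static void main(String[] args) {
        String contextPath = "";        // root-deployed application, as in the question's URLs
        String processesUrl = "/check"; // filterProcessesUrl from the question's configuration
        // Constructed sample request URIs.
        String[] uris = {
            "/check", "/users/list", "/users/list/check",
            "/check;jsessionid=ABC123", "/healthcheck"
        };
        System.out.printf("%-28s %-8s %s%n", "request URI", "suffix", "exact");
        for (String uri : uris) {
            System.out.printf("%-28s %-8b %b%n", uri,
                    suffixMatch(uri, contextPath, processesUrl),
                    exactMatch(uri, contextPath, processesUrl));
        }
    }
}
```

In a 3.1 filter subclass such as the question's `UsernamePasswordAuthenticationFilterCustom`, the stricter comparison would go in an override of the protected `requiresAuthentication` method, so that only the URL covered by the `/check` `intercept-url` rule is treated as a login attempt.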
    

    【Discussion】:
