下面是打印日志:
DEBUG 02-16 21:15:07,519 /doLogin at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' (FilterChainProxy.java:325)
DEBUG 02-16 21:15:07,520 /doLogin at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' (FilterChainProxy.java:325)
DEBUG 02-16 21:15:07,520 HttpSession returned null object for SPRING_SECURITY_CONTEXT (HttpSessionSecurityContextRepository.java:186)
DEBUG 02-16 21:15:07,521 No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3191ede6. A new one will be created. (HttpSessionSecurityContextRepository.java:116)
DEBUG 02-16 21:15:07,521 /doLogin at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter' (FilterChainProxy.java:325)
DEBUG 02-16 21:15:07,521 /doLogin at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter' (FilterChainProxy.java:325)
DEBUG 02-16 21:15:07,522 Trying to match using Ant [pattern='/logout', GET] (OrRequestMatcher.java:65)
DEBUG 02-16 21:15:07,523 Request 'POST /doLogin' doesn't match 'GET /logout (AntPathRequestMatcher.java:156)
DEBUG 02-16 21:15:07,525 Trying to match using Ant [pattern='/logout', POST] (OrRequestMatcher.java:65)
DEBUG 02-16 21:15:07,526 Checking match of request : '/doLogin'; against '/logout' (AntPathRequestMatcher.java:176)
DEBUG 02-16 21:15:07,527 Trying to match using Ant [pattern='/logout', PUT] (OrRequestMatcher.java:65)
DEBUG 02-16 21:15:07,528 Request 'POST /doLogin' doesn't match 'PUT /logout (AntPathRequestMatcher.java:156)
DEBUG 02-16 21:15:07,528 Trying to match using Ant [pattern='/logout', DELETE] (OrRequestMatcher.java:65)
DEBUG 02-16 21:15:07,528 Request 'POST /doLogin' doesn't match 'DELETE /logout (AntPathRequestMatcher.java:156)
DEBUG 02-16 21:15:07,528 No matches found (OrRequestMatcher.java:72)
DEBUG 02-16 21:15:07,528 /doLogin at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' (FilterChainProxy.java:325)
DEBUG 02-16 21:15:07,528 Checking match of request : '/doLogin'; against '/login' (AntPathRequestMatcher.java:176)
DEBUG 02-16 21:15:07,529 /doLogin at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' (FilterChainProxy.java:325)
DEBUG 02-16 21:15:07,529 pathInfo: both null (property equals) (DefaultSavedRequest.java:356)
DEBUG 02-16 21:15:07,529 queryString: both null (property equals) (DefaultSavedRequest.java:356)
DEBUG 02-16 21:15:07,529 requestURI: arg1=/lims/doLogin; arg2=/lims/doLogin (property equals) (DefaultSavedRequest.java:373)
DEBUG 02-16 21:15:07,529 saved request doesn't match (HttpSessionRequestCache.java:98)
DEBUG 02-16 21:15:07,531 /doLogin at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' (FilterChainProxy.java:325)
DEBUG 02-16 21:15:07,531 /doLogin at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter' (FilterChainProxy.java:325)
DEBUG 02-16 21:15:07,531 /doLogin at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' (FilterChainProxy.java:325)
DEBUG 02-16 21:15:07,531 Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90514580: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@43458: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3BCF365E86B3994AA46320E9A5127BD5; Granted Authorities: ROLE_ANONYMOUS' (AnonymousAuthenticationFilter.java:100)
DEBUG 02-16 21:15:07,531 /doLogin at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter' (FilterChainProxy.java:325)
DEBUG 02-16 21:15:07,531 /doLogin at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' (FilterChainProxy.java:325)
DEBUG 02-16 21:15:07,532 /doLogin at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' (FilterChainProxy.java:325)
DEBUG 02-16 21:15:07,532 Checking match of request : '/doLogin'; against '/WEB-INF/views/' (AntPathRequestMatcher.java:176)
DEBUG 02-16 21:15:07,532 Checking match of request : '/doLogin'; against '/static/' (AntPathRequestMatcher.java:176)
DEBUG 02-16 21:15:07,532 Checking match of request : '/doLogin'; against '/login.jsp' (AntPathRequestMatcher.java:176)
DEBUG 02-16 21:15:07,533 Secure object: FilterInvocation: URL: /doLogin; Attributes: [authenticated] (AbstractSecurityInterceptor.java:219)
DEBUG 02-16 21:15:07,533 Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90514580: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@43458: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 3BCF365E86B3994AA46320E9A5127BD5; Granted Authorities: ROLE_ANONYMOUS (AbstractSecurityInterceptor.java:348)
DEBUG 02-16 21:15:07,533 Voter: org.springframework.security.web.access.expression.WebExpressionVoter@30cad859, returned: -1 (AffirmativeBased.java:66)
DEBUG 02-16 21:15:07,535 Access is denied (user is anonymous); redirecting to authentication entry point (ExceptionTranslationFilter.java:173)
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
spring-scurity我用的是配置类:
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
@EnableWebSecurity
public class AppWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailsService userDetailsService;
//认证相关
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
//授权相关
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/WEB-INF/views/**","/static/**","/login.jsp").permitAll()
.anyRequest().authenticated();
http.formLogin().loginPage("/login.jsp") //指定自定义登录页
.usernameParameter("id") //默认参数名:username
.passwordParameter("password") //默认参数名:password
.loginProcessingUrl("/login") // 默认请求映射名称: /login
.defaultSuccessUrl("/main");
//5.授权注销功能
http.logout().logoutUrl("/logout")//默认注销映射名称:/logout
.logoutSuccessUrl("/login.jsp");
http.exceptionHandling().accessDeniedHandler(new AccessDeniedHandler() {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException accessDeniedException) throws IOException, ServletException {
//X-Requested-With: XMLHttpRequest
String XRequestedWith = request.getHeader("X-Requested-With");
if("XMLHttpRequest".equals(XRequestedWith)) { /
response.getWriter().print("403");
}else {
request.setAttribute("message", accessDeniedException.getMessage());
request.getRequestDispatcher("/WEB-INF/views/error.jsp").forward(request, response);
}
}
});
http.rememberMe();
http.csrf().disable();
}