Перенаправление на страницу входа после входа в систему

Question

У меня есть веб-приложение весной, которое использует весеннюю безопасность. После успешного развертывания войдите в систему. после входа в систему он снова перенаправляется на страницу входа.

Это мой securityContext.xml

<!-- enable method-level security via annotation --> 
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="disabled"/> 

<!-- secure the web layer --> 

<sec:http pattern="/login.jsp" security="none" /> 
<sec:http pattern="/js/**" security="none" /> 
<sec:http pattern="/scripts/**" security="none" /> 
<sec:http pattern="/favicon.ico" security="none" /> 
<sec:http pattern="/styles/**" security="none" /> 
<sec:http pattern="/images/**" security="none" /> 
<sec:http pattern="/qlogin.jsp" security="none" /> 
<sec:http pattern="/qloginWait/**" security="none" /> 
<sec:http pattern="/contract/ServiceContractPDFView.jsp" security="none" /> 
<sec:http pattern="/admin/unsubscribe_sbpqm_newsletter.jsp" security="none" /> 
<sec:http pattern="/admin/subscription_thankyou.jsp" security="none" /> 
<sec:http pattern="/admin/related_analysts.jsp" security="none" /> 

    <sec:http entry-point-ref="myAuthenticationEntryPoint" use-expressions="true"> 
     <sec:session-management session-fixation-protection="newSession"> 
     </sec:session-management> 
     <sec:csrf disabled="true"/> 
     <sec:custom-filter position="FORM_LOGIN_FILTER" ref="customizedFormLoginFilter"/> 
     <sec:custom-filter after="FORM_LOGIN_FILTER" ref="rememberMeProcessingFilter"/> 
     <sec:custom-filter after="REMEMBER_ME_FILTER" ref="logoutFilter"/> 
     <sec:intercept-url pattern="/**" access="hasRole('ROLE_USER')" /> 
     <sec:anonymous username="anonymousUser" granted-authority="ROLE_ANONYMOUS"/> 
     <!-- <sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="singleSignOnFilter"/> --> 
</sec:http> 

<!--name of my authenticationManager is authenticationManager--> 
<sec:authentication-manager alias="authenticationManager"> 
    <sec:authentication-provider user-service-ref="myUserDetailsService" /> 
</sec:authentication-manager> 

<bean id="customizedFormLoginFilter" class="com.prop.test.security.CustomAuthenticationProcessingFilter" > 
    <!--Here it is the custom authenticationManager, login magic goes here --> 
    <property name="authenticationManager" ref="myAuthenticationManager"/> 
    <property name="rememberMeServices" ref="rememberMeServices" /> 
    <property name="allowSessionCreation" value="true" /> 
    <property name="authenticationFailureHandler" ref="failureHandler"/> 
    <property name="authenticationSuccessHandler" ref="successHandler"/> 
</bean> 

<bean id="myAuthenticationManager" class="com.prop.test.security.CustomAuthenticationManager" /> 

<bean id="loggerListener" class="org.springframework.security.access.event.LoggerListener"/> 

<!--My authentication entry point, can be replaced easily if we are doing custom commence of invalid auths.--> 
<bean id="myAuthenticationEntryPoint" 
class="com.prop.test.security.CustomAuthenticationEntryPoint" > 
    <constructor-arg value="/j_spring_security_check"/> 
</bean> 

<bean id="successHandler" class="com.prop.test.security.CustomSavedRequestAwareAuthenticationSuccessHandler"> 
    <property name="defaultTargetUrl" value="/indexCustomer.jsp"/> 
</bean> 

<bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> 
    <property name="defaultFailureUrl" value="/login.jsp?login_error=1"/> 
</bean> 
<!-- Override RememberMeProcessingFilter to allow application of other business logic (update login count when user returns to the site --> 

<bean id="rememberMeProcessingFilter" class="com.prop.test.security.CustomRememberMeProcessingFilter"> 
    <constructor-arg ref="authenticationManager"/> 
    <constructor-arg ref="rememberMeServices"/> 
</bean> 

<bean id="signleSignOnService" class="com.prop.sage.sso.dynamo.SsoDbStorage"> 
</bean> 
<bean id="singleSignOnFilter" 
     class="com.prop.test.spring.SingleSignOnFilter"> 
    <property name="signleSignOnService" ref="signleSignOnService"/> 
    <!--<property name="authenticationProviderFacade" ref="authenticationProviderFacade"/>--> 
    <property name="userService" ref="propUserServiceImpl"/> 
    <property name="ssoUserUrl"> 
     <value>/sso</value> 
    </property> 
    <!-- Code Review Starts --> 
    <property name="ssoTargetUrl"> 
     <value>/search/ServiceContractSearch.do</value> 
    </property> 
    <!-- Code Review Ends --> 
    <property name="ssoFailureUrl"> 
     <value>/login.jsp</value> 
    </property> 
    <property name="order" value="123456"/> 
</bean> 


<!-- Remember me Authentication Defines which remember me implementation to use - in this case using a database table to log 'remembered' tokens --> 

<bean id="myUserDetailsService" class="com.prop.test.security.CustomUserDetailsService" > </bean> 

<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices"> 
    <constructor-arg value="springRocks"/> 
    <constructor-arg ref="myUserDetailsService"/> 
    <constructor-arg ref="jdbcTokenRepository"/> 
</bean> 


<!-- Uses a database table to maintain a set of persistent login data --> 

<bean id="jdbcTokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl"> 
    <property name="createTableOnStartup" value="false" /> 
    <property name="dataSource" ref="dataSource" /> 
</bean> 

<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider"> 
    <constructor-arg value="springRocks"/> 
</bean> 

<bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" > 
    <property name="invalidateHttpSession" value="true" /> 
</bean> 

<bean id="mySecurityContextHandler" class="com.prop.test.security.CustomSecurityContextLogoutHandler"/> 

<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter"> 
    <constructor-arg value="/login.jsp" /> 
    <constructor-arg> 
     <list> 
      <ref bean="mySecurityContextHandler" /> 
      <ref bean="rememberMeServices" /> 
      <ref bean="securityContextLogoutHandler" /> 
     </list> 
    </constructor-arg> 
</bean> 

<bean id="authenticationLoggerListener" class="org.springframework.security.access.event.LoggerListener"/> 

<bean id="_sessionFixationProtectionFilter" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"> 
    <property name="migrateSessionAttributes" value="true" /> 
</bean> 

Журналы в файле регистратора -

org.springframework.security.access.event.LoggerListener - разрешение безопасности не удалось из-за: орг. springframework.security.access.AccessDeniedException: доступ запрещен; аутентифицированный директор: org.springframework.security.authentication.AnonymousAuthenticationToken@90579aae: Principal: anonymousUser; Учетные данные: [ЗАЩИТА]; Authenticated: true; Подробности: org.springframework.security.web.authentication.WebAuthenticationDetails@2eb76: RemoteIpAddress: 127.0.0.1; SessionId: 6C81F0D37667C08742208FC0B8BA3E86; Предоставленные полномочия: ROLE_ANONYMOUS; защищенный объект: FilterInvocation: URL:/j_spring_security_check; Конфигурация атрибутов: [hasRole ('ROLE_USER')]

Answer 1

Согласно вашей конфигурации, только ROLE_USER имеет доступ ко всем страницам/**

И вы пытались войти в AnonymousUser которого предоставляется власть ROLE_ANONYMOUS

Следовательно, вы не можете идти вперед с anonymousUser, и доступ запрещен. не Так что, если вы хотите, вы можете разрешить доступ к AnonymousUser в доступа = «hasAnyRole (ROLE_USER, ROLE_ANONYMOUS)»

<sec:intercept-url pattern="/**" access="hasRole('ROLE_USER')" /> 
     <sec:anonymous username="anonymousUser" granted-authority="ROLE_ANONYMOUS"/>