春天Servlet和春季安全过滤器链的URL模式

Question

我有很多的麻烦debbuging对Spring Security的j_spring_security_check和j_spring_security_logout那些404级的消息。我相信SpringServlet Url-Pattern，springSecurityFilterChain Url-Pattern和/或sitemesh之间可能存在一些冲突。

这是我的web.xml：

<?xml version="1.0" encoding="UTF-8"?> 
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" 
    version="3.1"> 

    <filter> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
    </filter> 

    <filter-mapping> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 

    <context-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value>/WEB-INF/spring/applicationContext.xml</param-value> 
    </context-param> 

    <servlet> 
     <servlet-name>springServlet</servlet-name> 
     <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 

     <init-param> 
      <param-name>contextConfigLocation</param-name> 
      <param-value>/WEB-INF/spring/spring-servlet.xml</param-value> 
     </init-param> 
     <load-on-startup>1</load-on-startup> 
    </servlet> 

    <servlet-mapping> 
     <servlet-name>springServlet</servlet-name> 
     <url-pattern>/</url-pattern> 
    </servlet-mapping> 

    <listener> 
     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
    </listener> 

    <filter> 
     <filter-name>sitemesh</filter-name> 
     <filter-class>org.sitemesh.config.ConfigurableSiteMeshFilter</filter-class> 
    </filter> 

    <filter-mapping> 
     <filter-name>sitemesh</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 

</web-app> 

和我的ApplicationContext（包括弹簧安全份）：

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" 
    xmlns:tx="http://www.springframework.org/schema/tx" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:security="http://www.springframework.org/schema/security" 

    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd 
          http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd 
          http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd 
          http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd 
          http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd 
          http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> 

    <context:component-scan base-package="com.xpto.portal" /> 
    <tx:annotation-driven transaction-manager="txManager" /> 
    <mvc:annotation-driven /> 

    <bean id="handlerMapping" class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping"> 
     <property name="order" value="1" /> 
    </bean> 

    <security:http auto-config="true" use-expressions="true"> 
     <security:intercept-url pattern="/" access="hasRole('ROLE_USER')" /> 
     <security:intercept-url pattern="/logout" access="permitAll" /> 
     <security:logout logout-url="/logout"/> 
    </security:http> 

    <!-- Declare an authentication-manager to use a custom userDetailsService --> 
    <security:authentication-manager> 
     <security:authentication-provider user-service-ref="userDetailsService"> 
      <security:password-encoder ref="passwordEncoder" /> 
     </security:authentication-provider> 
    </security:authentication-manager> 

    <bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder" /> 

    <security:user-service id="userDetailsService"> 
     <security:user name="john" password="21232f297a57a5a743894a0e4a801fc3" authorities="ROLE_USER, ROLE_ADMIN" /> 
     <security:user name="jane" password="ee11cbb19052e40b07aac0ca060c23ee" authorities="ROLE_USER" /> 
    </security:user-service> 


    <bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"> 
     <property name="basename" value="classpath:messages"> 
     </property> 
     <property name="defaultEncoding" value="UTF-8"> 
     </property> 
    </bean> 

    <bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor"> 
     <property name="paramName" value="lang"> 
     </property> 
    </bean> 

    <bean id="localeResolver" class="org.springframework.web.servlet.i18n.CookieLocaleResolver"> 
     <property name="defaultLocale" value="pt"> 
     </property> 
    </bean> 
</beans> 

和碱性网页控制器，它返回一个视图，的sitemesh：

@Controller 
@RequestMapping(value = "/") 
public class HomeController { 

    @RequestMapping(method=RequestMethod.GET) 
    public String index() 
    { 
     return "home/index"; 
    } 
} 

这适用于登录。如果我访问localhost/portal，我将被重定向到spring的默认登录页面，然后将该页面重定向到“/”。问题是这样的URL这里：

<a href="<c:url value="/logout" />">Logout</a> 

其产生404和这个错误：

17：06：43657 WARN [org.springframework.web.servlet.PageNotFound]（默认任务-27）没有映射发现在DispatcherServlet的与URI [/门户网站/注销] HTTP请求名为“springServlet”

这是相同的或者我改变注销-URL或没有。

我怀疑过滤器和弹簧的servlet之间的一些不兼容的，但我的损失。

你能帮忙吗？

我正在使用spring-security 4.0.1

谢谢！

Answer 1

我只需要使用表单来执行注销。事情是这样的：

<c:url var="logoutUrl" value="/logout"/> 
<form action="${logoutUrl}" method="post"> 
    <input type="submit" value="Log out" /> 
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> 
</form> 

这是因为春季安全的CSRF是默认启用的，必须通过POST与CSRF令牌进行注销。

Answer 2

更改注销。 这样的事情。

<a href='<c:url value="/j_spring_security_logout" />'>