Spring Security + Remember me support + automatic redirect
I got a spring + hibernate project that uses spring security for authentication, and everything works like a charm. I have the following spring-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/home" access="isAuthenticated()" />
        <intercept-url pattern="/home/**" access="isAuthenticated()" />

        <form-login
            login-page="/"
            authentication-failure-url="/?error"
            username-parameter="username"
            password-parameter="password"
            default-target-url="/home" />

        <!-- access denied page -->
        <access-denied-handler error-page="/403" />

        <!-- logout handling -->
        <logout invalidate-session="true" logout-success-url="/?logout"
            delete-cookies="JSESSIONID,SPRING_SECURITY_REMEMBER_ME_COOKIE" />

        <!-- enable csrf protection <csrf /> -->
        <remember-me services-ref="rememberMeServices" key="clarkerpi" />
    </http>

    <beans:bean id="rememberMeServices"
        class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
        <beans:property name="tokenRepository" ref="customTokenRepository" />
        <beans:property name="userDetailsService" ref="userDetailsService" />
        <beans:property name="key" value="clarkerpi" />
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="authenticationProvider" />
    </authentication-manager>

    <beans:bean id="authenticationProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService" />
    </beans:bean>
</beans:beans>
Almost everything works. I can log in and check "remember me"; it creates the cookie, stores the token persistently, and so on. If I delete the JSESSIONID cookie, I can still access the protected resources.
But I have one problem...
If I access localhost/projectname/ and "/" is my login page, is there any native way (Spring Security) to redirect to the target URL, which is /home, for those who have a remember_me cookie? I can access any protected resource without problems, but I want to type localhost/projectname/ and land on /home. And of course, keep the login page available for non-remember-me logins.
Question 2) I am very new to Spring Security + cookie handling. Can I delete the JSESSIONID and remember_me cookies the same way I do on logout? Or?
Thanks in advance, // fferrandini
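As an added illustration (not code from the post above) of how the handler behind the login-page attribute can detect that the request is already authenticated, including by the remember-me cookie, and skip the form: the controller class, the handler method and the view name "login" are hypothetical; the Spring Security classes are the real 3.x API.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LoginPageController {

    // Hypothetical handler for "/" (the login-page attribute in the config).
    // By the time it runs, RememberMeAuthenticationFilter has already
    // processed the remember-me cookie, so the SecurityContext tells us whether
    // the request is anonymous, form-authenticated or remember-me-authenticated.
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String showLoginPage() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (isLoggedIn(auth)) {
            // Already authenticated (form login or remember-me cookie):
            // skip the login form and send the browser to the default target.
            return "redirect:/home";
        }
        return "login"; // hypothetical view name for the login form
    }

    // True for a real user principal; false for null or for the anonymous
    // token that Spring Security assigns to unauthenticated requests.
    static boolean isLoggedIn(Authentication auth) {
        return auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }

    // Distinguishes a session that came only from the persistent remember-me
    // cookie, e.g. to require a fresh password before sensitive actions.
    static boolean isRememberMeLogin(Authentication auth) {
        return auth instanceof RememberMeAuthenticationToken;
    }
}
```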