5
我正在使用Spring MVC和Spring Security。我的重定向將https轉換爲http,直到找到這篇文章。 Spring MVC "redirect:" prefix always redirects to http -- how do I make it stay on https?。我還必須在我的AjaxUrlBasedViewResolver中將redirectHttp10Compatible屬性設置爲false。登錄後春安全切換到http。我如何保持https?
問題是https登錄後仍然切換到http。一旦我登錄,我可以將我的應用程序設置回地址欄中的https,並堅持下去。另外,我正在爲大多數用戶使用IP身份驗證,在這種情況下,https會保持上述解決方案。
我想添加redirectHtp10Compatible到login_security_check或類似的東西,但我卡住了。在這裏我的security-config.xml。
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<global-method-security pre-post-annotations="enabled" />
<http auto-config='true' access-denied-page="/login">
<intercept-url pattern="/static/styles/**" filters="none" />
<intercept-url pattern="/static/scripts/**" filters="none" />
<intercept-url pattern="/login/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/error/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/api/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/ajaxTimeOut" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/checkSystem" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/adminUser/**" access="ROLE_SSADMIN" />
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/ajaxTimeOut" login-processing-url="/login_security_check" authentication-failure-url="/login?login_error=t" default-target-url="/" always-use-default-target="true" />
<logout logout-url="/logout" logout-success-url="/"/>
<custom-filter position="PRE_AUTH_FILTER" ref="ipPreAuthFilter" />
</http>
<beans:bean id="ipAuthDetailsSource" class="com.mydomain.security.IPBasedPreAuthenticatedDetailsSource" />
<beans:bean id="ipPreAuthFilter" class="com.mydomain.security.IPPreAuthenticationFilter">
<beans:property name="authenticationManager" ref="preAuthManager" />
<beans:property name="authenticationDetailsSource" ref="ipAuthDetailsSource" />
</beans:bean>
<beans:bean id="preAuthManager" class="org.springframework.security.authentication.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="preAuthProvider"/>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="preAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService" ref="preAuthUserService" />
</beans:bean>
<beans:bean id="preAuthUserService" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />
<authentication-manager>
<authentication-provider user-service-ref="userService">
<password-encoder ref="passwordEncoder" >
<salt-source user-property="salt" />
</password-encoder>
</authentication-provider>
</authentication-manager>
<beans:bean id="userService" class="com.mydomain.security.UserServiceImpl" />
<beans:bean id="passwordEncoder" class="com.mydomain.security.PasswordEncoder">
<beans:constructor-arg value="256" />
</beans:bean>
感謝。
請包括所有相關的春季安全配置,讓我們知道你使用的是什麼版本的Spring Security。 –
@Marc一個問題:如何調用登錄頁面:直接由用戶(他輸入http(s)://.../login)?或者通過攔截對prtected url的請求(用戶請求http(s)://.../ adminUser/,,,),第二個問題:用戶是通過http還是https執行此操作? – Ralph
如果用戶未經IP認證,他們將被重定向到登錄頁面。如果他們被IP認證,他們會去請求的頁面或主頁。用戶可以使用http或https,我需要應用程序保留在他們訪問該站點的任何協議上。 – Marc