春天Servlet和春季安全過濾器鏈的URL模式

Question

我有很多的麻煩debbuging對Spring Security的j_spring_security_check和j_spring_security_logout那些404級的消息。我相信SpringServlet Url-Pattern，springSecurityFilterChain Url-Pattern和/或sitemesh之間可能存在一些衝突。

這是我的web.xml：

<?xml version="1.0" encoding="UTF-8"?> 
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" 
    version="3.1"> 

    <filter> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
    </filter> 

    <filter-mapping> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 

    <context-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value>/WEB-INF/spring/applicationContext.xml</param-value> 
    </context-param> 

    <servlet> 
     <servlet-name>springServlet</servlet-name> 
     <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 

     <init-param> 
      <param-name>contextConfigLocation</param-name> 
      <param-value>/WEB-INF/spring/spring-servlet.xml</param-value> 
     </init-param> 
     <load-on-startup>1</load-on-startup> 
    </servlet> 

    <servlet-mapping> 
     <servlet-name>springServlet</servlet-name> 
     <url-pattern>/</url-pattern> 
    </servlet-mapping> 

    <listener> 
     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
    </listener> 

    <filter> 
     <filter-name>sitemesh</filter-name> 
     <filter-class>org.sitemesh.config.ConfigurableSiteMeshFilter</filter-class> 
    </filter> 

    <filter-mapping> 
     <filter-name>sitemesh</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 

</web-app> 

和我的ApplicationContext（包括彈簧安全份）：

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" 
    xmlns:tx="http://www.springframework.org/schema/tx" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:security="http://www.springframework.org/schema/security" 

    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd 
          http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd 
          http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd 
          http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd 
          http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd 
          http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> 

    <context:component-scan base-package="com.xpto.portal" /> 
    <tx:annotation-driven transaction-manager="txManager" /> 
    <mvc:annotation-driven /> 

    <bean id="handlerMapping" class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping"> 
     <property name="order" value="1" /> 
    </bean> 

    <security:http auto-config="true" use-expressions="true"> 
     <security:intercept-url pattern="/" access="hasRole('ROLE_USER')" /> 
     <security:intercept-url pattern="/logout" access="permitAll" /> 
     <security:logout logout-url="/logout"/> 
    </security:http> 

    <!-- Declare an authentication-manager to use a custom userDetailsService --> 
    <security:authentication-manager> 
     <security:authentication-provider user-service-ref="userDetailsService"> 
      <security:password-encoder ref="passwordEncoder" /> 
     </security:authentication-provider> 
    </security:authentication-manager> 

    <bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder" /> 

    <security:user-service id="userDetailsService"> 
     <security:user name="john" password="21232f297a57a5a743894a0e4a801fc3" authorities="ROLE_USER, ROLE_ADMIN" /> 
     <security:user name="jane" password="ee11cbb19052e40b07aac0ca060c23ee" authorities="ROLE_USER" /> 
    </security:user-service> 


    <bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"> 
     <property name="basename" value="classpath:messages"> 
     </property> 
     <property name="defaultEncoding" value="UTF-8"> 
     </property> 
    </bean> 

    <bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor"> 
     <property name="paramName" value="lang"> 
     </property> 
    </bean> 

    <bean id="localeResolver" class="org.springframework.web.servlet.i18n.CookieLocaleResolver"> 
     <property name="defaultLocale" value="pt"> 
     </property> 
    </bean> 
</beans> 

和鹼性網頁控制器，它返回一個視圖，的sitemesh：

@Controller 
@RequestMapping(value = "/") 
public class HomeController { 

    @RequestMapping(method=RequestMethod.GET) 
    public String index() 
    { 
     return "home/index"; 
    } 
} 

這適用於登錄。如果我訪問localhost/portal，我將被重定向到spring的默認登錄頁面，然後將該頁面重定向到「/」。問題是這樣的URL這裏：

<a href="<c:url value="/logout" />">Logout</a> 

其產生404和這個錯誤：

17：06：43657 WARN [org.springframework.web.servlet.PageNotFound]（默認任務-27）沒有映射發現在DispatcherServlet的與URI [/門戶網站/註銷] HTTP請求名爲「springServlet」

這是相同的或者我改變註銷-URL或沒有。

我懷疑過濾器和彈簧的servlet之間的一些不兼容的，但我的損失。

你能幫忙嗎？

我正在使用spring-security 4.0.1

謝謝！

Answer 1

我只需要使用表單來執行註銷。事情是這樣的：

<c:url var="logoutUrl" value="/logout"/> 
<form action="${logoutUrl}" method="post"> 
    <input type="submit" value="Log out" /> 
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> 
</form> 

這是因爲春季安全的CSRF是默認啓用的，必須通過POST與CSRF令牌進行註銷。

Answer 2

更改註銷。 這樣的事情。

<a href='<c:url value="/j_spring_security_logout" />'>