春季安全忘記自定義登錄表單認證

Question

我跟着或多或少這說明創建自定義登錄表單： http://technology-for-human.blogspot.com/2011/01/jsf-2-with-spring-3-protection-with.html

登錄表單使用LoginBean和LoginBean使用一個的AuthenticationService：

@Service("authenticationService") 
public class AuthenticationService { 
    @Resource(name = "authenticationManager") 
    AuthenticationManager authenticationManager; 

    public boolean login(String username, String password) { 
     try { 
      Authentication authenticate = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password)); 
      if (authenticate.isAuthenticated()) { 
       SecurityContextHolder.getContext().setAuthentication(authenticate); 
       return true; 
      } 
     } catch (AuthenticationException e) { 
     } 
    return false; 
    } 
} 

通常一切都按預期工作，登錄方法爲我的用戶返回true。但是然後登錄表單再次出現，我可以看到SecurityContextHolder.getContext().getAuthentication()返回null。

Spring配置如下：

<security:http auto-config='true'> 
    <security:form-login login-page="/login.jsf" /> 
    <security:intercept-url pattern="/login.jsf" filters="none" /> 
    <security:intercept-url pattern="/**" access="ROLE_USER" /> 
    <security:logout logout-url="/logout" logout-success-url="/" /> 
</security:http> 

<security:authentication-manager alias="authenticationManager"> 
    <security:authentication-provider user-service-ref="userDetailsService" /> 
</security:authentication-manager> 

任何想法可能會是什麼原因？

Answer 1

我認爲安全上下文不會持久回到會話。你有沒有在web.xml中配置springSecurityFilterChain作爲過濾器？

<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter> 

<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping>