爲什麼我的Spring Security不起作用？

Question

我目前正在做一個關於Spring MVC的項目，我正在嘗試整合Spring Security。然而，我沒有這樣做，我完全不知道我錯過了什麼。請查看我的代碼並提供您的建議。

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" 
    xmlns:context="http://www.springframework.org/schema/context" 
    xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:jpa="http://www.springframework.org/schema/data/jpa" 
    xmlns:security="http://www.springframework.org/schema/security" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans.xsd 
    http://www.springframework.org/schema/mvc 
    http://www.springframework.org/schema/mvc/spring-mvc.xsd 
    http://www.springframework.org/schema/context 
    http://www.springframework.org/schema/context/spring-context.xsd 
    http://www.springframework.org/schema/data/jpa 
    http://www.springframework.org/schema/data/jpa/spring-jpa.xsd 
    http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security.xsd"> 

    <security:http auto-config="true" use-expressions="true"> 
     <security:intercept-url pattern="/**" 
      access="hasRole('ROLE_ADMIN')" /> 
     <security:intercept-url pattern="/suser/**" 
      access="isAuthenticated()" /> 
     <!-- <security:intercept-url pattern="/resources/**" access="isAuthenticated()" 
      /> --> 
     <!-- <security:form-login login-page="/home" default-target-url="/doctor" 
      authentication-failure-url="/authfailed" username-parameter="email" password-parameter="password" 
      /> <security:logout logout-success-url="/logoutsuccess" /> <security:csrf/> --> 
     <!-- <security:csrf disabled="true"/> --> 
    </security:http> 

    <security:authentication-manager> 
     <security:authentication-provider 
      user-service-ref="userService"> 

     </security:authentication-provider> 
    </security:authentication-manager> 

    <security:jdbc-user-service id="userService" 
     data-source-ref="dataSource" 
     users-by-username-query="select email , password, true from user where userId=?" 
     authorities-by-username-query="select userId ,'ROLE_ADMIN' from user where userId=?" /> 

</beans>  

同樣我的控制器：

@Controller 
public class MainController { 

    @RequestMapping(value = "/signup", method = RequestMethod.GET) 
    public String getSignupPage() { 
     return "signup"; 
    } 

    @RequestMapping(value = "/home", method = RequestMethod.GET) 
    public ModelAndView getLoginSignupPage() { 

     return new ModelAndView("module/loginsignup/loginsignup",StringConstants.PAGE_TITLE,StringConstants.WEB_APP_TITLE); 
    } 

    @RequestMapping(value = "/index", method = RequestMethod.GET) 
    public String getIndexPage() { 
     return "index"; 
    } 

    @RequestMapping(value = "/admin", method = RequestMethod.GET) 
    public String getAdminPage() { 
     return "admin"; 
    } 

    @RequestMapping(value = "/authfailed", method = RequestMethod.GET) 
    public String getAuthFailPage() { 
     return "autherror"; 
    } 

    @RequestMapping(value = "/logoutsuccess", method = RequestMethod.GET) 
    public String getLogoutSuccessPage() { 
     return "logoutsuccess"; 
    } 

    @RequestMapping(value = "/suser/test", method = RequestMethod.GET) 
    public String getUserPage() { 
     return "user"; 
    } 
} 

而且我的用戶實體：

@Entity 
@Table(name="user") 
public class User { 
    @Id 
    @GeneratedValue(strategy = GenerationType.IDENTITY) 
    @Column 
    private long userId; 

    @Column 
    private String firstName; 

    @Column 
    private String middleName; 

    @Column 
    private String lastName; 

    @Column 
    private String email; 

    @Column 
    private String password; 

    @Column 
    private String userStatus; 

    @Column 
    private Date createdDate; 

    @Column 
    private Date updatedDate; 

    @Column 
    private int createdBy; 

    @Column 
    private int updatedBy; 

    @ManyToOne(fetch = FetchType.EAGER) 
    @JoinColumn(name = "cityId") 
    private City city; 

    @ManyToMany(cascade = CascadeType.ALL) 
    @JoinTable(name = "user_link_document", 
       joinColumns = @JoinColumn(name = "userId"), 
       inverseJoinColumns = @JoinColumn(name = "documentId")) 
    private List<Document> documentList; 

    @OneToMany(fetch = FetchType.LAZY, mappedBy = "user") 
    private List<Review> reviewList; 

我的依賴關係的build.gradle文件：

dependencies { 
    compile("org.springframework.boot:spring-boot-starter-data-jpa") 
    compile("javax.servlet:jstl:1.2") 
    runtime("mysql:mysql-connector-java") 
    compile("org.springframework.boot:spring-boot-starter-jdbc") 
    compile ("org.springframework.boot:spring-boot-starter-web") 
    compile("org.springframework.boot:spring-boot-starter-security") 
    providedRuntime("org.springframework.boot:spring-boot-starter-tomcat") 
    providedRuntime 'org.apache.tomcat.embed:tomcat-embed-jasper' 
} 

我所有的配置爲Spring MVC是正確的。除了Spring Security以外，我沒有任何問題。任何人都可以告訴我什麼是錯的？每當我瀏覽我的應用程序時，我都沒有看到Spring Security應該提示用戶的登錄頁面。

Answer 1

你應該去掉這一

<security:form-login login-page="/home" default-target-url="/doctor" 
      authentication-failure-url="/authfailed" username-parameter="email" password-parameter="password"/> 

和寫入/home請求將重定向到登錄頁面的請求處理程序。

Answer 2

您已添加/**僅限於ROLE_ADMIN其中全部收錄URLs。您也沒有添加/home URL到permitAll。

您需要首先添加所有公共URL，這些公共URL可以在以下模式之前不登錄而被訪問。

<security:intercept-url pattern="/**" 
      access="hasRole('ROLE_ADMIN')" />