IE6 登陆 spring security 权限 系统不跳转,其它浏览器没问题啊!救命啊

时间:2020-12-14 17:11:14
[code=java]2013-04-16 18:11:53 [http-bio-8080-exec-103:553093] - [DEBUG] Invalidating session with Id '746631BC17584A90CFEFE904CD75F3EF' and migrating attributes.
2013-04-16 18:11:53 [http-bio-8080-exec-103:553093] - [DEBUG] Publishing event: org.springframework.security.web.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@5c0bd7]
2013-04-16 18:11:53 [http-bio-8080-exec-103:553093] - [DEBUG] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@1f0d425]
2013-04-16 18:11:53 [http-bio-8080-exec-103:553093] - [DEBUG] Started new session: BBA888FA500246B1B4541E15D381D29B
2013-04-16 18:11:53 [http-bio-8080-exec-103:553093] - [DEBUG] Registering session BBA888FA500246B1B4541E15D381D29B, for principal org.casic.javaframework.core.web.console.security.user.UserDetailsBean@0: Username: 管理员; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities
2013-04-16 18:11:56 [http-bio-8080-exec-103:555890] - [DEBUG] Opening Hibernate Session
Hibernate: 
    select
        userloginm0_.userId as userId31_,
        userloginm0_.lastLoginDate as lastLogi2_31_,
        userloginm0_.lastLoginIP as lastLogi3_31_,
        userloginm0_.loginDate as loginDate31_,
        userloginm0_.loginIP as loginIP31_,
        userloginm0_.maxFailedLogin as maxFaile6_31_,
        userloginm0_.pswd1 as pswd7_31_,
        userloginm0_.pswd2 as pswd8_31_,
        userloginm0_.pswd3 as pswd9_31_,
        userloginm0_.pswdExpiredDate as pswdExp10_31_,
        userloginm0_.pswdModiTime as pswdMod11_31_ 
    from
        T_SYS_USERLOGIN userloginm0_ 
    where
        userloginm0_.userId=?
2013-04-16 18:11:56 [http-bio-8080-exec-103:555906] - [DEBUG] Eagerly flushing Hibernate session
2013-04-16 18:11:56 [http-bio-8080-exec-103:555906] - [DEBUG] Closing Hibernate Session
2013-04-16 18:11:56 [http-bio-8080-exec-103:555906] - [DEBUG] Opening Hibernate Session
2013-04-16 18:11:56 [http-bio-8080-exec-103:555906] - [DEBUG] Eagerly flushing Hibernate session
Hibernate: 
    update
        T_SYS_USERLOGIN 
    set
        lastLoginDate=?,
        lastLoginIP=?,
        loginDate=?,
        loginIP=?,
        maxFailedLogin=?,
        pswd1=?,
        pswd2=?,
        pswd3=?,
        pswdExpiredDate=?,
        pswdModiTime=? 
    where
        userId=?
2013-04-16 18:11:56 [http-bio-8080-exec-103:555906] - [DEBUG] Closing Hibernate Session
2013-04-16 18:11:57 [http-bio-8080-exec-103:557453] - [DEBUG] Publishing event: org.springframework.security.web.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@1639d1]
2013-04-16 18:11:57 [http-bio-8080-exec-103:557453] - [DEBUG] Removing session DF8BACBDCB2B67ECB245A68FFFD2880F from principal's set of registered sessions
2013-04-16 18:11:57 [http-bio-8080-exec-103:557453] - [DEBUG] Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fffffb0b: Principal: org.casic.javaframework.core.web.console.security.user.UserDetailsBean@0: Username: 管理员; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities
2013-04-16 18:11:58 [http-bio-8080-exec-103:557890] - [DEBUG] Using default Url: /index.action
2013-04-16 18:11:58 [http-bio-8080-exec-103:557890] - [DEBUG] Redirecting to '/bpm/index.action'
2013-04-16 18:11:58 [http-bio-8080-exec-103:557890] - [DEBUG] SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@fffffb0b: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fffffb0b: Principal: org.casic.javaframework.core.web.console.security.user.UserDetailsBean@0: Username: 管理员; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
2013-04-16 18:11:58 [http-bio-8080-exec-103:557890] - [DEBUG] SecurityContextHolder now cleared, as request processing completed
2013-04-16 18:11:58 [http-bio-8080-exec-103:557890] - [DEBUG] Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@134b520
--ie6 请求登陆到这里就完了

3 个解决方案

#1

下面是我的配置

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans 
     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security 
                        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<http lowercase-comparisons="false" path-type="ant" access-denied-page="/nopop.jsp">
<!-- 当访问被拒绝时,会转到nopop.jsp -->
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/nopop.jsp" filters="none" />
<intercept-url pattern="/uncaughtException.jsp" filters="none" />
<intercept-url pattern="/randomImage.jsp" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/common/**" filters="none" />
<intercept-url pattern="/layout/**" filters="none" />
<intercept-url pattern="/web/**" filters="none" />
<intercept-url pattern="/style/**" filters="none" />

<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true"
default-target-url="/index.action" always-use-default-target="true" />
<http-basic />


<!-- 自定义登陆认证 -->
<custom-filter before="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilter" />
<!-- 默认的认证-->
<custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="filterSecurity" />
<!-- 自定义退出认证 -->
<custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />

<session-management session-fixation-protection="none" invalid-session-url="/j_spring_security_logout">
<concurrency-control session-registry-ref="sessionRegistry" expired-url="/login.jsp?error=repeat" /><!-- 重复登陆返回页面 -->
</session-management>
</http>

<!-- 注入自定义登陆认证usernamePasswordAuthenticationFilter 用以控制同一账户同时登陆个数 -->
<beans:bean id="concurrentSessionControlStrategy"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="2" />
</beans:bean>

<!-- 一个自定义的filter,必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性,
我们的所有控制将在这三个类中实现,解释详见具体配置 
<beans:bean id="filterSecurity" class="com.ckm.console.security.auth.FilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
-->

<!-- 认证管理器,实现用户认证的入口,主要实现UserDetailsService接口即可 -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailService">
<!--   如果用户的密码采用加密的话,可以加点“盐”
<password-encoder hash="md5" />
-->
</authentication-provider>
</authentication-manager>


<!-- 访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源 
<beans:bean id="accessDecisionManager" class="com.ckm.console.security.auth.LocalAccessDecisionManager" />
-->

<!-- 资源源数据定义,即定义某一资源可以被哪些角色访问
<beans:bean id="securityMetadataSource" class="com.ckm.console.security.auth.InvocationSecurityMetadataSource" />
-->


<beans:bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.web.authentication.AuthenticationProcessingFilterEntryPoint">
<beans:property name="loginFormUrl" value="/authForbiden.jsp"></beans:property>
<beans:property name="forceHttps" value="false" />
</beans:bean>

<!-- 自定义登陆认证服务,保存用户登陆信于session中 -->
<beans:bean id="usernamePasswordAuthenticationFilter"
class="org.casic.javaframework.core.web.console.security.auth.LocalUsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="concurrentSessionControlStrategy" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
<beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
<!-- 打开密码的MD5加密模式 -->
<beans:property name="passwordEncoderMd5" value="false" />
<!-- 打开验证码校验 -->
<beans:property name="validateCode" value="false" />
</beans:bean>

<!--  
<beans:bean id="authenticationSuccessHandler"
class="com.ckm.console.security.auth.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/index.action"></beans:property>
</beans:bean>
-->
<beans:bean id="authenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.jsp"></beans:property>
</beans:bean>

<!-- 自定义退出服务 -->
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/login.jsp" />
<beans:constructor-arg>
<beans:list>
<beans:ref bean="customSessionLogoutHandler" />
</beans:list>
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/j_spring_security_logout" />
</beans:bean>
<!-- 
<beans:bean id="customSessionLogoutHandler" class="com.ckm.console.security.logout.SessionLogoutHandler">
<beans:property name="sessionRegistry">
<beans:ref local="sessionRegistry" />
</beans:property>
</beans:bean>
-->
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

</beans:beans>
[/code]

#2

我也遇到这个问题,没人来为我们解答一下吗?

#3

在登陆事件里加上return false

#1

下面是我的配置

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans 
     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security 
                        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<http lowercase-comparisons="false" path-type="ant" access-denied-page="/nopop.jsp">
<!-- 当访问被拒绝时,会转到nopop.jsp -->
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/nopop.jsp" filters="none" />
<intercept-url pattern="/uncaughtException.jsp" filters="none" />
<intercept-url pattern="/randomImage.jsp" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/common/**" filters="none" />
<intercept-url pattern="/layout/**" filters="none" />
<intercept-url pattern="/web/**" filters="none" />
<intercept-url pattern="/style/**" filters="none" />

<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true"
default-target-url="/index.action" always-use-default-target="true" />
<http-basic />


<!-- 自定义登陆认证 -->
<custom-filter before="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilter" />
<!-- 默认的认证-->
<custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="filterSecurity" />
<!-- 自定义退出认证 -->
<custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />

<session-management session-fixation-protection="none" invalid-session-url="/j_spring_security_logout">
<concurrency-control session-registry-ref="sessionRegistry" expired-url="/login.jsp?error=repeat" /><!-- 重复登陆返回页面 -->
</session-management>
</http>

<!-- 注入自定义登陆认证usernamePasswordAuthenticationFilter 用以控制同一账户同时登陆个数 -->
<beans:bean id="concurrentSessionControlStrategy"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="2" />
</beans:bean>

<!-- 一个自定义的filter,必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性,
我们的所有控制将在这三个类中实现,解释详见具体配置 
<beans:bean id="filterSecurity" class="com.ckm.console.security.auth.FilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
-->

<!-- 认证管理器,实现用户认证的入口,主要实现UserDetailsService接口即可 -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailService">
<!--   如果用户的密码采用加密的话,可以加点“盐”
<password-encoder hash="md5" />
-->
</authentication-provider>
</authentication-manager>


<!-- 访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源 
<beans:bean id="accessDecisionManager" class="com.ckm.console.security.auth.LocalAccessDecisionManager" />
-->

<!-- 资源源数据定义,即定义某一资源可以被哪些角色访问
<beans:bean id="securityMetadataSource" class="com.ckm.console.security.auth.InvocationSecurityMetadataSource" />
-->


<beans:bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.web.authentication.AuthenticationProcessingFilterEntryPoint">
<beans:property name="loginFormUrl" value="/authForbiden.jsp"></beans:property>
<beans:property name="forceHttps" value="false" />
</beans:bean>

<!-- 自定义登陆认证服务,保存用户登陆信于session中 -->
<beans:bean id="usernamePasswordAuthenticationFilter"
class="org.casic.javaframework.core.web.console.security.auth.LocalUsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="concurrentSessionControlStrategy" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
<beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
<!-- 打开密码的MD5加密模式 -->
<beans:property name="passwordEncoderMd5" value="false" />
<!-- 打开验证码校验 -->
<beans:property name="validateCode" value="false" />
</beans:bean>

<!--  
<beans:bean id="authenticationSuccessHandler"
class="com.ckm.console.security.auth.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/index.action"></beans:property>
</beans:bean>
-->
<beans:bean id="authenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.jsp"></beans:property>
</beans:bean>

<!-- 自定义退出服务 -->
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/login.jsp" />
<beans:constructor-arg>
<beans:list>
<beans:ref bean="customSessionLogoutHandler" />
</beans:list>
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/j_spring_security_logout" />
</beans:bean>
<!-- 
<beans:bean id="customSessionLogoutHandler" class="com.ckm.console.security.logout.SessionLogoutHandler">
<beans:property name="sessionRegistry">
<beans:ref local="sessionRegistry" />
</beans:property>
</beans:bean>
-->
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

</beans:beans>
[/code]

#2

我也遇到这个问题,没人来为我们解答一下吗?

#3

在登陆事件里加上return false
标签:

相关文章