配置SpringSecurity前台后台登录处理

下面的代码分别配置了后台登录和前台登录的验证处理。但是无法同时保持两个登录状态：要么处于后台登录状态，要么处于前台登录状态。

 <!--<debug/>-->
    <!-- BCrypt password encoder shared by the admin and the member authentication providers below -->
    <beans:bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"
                id="userBCryptEncoder"/>
    <!-- Account lookup for the admin realm: referenced by adminAuthenticationManager and by the admin chain's
         remember-me element. The custom class receives the shared jdbcTemplate.
         NOTE(review): the Java class is not shown here, so whether it enforces account status flags
         (locked / expired / disabled) has to be confirmed in its source. -->
    <beans:bean id="adminUserDetailsService" class="com.fengyunhe.manager.service.AdminUserDetailsService">
        <beans:property name="jdbcTemplate" ref="jdbcTemplate"/>
    </beans:bean>


    <!-- Authentication manager for the admin realm: one provider backed by adminUserDetailsService, comparing
         submitted passwords with the BCrypt encoder. Kept separate from memberAuthenticationManager so the two
         realms never consult each other's credential store. (alias equals id, so it adds no extra name.) -->
    <authentication-manager id="adminAuthenticationManager" alias="adminAuthenticationManager">
        <authentication-provider user-service-ref="adminUserDetailsService">
            <password-encoder ref="userBCryptEncoder"/>
        </authentication-provider>
    </authentication-manager>




    <!-- Admin login page entry point: loginFormUrl=/admin/login, with forceHttps and useForward both enabled
         (how the custom AdminLoginEntryPoint combines the two flags is not visible in this file).
         NOTE(review): nothing in this file references this bean - the <http pattern="/admin/**"> block has no
         entry-point-ref - so unless it is wired elsewhere, the entry point actually in effect is the one
         form-login derives from its login-page attribute, and these forceHttps/useForward settings are not applied. -->
    <beans:bean id="adminLoginEntryPoint" class="com.fengyunhe.manager.AdminLoginEntryPoint">
        <beans:constructor-arg name="loginFormUrl" value="/admin/login"/>
        <beans:property name="forceHttps" value="true"/>
        <beans:property name="useForward" value="true"/>
    </beans:bean>


    <!-- Access decision manager for the admin chain. AffirmativeBased grants access as soon as any voter says yes.
         Because the admin <http> uses use-expressions="true", its access attributes are SpEL expressions
         (permitAll(), hasRole(...)), which WebExpressionVoter evaluates; RoleVoter and AuthenticatedVoter
         presumably abstain on those attributes and so are inert here - harmless, but worth confirming.
         NOTE(review): memberAccessDecisionManager further down is an exact copy; one shared bean would do. -->
    <beans:bean id="adminAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:constructor-arg name="decisionVoters" >
            <beans:list>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                <beans:bean
                        class="org.springframework.security.access.vote.AuthenticatedVoter" />
                <beans:bean
                        class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>


    <!-- Admin filter chain: every request under /admin/** is handled by this <http> block, authenticated through
         adminAuthenticationManager and authorized through adminAccessDecisionManager. use-expressions="true" is
         what permits the permitAll() / hasRole('ROLE_ADMIN') forms used below.
         NOTE(review): this chain and the /member/** chain both keep the logged-in SecurityContext in the default
         HttpSession attribute, which looks like the reason only one of the two logins survives at a time. Giving
         each <http> its own security-context-repository-ref (an HttpSessionSecurityContextRepository with a
         distinct springSecurityContextKey) should keep the two contexts apart - confirm against the Spring
         Security version in use.
         NOTE(review): access-denied-page is the older attribute form; newer 3.x releases express the same thing as
         <access-denied-handler error-page="/admin/login"/>. -->
    <http pattern="/admin/**" authentication-manager-ref="adminAuthenticationManager"
          access-decision-manager-ref="adminAccessDecisionManager"
          use-expressions="true"
          access-denied-page="/admin/login">
        <!-- Remember-me cookie for admins, validated against adminUserDetailsService.
             NOTE(review): the key "fengyunhe" is the same literal the member chain uses; as far as I recall the key
             feeds the remember-me token signature, so a distinct key (and a distinct remember-me-cookie name) per
             chain keeps the two realms' cookies from being interchangeable. It is also a static secret kept in
             configuration; treat it like a password. -->
        <remember-me key="fengyunhe" user-service-ref="adminUserDetailsService"/>

        <!-- intercept-url rules are evaluated in document order, first match wins: the two login URLs must stay
             above the /admin/** catch-all below, or they would fall under hasRole('ROLE_ADMIN'). -->
        <intercept-url pattern="/admin/login" access="permitAll()" requires-channel="https"/>
        <intercept-url pattern="/admin/login_submit" access="permitAll()" requires-channel="https"/>
        <!-- The form posts to /admin/login_submit; always-use-default-target="true" discards the originally
             requested URL and always lands on /admin/ after a successful login. -->
        <form-login login-page="/admin/login"
                    default-target-url="/admin/"
                    authentication-failure-url="/admin/login"
                    login-processing-url="/admin/login_submit"
                    always-use-default-target="true"
                />
        <!-- Logout invalidates the HTTP session and clears JSESSIONID. The member chain presumably lives in the
             same web application and therefore the same session, so an admin logout also ends any member login
             held there - confirm whether that is intended. -->
        <logout logout-url="/admin/logout" invalidate-session="true" delete-cookies="JSESSIONID"
                logout-success-url="/admin/login"/>

        <!-- Catch-all: everything else under /admin/ requires ROLE_ADMIN and https. -->
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
        <!-- Session fixation protection is on (the session id is migrated at login); invalid or failed sessions
             are sent back to the login page. -->
        <session-management invalid-session-url="/admin/login" session-authentication-error-url="/admin/login"
                            session-fixation-protection="migrateSession" >
            <!--<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>-->
        </session-management>
    </http>




    <!-- Member (front-end user) login and authorization follow. -->


    <!-- Authentication manager for the member realm: one provider backed by memberUserDetailsService (declared
         further down in this file), using the same BCrypt encoder as the admin realm. -->
    <authentication-manager id="memberAuthenticationManager" alias="memberAuthenticationManager">
        <authentication-provider user-service-ref="memberUserDetailsService">
            <password-encoder ref="userBCryptEncoder"/>
        </authentication-provider>
    </authentication-manager>

    <!-- Member login page entry point: loginFormUrl=/member/login, forceHttps and useForward enabled.
         NOTE(review): as with adminLoginEntryPoint, nothing in this file references this bean - the
         <http pattern="/member/**"> block has no entry-point-ref - so unless it is wired elsewhere, the entry
         point in effect is the one form-login derives from its login-page attribute. -->
    <beans:bean id="memberLoginEntryPoint" class="com.fengyunhe.member.MemberLoginEntryPoint">
        <beans:constructor-arg name="loginFormUrl" value="/member/login"/>
        <beans:property name="forceHttps" value="true"/>
        <beans:property name="useForward" value="true"/>
    </beans:bean>

    <!-- Account lookup for the member realm, referenced by memberAuthenticationManager and by the member
         chain's remember-me element; backed by the shared jdbcTemplate -->
    <beans:bean class="com.fengyunhe.member.service.MemberUserDetailsService"
                id="memberUserDetailsService">
        <beans:property name="jdbcTemplate">
            <beans:ref bean="jdbcTemplate"/>
        </beans:property>
    </beans:bean>


    <!-- Access decision manager for the member chain: an exact copy of adminAccessDecisionManager (AffirmativeBased,
         any single yes vote grants access). With use-expressions="true" on the member <http>, only WebExpressionVoter
         evaluates the SpEL access attributes; RoleVoter and AuthenticatedVoter presumably abstain on them.
         NOTE(review): the duplication could be removed by pointing both <http> blocks at one bean. -->
    <beans:bean id="memberAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:constructor-arg name="decisionVoters" >
            <beans:list>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                <beans:bean
                        class="org.springframework.security.access.vote.AuthenticatedVoter" />
                <beans:bean
                        class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>
    <!-- Member filter chain: every request under /member/** is handled by this <http> block, authenticated through
         memberAuthenticationManager and authorized through memberAccessDecisionManager (use-expressions="true"
         permits the permitAll() / hasRole('ROLE_MEMBER') forms below).
         NOTE(review): like the admin chain, the logged-in SecurityContext ends up in the default HttpSession
         attribute, so the two realms overwrite each other's login; a per-chain security-context-repository-ref
         with its own springSecurityContextKey looks like the fix - confirm against the Spring Security version in use.
         NOTE(review): access-denied-page is the older attribute form; newer 3.x releases express it as
         <access-denied-handler error-page="/member/login"/>. -->
    <http pattern="/member/**" authentication-manager-ref="memberAuthenticationManager"
          access-decision-manager-ref="memberAccessDecisionManager"
          use-expressions="true"
          access-denied-page="/member/login" >
        <!-- Remember-me cookie for members, validated against memberUserDetailsService.
             NOTE(review): key "fengyunhe" is the same literal the admin chain uses; use a distinct key (and a
             distinct remember-me-cookie name) per chain so the two realms' cookies are not interchangeable. -->
        <remember-me key="fengyunhe" user-service-ref="memberUserDetailsService"/>

        <!-- First match wins: the login URLs stay above the /member/** catch-all below. Both require https. -->
        <intercept-url pattern="/member/login" access="permitAll()" requires-channel="https"/>
        <intercept-url pattern="/member/login_submit" access="permitAll()" requires-channel="https" />
        <!-- The form posts to /member/login_submit; the form field names are pinned explicitly to username /
             password (whether those equal the framework defaults depends on the Spring Security version).
             always-use-default-target="true" discards the originally requested URL and always lands on /member/. -->
        <form-login login-page="/member/login"
                    default-target-url="/member/"
                    authentication-failure-url="/member/login"
                    login-processing-url="/member/login_submit"
                    username-parameter="username"
                    password-parameter="password"
                    always-use-default-target="true"
                />
        <!-- Logout invalidates the HTTP session and clears JSESSIONID; the admin chain presumably shares that
             session, so a member logout also ends any admin login held in it - confirm whether that is intended. -->
        <logout logout-url="/member/logout" invalidate-session="true" delete-cookies="JSESSIONID"
                logout-success-url="/member/login"/>

        <!-- Catch-all: the rest of /member/ requires ROLE_MEMBER but is forced back to plain http, i.e. the user
             logs in over https and is then sent to http. As the author notes below the config, the session cookie
             issued during the https login may be flagged Secure and is then not sent over http, which is why the
             user appears to land back on the login page.
             NOTE(review): the safer resolution is requires-channel="https" here as well (the whole member area over
             TLS); that also removes the reason for turning fixation protection off in session-management. -->
        <intercept-url pattern="/member/**" access="hasRole('ROLE_MEMBER')" requires-channel="http"/>
        <!-- session-fixation-protection="none" keeps the pre-login session id after authentication. It is what the
             https-to-http hand-off above needed, but it means a session id planted before login stays valid after
             login; prefer migrateSession (as in the admin chain) once /member/** is https-only. -->
        <session-management  session-fixation-protection="none">
            <!--<concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>-->
        </session-management>
    </http>

注意：如果要关闭 session 固定攻击防御，则只能配置 session-fixation-protection="none"，不能再带其他属性，否则防御仍然会被开启。开启防御后，会影响"用 https 登录后切回 http"这种方式：因为登录后 session 发生了变化，新发放的 sessionId 所在的 cookie 是 secure 的，在 http 下无法获取到，所以会出现跳回 http 后仍然停留在登录页面的问题。
