升级到 Spring Security 4.2.3 后,登录时出现:
HTTP Status 403 - Could not verify the provided CSRF token because your session was not found
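在 <sec:http> 里面需要增加以下配置(注意:其中的 sec:csrf disabled="true" 只是关闭 CSRF 校验来绕过这个 403;如果要保留 CSRF 防护,应在登录表单中一并提交 CSRF token):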
<!-- Response-header settings for the enclosing sec:http element. Each child sets disabled="true" on one header writer: frame-options, content-type-options, cache-control and xss-protection. -->
<!-- NOTE(review): the error this snippet is meant to fix is a CSRF-token 403; the page does not say why the headers must also be disabled. Presumably this restores 3.x behaviour, where these headers were not written by default. Confirm each one is really needed, since turning them off drops the clickjacking, MIME-sniffing and caching protections they provide. -->
<sec:headers>
<sec:frame-options disabled="true"/>
<sec:content-type-options disabled="true"/>
<sec:cache-control disabled="true"/>
<sec:xss-protection disabled="true"/>
</sec:headers>
<!-- Use the bean with id "sas" as the session authentication strategy. -->
<sec:session-management session-authentication-strategy-ref="sas" />
<!-- Turns CSRF protection off for this sec:http element. -->
<!-- NOTE(review): this silences the "Could not verify the provided CSRF token" 403 instead of supplying a token. The alternative is to leave CSRF enabled and send the token (exposed as the _csrf request attribute) with the login form and every other state-changing request. -->
<sec:csrf disabled="true" />
<!-- Session strategy applied after successful authentication -->
<!-- Declares the "sas" bean as a SessionFixationProtectionStrategy with migrateSessionAttributes set to true. -->
<!-- NOTE(review): as I understand it, this strategy issues a new session at login and, with the flag true, copies the old session's attributes into it; confirm against the 4.2.3 Javadoc. -->
<bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<property name="migrateSessionAttributes" value="true"/>
<!-- The retainedAttributes property below is commented out and therefore not applied. -->
<!--
<property name="retainedAttributes">
<list>
<value>SPRING_SECURITY_SAVED_REQUEST</value>
<value>docUser</value>
</list>
</property>
-->
</bean>
<sec:form-login> 里面的配置:
<!-- Form login: the login page is /login.jsp, credentials are read from the j_username and j_password request parameters, and the form is processed at /j_security_check. -->
<!-- default-target-url is /index.jsp; failed logins are sent to /login.jsp?error=true. -->
<!-- username-parameter, password-parameter and login-processing-url are set explicitly to keep the 3.x style names that the existing login page posts. -->
<sec:form-login login-page="/login.jsp"
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_security_check"
default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true"/>
<!-- Also enables HTTP Basic authentication for the same sec:http element. -->
<sec:http-basic />
原来在 3.x 的时候,没有配置:
username-parameter="j_username"
password-parameter="j_password"
如果不增加的话(4.x 的默认参数名已改为 username 和 password,登录页提交的 j_username 不会被读取),会报:
org.springframework.security.authentication.BadCredentialsException: Empty Username
完整的配置文件:
<!-- Main security filter chain: auto-config is off, servlet API integration and expression-based access rules are on. -->
<sec:http auto-config="false" servlet-api-provision="true" use-expressions="true" >
<!-- Paths open to everyone. "/log*" covers any single-segment path starting with "log" (the login and logout pages among them); "/css/**" covers the static stylesheets. -->
<sec:intercept-url pattern="/log*" access="permitAll" />
<sec:intercept-url pattern="/css/**" access="permitAll" />
<!-- Paths that may only be accessed after authentication -->
<!-- NOTE(review): the catch-all rule below is commented out, so no intercept-url on this page requires authentication. Confirm that access control is enforced somewhere else (another http element, method security, or the pre-auth filter), otherwise every URL is reachable anonymously. -->
<!-- <sec:intercept-url pattern="/**" access="isAuthenticated()" /> -->
<!-- Form login with the 3.x style parameter names and processing URL set explicitly; the page reports "BadCredentialsException: Empty Username" when they are omitted. -->
<sec:form-login login-page="/login.jsp"
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_security_check"
default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true"/>
<!-- HTTP Basic authentication is enabled alongside form login. -->
<sec:http-basic />
<!-- After logout the browser is sent to /logout.jsp. -->
<sec:logout logout-success-url="/logout.jsp" />
<!-- Remember-me authentication with no attributes set, i.e. namespace defaults. -->
<sec:remember-me />
<!-- Filters -->
<!-- Registers the bean "jeePreAuthenticatedFilter" at the PRE_AUTH_FILTER position; the bean definition is not shown on this page. -->
<sec:custom-filter ref="jeePreAuthenticatedFilter" position="PRE_AUTH_FILTER" />
<!-- NOTE(review): all four header writers are disabled here. The page does not explain why this is needed for the CSRF 403; confirm before copying, since it removes the clickjacking, MIME-sniffing and caching protections. -->
<sec:headers>
<sec:frame-options disabled="true"/>
<sec:content-type-options disabled="true"/>
<sec:cache-control disabled="true"/>
<sec:xss-protection disabled="true"/>
</sec:headers>
<!-- Session authentication strategy is the "sas" bean. -->
<sec:session-management session-authentication-strategy-ref="sas" />
<!-- NOTE(review): CSRF protection is switched off for the whole chain. This hides the 403 rather than fixing the missing token; to keep the protection, leave CSRF enabled and submit the _csrf token from login.jsp and other forms. -->
<sec:csrf disabled="true" />
</sec:http>
<!-- Session strategy applied after successful authentication -->
<!-- "sas" is a SessionFixationProtectionStrategy with migrateSessionAttributes set to true. -->
<!-- NOTE(review): presumably this carries the existing session attributes over to the session created at login; confirm against the 4.2.3 Javadoc. -->
<bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<property name="migrateSessionAttributes" value="true"/>
</bean>
具体参考:
http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html#m3to4-xmlnamespace-form-login