我们正在尝试将现有的基于 Spring 2.5 的应用程序升级到 Glassfish 3.1.2.2。
此应用程序在具有 Spring 2 安全性的 Glassfish 2.1 上运行良好。为此,我们正在使用我们的自定义身份验证设置。
该应用程序在 GF3 上可以正常部署。当我们尝试登录应用程序时,会显示基于表单的自定义身份验证页面。但提交凭据后,却弹出了使用 GF3 服务器文件领域(file realm)的 HTTP 基本身份验证(Basic)对话框。
我们已经尝试过以下方法,但都没有奏效:
这个 SO 线程没有答案
将 Spring 版本升级到 Last Best Version 2.5.6.SEC03 - 这仍然显示相同的问题
升级到 Spring 3 对我们来说不是一个选择,因为我们被一些第三方供应商库所困,这些库在 Spring 2 上具有编译时依赖性。
我们已经得到了 Oracle 的支持,但结果证明它们毫无用处(他们的支持总是令人失望)
您是否知道针对这种情况的任何解决方法?
下面是我们在 web.xml 中的安全配置代码
<!-- Registers Spring's DelegatingFilterProxy under the name springSecurityFilterChain;
     the proxy forwards each request to the Spring bean with that same name.
     NOTE(review): container-level security (security-constraint / login-config) is
     evaluated by the servlet container before any filter runs, so this filter only
     sees requests the container has let through. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- Route every request path in the web application through the proxy. -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Container-level constraint covering /app/*.
     NOTE(review): naming http-method elements limits the constraint to exactly those
     methods; requests made with any other method (HEAD, PUT, DELETE, ...) fall
     outside it.
     NOTE(review): this constraint carries no auth-constraint and no
     user-data-constraint, so as written it requires neither a role nor a confidential
     transport. Confirm against the full web.xml, including any login-config, which
     decides how the container challenges the client. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>app</web-resource-name>
        <url-pattern>/app/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
</security-constraint>
下面是我们在 spring beans.xml 中的安全配置代码
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
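<!-- Spring Security HTTP configuration: custom entry point, custom access decision
     manager, no auto-config.
     session-fixation-protection was "none", which leaves the session id issued before
     login valid after login; "migrateSession" makes the framework start a new session
     on authentication and copy the existing attributes into it. -->
<http access-decision-manager-ref="accessDecisionManager"
      auto-config="false"
      realm="SPRING"
      session-fixation-protection="migrateSession"
      servlet-api-provision="true"
      entry-point-ref="authEntryPoint">
    <!-- filters="none" takes these paths out of the security filter chain entirely:
         no authentication, no access check, no security context. Keep this list to
         the login page and static assets only. -->
    <intercept-url pattern="/Login*" filters="none"/>
    <intercept-url pattern="/styles.css" filters="none"/>
    <intercept-url pattern="/images/**" filters="none"/>
    <intercept-url pattern="/**.js" filters="none"/>
    <!-- Pages require the "users" authority (roleVoter is configured with an empty prefix). -->
    <intercept-url pattern="/**.html" access="users"/>
    <intercept-url pattern="/**.htmlx" access="users"/>
    <!-- NOTE(review): there is no catch-all pattern="/**" rule, so a path that matches
         none of the patterns above has no access attribute and is presumably served
         without an access check. Confirm that every dynamic URL ends in .html/.htmlx. -->
</http>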
<!-- Publishes the namespace-created authentication manager under the bean name
     "authenticationManager" so other beans can reference it (customAuthFilter does). -->
<authentication-manager alias="authenticationManager"/>
<!-- Replaces the default authentication processing filter so that login can run
     custom actions with access to the servlet objects; this is what allows
     Tapestry-specific work such as creating the custom visit ASO.
     NOTE(review): /j_security_check is the action URL the Servlet specification
     reserves for container-managed form login. A container may handle that path itself
     before the filter chain runs; check whether GlassFish 3 does, since that would
     explain a container realm prompt appearing after the form is submitted. If the URL
     is changed here, the login form's action has to change with it. -->
<beans:bean id="customAuthFilter" class="com.mycomp.core.security.TapestryIntegrationFilter">
    <!-- Takes the slot of the standard authentication processing filter in the chain. -->
    <custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
    <beans:property name="defaultTargetUrl" value="/Home.html"/>
    <beans:property name="filterProcessesUrl" value="/j_security_check"/>
    <beans:property name="authenticationFailureUrl" value="/Login.html"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<!-- A custom authentication filter needs its own entry point, because the "form-login"
     element under "http" cannot be used to configure it. Unauthenticated requests are
     sent to the login form URL below.
     NOTE(review): nothing here forces the login form onto HTTPS; confirm that transport
     security for the credential submission is enforced elsewhere. -->
<beans:bean id="authEntryPoint"
            class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <beans:property name="loginFormUrl" value="/Login.html"/>
</beans:bean>
<!-- Defined only so that role names can be used without the "ROLE_" prefix: the
     roleVoter below has an empty prefix, and wiring a voter in requires declaring the
     access decision manager explicitly.
     NOTE(review): with an empty prefix the role voter presumably treats every access
     attribute as a role name, not only those meant as roles; AffirmativeBased grants
     access as soon as one voter grants it. Confirm this is the intended semantics. -->
<beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
                <beans:property name="rolePrefix" value=""/>
            </beans:bean>
            <beans:bean id="authenticatedVoter"
                        class="org.springframework.security.vote.AuthenticatedVoter"/>
        </beans:list>
    </beans:property>
</beans:bean>
<!-- PIMA-specific authentication provider. The custom-authentication-provider child
     element is what plugs it into the framework's authentication manager.
     customUserDao and transactionManager are beans defined outside this excerpt. -->
<beans:bean id="pscAuthenticationProvider"
            class="com.myapp.core.security.CustomAuthenticationProvider">
    <beans:property name="customUserDao" ref="customUserDao"/>
    <beans:property name="passwordUtility" ref="passwordUtility"/>
    <beans:property name="transactionManager" ref="transactionManager"/>
    <custom-authentication-provider/>
</beans:bean>
<!-- Password helper shared by the authentication provider and the security service.
     NOTE(review): passwords are hashed with MD5 and one salt shared by every account.
     MD5 is fast to brute-force and a single salt lets one precomputation cover all
     users; plan a migration to a slow, adaptive password hash with a per-user salt,
     re-hashing each account at its next successful login.
     NOTE(review): the salt is a literal in this file; keep the real value out of
     version control and out of anything posted publicly. -->
<beans:bean id="passwordUtility" class="com.myapp.core.security.PasswordUtility">
    <!-- Comment/uncomment the two properties below to toggle password encoding off/on.
         NOTE(review): with encoding off, passwords are presumably handled as plain
         text; never ship that configuration. -->
    <beans:property name="saltSource">
        <beans:bean class="org.springframework.security.providers.dao.salt.SystemWideSaltSource">
            <beans:property name="systemWideSalt" value="somegoodsalt"/>
        </beans:bean>
    </beans:property>
    <beans:property name="passwordEncoder">
        <beans:bean class="org.springframework.security.providers.encoding.Md5PasswordEncoder"/>
    </beans:property>
    <!-- End of the toggled section. -->
</beans:bean>
<!-- Application security service; it is given the same passwordUtility bean that the
     authentication provider uses. -->
<beans:bean id="securityService" class="com.scea.core.security.SecurityService">
    <beans:property name="passwordUtility" ref="passwordUtility"/>
</beans:bean>