1

Spring 安全文档(http://static.springsource.org/spring-security/site/docs/3.1.x/reference/taglibs.html#d0e6875)说明如下:

您可以使用安全标签库授权通过 URL 进行访问,如下所示:

<sec:authorize url="/admin"> 此内容仅对被授权向“/admin” URL 发送请求的用户可见。 </sec:authorize>

要使用此标记,您的应用程序上下文中还必须有一个 WebInvocationPrivilegeEvaluator 实例。如果您使用命名空间,则会自动注册一个

现在没事了...

我刚刚从 Spring Security 3.0 升级到 3.1

在 SS 3.0 中,使用基于 URL 的访问的 JSP 标记运行良好。当放入 3.1 罐子时,它停止工作。

我正在使用 Spring Security 命名空间。因此,我应该拥有使 JSP 标记工作所需的一切,但它们没有。有关配置的所有其他内容都适用于我的应用程序。唯一不起作用的是使用 JSP 标记的基于 URL 的访问。

我的配置如下所示(针对 SS 3.1 更新)。我错过了什么?

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:global-method-security secured-annotations="enabled"/>

    <security:http pattern="/feed/**" create-session="stateless" entry-point-ref="digestEntryPoint" authentication-manager-ref="webAuthenticationManager" use-expressions="true">
        <security:http-basic/>
        <custom-filter ref="digestFilter" after="BASIC_AUTH_FILTER" />
    </security:http>

    <security:http name="webHttp" auto-config="true" use-expressions="true" authentication-manager-ref="webAuthenticationManager">
        <!-- Restrict URLs based on role -->
        <security:intercept-url pattern="/auth/login" access="permitAll" />
        <security:intercept-url pattern="/auth/autologin" access="permitAll" />
        <security:intercept-url pattern="/auth/logout" access="isAuthenticated()" />
        <security:intercept-url pattern="/auth/loginSuccess" access="" /> <!-- empty access tag.  The method checks for authenticated user -->

        <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />

        <!-- Override default login and logout pages -->
        <security:form-login login-page="/auth/login" 
                             login-processing-url="/auth/loginProcess" 
                             default-target-url="/auth/loginSuccess" 
                             authentication-failure-url="/auth/login?error=1" />
        <security:logout logout-url="/auth/logout" logout-success-url="/" />
        <security:remember-me key="remembermekey" user-service-ref="userDetailsService"/>
        <security:session-management invalid-session-url="/auth/login"/>

    </security:http>

    <beans:bean id="digestFilter" class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
        <beans:property name="userDetailsService" ref="userDetailsService" />
        <beans:property name="authenticationEntryPoint" ref="digestEntryPoint" />
    </beans:bean>
    <beans:bean id="digestEntryPoint" class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
        <beans:property name="realmName" value="Contacts Realm via Digest Authentication" />
        <beans:property name="key" value="acegi" />
    </beans:bean>    

    <security:authentication-manager id="webAuthenticationManager" alias="webAuthenticationManager">
        <security:authentication-provider user-service-ref="userDetailsService">
            <security:password-encoder hash="md5"/>
        </security:authentication-provider>     
    </security:authentication-manager>

</beans:beans>
4

0 回答 0