1

我正在使用 Spring 创建一个网站,并希望文件夹“/admin”下的所有页面都是安全的。但是真的不知道从哪里开始,只有一个复杂的例子可以继续。

在工作中,我们将详细信息存储在数据库中,但我希望它可以比这更简单,可能存储在 context.xml 或其他东西中?我遇到了这个页面:

在此处输入图像描述

网页.xml:

    <security-constraint>
    <display-name>admin pages</display-name>
    <web-resource-collection>
        <web-resource-name>Administration Pages</web-resource-name>
        <description/>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>userAdmin</role-name>
    </auth-constraint>
    <!--  <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>-->
</security-constraint>

在 tomcat-users.xml 我有以下密码信息:

<user password="password" roles="tomcat,role1,manager-script,manager-gui,admin,manager" username="user"/>

但是当我尝试访问页面 /admin/adminindex.htm 时,我收到了一个禁止的错误:

对指定资源的访问(对请求的资源的访问已被拒绝)已被禁止。

理想情况下,我想将用户详细信息存储在数据库中,但目前都无法进行。

4

3 回答 3

2

我会研究Spring Security,它提供了大量用于保护网站的选项(包括 DB 支持或 JNDI 支持的安全性)。本教程可能是一个很好的起点。

于 2013-02-16T17:38:45.837 回答
0

我将从这个开始: http:

//docs.spring.io/autorepo/docs/spring-security/3.0.x/reference/springsecurity.html
您还可以查看这个已经有基本代码开始使用Spring的项目安全

https://github.com/pgardunoc/spring-security

于 2014-01-20T19:23:10.997 回答
0
This is how I secure applications using Spring Security, here is the web.xml

<filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-servlet.xml
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>


    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring-servlet.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>/myapp/*</url-pattern>
    </servlet-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>



spring-security.xml


     <security:http auto-config="true" use-expressions="true" access-denied-page="/" create-session="never" disable-url-rewriting="true">

    <security:intercept-url pattern="/myapp/auth/login" access="permitAll" />
    <security:intercept-url pattern="/myapp/main/**"  access="hasRole('ROLE_USER')" />

    <security:form-login login-page="/" authentication-failure-url="/myapp/auth/login?error=true" default-target-url="/myapp/main/default"/>
    <security:logout invalidate-session="true" logout-success-url="/myapp/auth/login" logout-url="/myapp/auth/logout" />

</security:http>


In order to authenticate using a Database you can use an Authentication Manager like this in spring-security.xml



 <security:authentication-manager>
        <security:authentication-provider user-service-ref="userService">
            <security:password-encoder ref="passwordEncoder" />
        </security:authentication-provider>
    </security:authentication-manager>

Where "userService" is a service you define that has access to the Database, your service must implement org.springframework.security.core.userdetails.UserDetailsService and write the method 


 public UserDetails loadUserByUsername(String userName)
        throws UsernameNotFoundException, DataAccessException {
    UserDetails user = null;
    try {
        // Replace loadUserFromDB with your Data access method to pull the user and encrypted password from the database
        Users u = loadUserFromDB(userName);
        if(u != null)
            user = new User(u.getEmail(), u.getPassword().toLowerCase(), true, true, true, true, getAuthorities(0));
    } catch (Exception e) {
        e.printStackTrace();
    }
    return user;
 }


Spring security will use this method to secure your pages. Make sure to include this method:


    public Collection<GrantedAuthority> getAuthorities(Integer access) {
    // Create a list of grants for this user
    List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(1);
    authList.add(new GrantedAuthorityImpl("ROLE_USER"));
    authList.add(new GrantedAuthorityImpl("ROLE_ANONYMOUS"));
    return authList;
    }
于 2013-04-13T05:50:09.483 回答