2

如上所述,我在 spring MVC 中有一个 webapp,其中以下正在工作:

  • 没有 js/img/css/png 资产的虚拟页面中的“玩具”版身份验证
  • 控制器中的 URL 映射。所以:http://myhost/myapp/login并且http://myhost/myapp/homepage/*都提供一个页面
  • 休眠/JPA 集成
  • 简而言之,除了在带有资产的完​​整登录页面中的所有内容,即使我输入了正确的用户名/密码组合,身份验证也会被拒绝并重定向到身份验证失败 URL。

(Spring 3.2,Spring Security 3.1.3。我现在使用基于 XML 的身份验证 - 见下文 - 所以与 Hibernate/JPA 无关,我认为这完全是我如何设置 Spring 的问题)

那么我的问题有两个:

  • .png 文件在 servlet 处理时会触发身份验证调用吗?在这种情况下,我该如何过滤掉它?(.jpg .js .css 默认被忽略为“公共对象”,因此不进行安全筛选?
  • 现在安全性已经固定,配置文件(在下面转载)有什么奇怪的地方吗?

我怀疑服务器日志中的以下几行是相关的:

调试日志

09:29:52,516 DEBUG DispatcherServlet:999 - Null ModelAndView returned to DispatcherServlet with name 'mvc-dispatcher': assuming HandlerAdapter completed request handling
09:29:52,517 DEBUG DispatcherServlet:946 - Successfully completed request
09:29:52,517 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
09:29:52,517 DEBUG HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
09:29:52,517 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
09:29:52,983 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
09:29:52,983 DEBUG HttpSessionSecurityContextRepository:139 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
09:29:52,983 DEBUG HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@104ce68. A new one will be created.
09:29:52,983 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
09:29:52,984 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
09:29:52,984 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
09:29:52,984 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
09:29:52,984 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
09:29:52,984 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
09:29:52,985 DEBUG AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 2AE4A610A87DADA1FC2D3EC33BAC5176; Granted Authorities: ROLE_ANONYMOUS'

09:29:52,990 DEBUG DispatcherServlet:999 - Null ModelAndView returned to DispatcherServlet with name 'mvc-dispatcher': assuming HandlerAdapter completed request handling
09:29:52,991 DEBUG DispatcherServlet:946 - Successfully completed request
09:29:52,991 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
09:29:52,991 DEBUG HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
09:29:52,991 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed

目前我正在使用简单的、基于 XML 的身份验证,如下所示:

安全上下文.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<http auto-config="true">
    <intercept-url pattern="/homepage*" access="ROLE_USER" />
    <!-- custom securiy URL mappings -->
    <form-login login-page="/login" default-target-url="/homepage/main"
        authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/logout" />     
</http>

<authentication-manager>
  <authentication-provider>
    <user-service>
    <user name="user" password="pass" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>
</authentication-manager>

</beans:beans>

其他相关配置文件:

mvc-调度程序-servlet.xml

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
    http://www.springframework.org/schema/beans     
    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/context 
    http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">

<context:component-scan base-package="com.blah.blah.controller" />
<!-- URI mapping for static content -->
<mvc:resources mapping="/resources/**" location="/resources/" />
<bean
  class="org.springframework.web.servlet.view.InternalResourceViewResolver" id="viewResolver">
  <property name="prefix">
    <value>/WEB-INF/views/</value>
  </property>
  <property name="suffix">
    <value>.jsp</value>
  </property>
</bean>

 <!-- also add the following beans to get rid of some exceptions -->
 <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter" />
 <bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping" />
</beans>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    id="yourpackagename.yourwebproject" version="2.5">
<display-name>my web project</display-name>

<!-- Spring Framework Configuration -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>       
        classpath:application-context.xml,
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


<!-- Servlet Configurations -->
<!-- Web App Dispatcher -->
<!-- Spring MVC -->
<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>
                org.springframework.web.servlet.DispatcherServlet
            </servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<!-- Mentioning the Context Loader Listener class of Spring Framework as a listener -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Filter Configurations -->
<!-- UTF-8 encoding filter -->
<filter>
    <filter-name>encodingFilter</filter-name>
    <filter-class>
        org.springframework.web.filter.CharacterEncodingFilter
    </filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- logging -->
<context-param>
    <param-name>log4jConfigLocation</param-name>
    <param-value>/WEB-INF/classes/log4j.properties</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>

</web-app>
4

2 回答 2

2

由于 spring 过滤器适用于所有请求,因此 png 图像也是如此。对于第一个问题,您可以使用这样的行过滤 png

<intercept-url pattern="/**/*.png" access="ROLE_ANONYMOUS" />

或者如果您决定使用访问表达式

<intercept-url pattern="/**/*.png" access="true" />

但是从您的配置文件来看,无论如何都应该是这种情况。

另一种方法是:

<http pattern="/**/*.png" security="none"/>
于 2013-02-28T09:55:57.083 回答
0

阿德里安的回答很好。使用 Spring 4 和 Spring Security 4,我们现在对图像和其他资源进行过滤:

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/assets**" access="permitAll" />
    <intercept-url pattern="/images**" access="permitAll" />
...
</http>

这种 ant 样式的模式表示法允许您不关心资源的文件夹层次结构。

当然,您必须使用带有以下标签的适当访问权限:

<intercept-url pattern="/private.do" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<intercept-url pattern="/admin.do" access="hasRole('ROLE_ADMIN')" />

不要忘记激活 CSRF 保护:

<csrf/>

我发现配置起来非常方便。五年前没那么容易:)

于 2016-03-01T09:45:55.193 回答