java - Spring 3 MVC + 安全性

Question

我有两个示例项目 - 第一个是 Spring 3 MVC 项目，第二个是 Spring 3 安全项目......两者都运行良好......但是当我尝试创建应用程序时，我同时实现了安全性和 MVC，我可以' t意识到如何使它工作。我的应用程序结构如下所示：

当我有jsp页面时，/安全工作......但是当我想让它们/WEB-INF/views能够@Controller为他们映射时，它就不起作用了......有人可以请教我，在哪里改变什么，使它与 JSP 一起工作/WEB-INF/views/？

我的配置文件：

/WEB-INF/spring/appServlet/servlet-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->

<!-- Enables the Spring MVC @Controller programming model -->
<annotation-driven />

<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />

<!-- Resolves views selected for rendering by @Controllers to .jsp resources in the /WEB-INF/views directory -->
<beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <beans:property name="prefix" value="/WEB-INF/views/" />
    <beans:property name="suffix" value=".jsp" />
</beans:bean>

<context:component-scan base-package="cz.cvut.fit" />

    <context:component-scan base-package="com.chickstarter.web" />
<resources location="/resources/**" mapping="/src/webapp/resources"/>


     </beans:beans>

/WEB-INF/spring/appServlet/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    
 xmlns="http://java.sun.com/xml/ns/javaee"   
 xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 
 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
 http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
 <context-param>
 <param-name>contextConfigLocation</param-name>
 <param-value>/WEB-INF/spring/root-context.xml</param-value>
 </context-param>
 <listener>
 <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
 </listener>
 <servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
 <url-pattern>/</url-pattern>
 </servlet-mapping>
<!-- START: Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- END: Spring Security -->
 <servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:applicationContext-web.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
 <servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/data/*</url-pattern>
</servlet-mapping>
</web-app>

/src/main/resources/applicationContext-sexurity.xml

<beans xmlns:security="http://www.springframework.org/schema/security"
   xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
             http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
             http://www.springframework.org/schema/security
             http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<security:http pattern="/login.jsp*" security="none"/>
<security:http pattern="/denied.jsp" security="none"/>

<security:http auto-config="true" access-denied-page="/denied.jsp" servlet-api-provision="false">
    <security:intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/edit/**" access="ROLE_EDIT"/>
    <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
    <security:form-login login-page="/login.jsp" authentication-failure-url="/denied.jsp"
                         default-target-url="/home.jsp"/>
    <security:logout/>
</security:http>

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="adam" password="adampassword" authorities="ROLE_USER"/>
            <security:user name="jane" password="janepassword" authorities="ROLE_USER, ROLE_ADMIN"/>
            <security:user name="sue" password="suepassword" authorities="ROLE_USER, ROLE_EDIT"/>
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

 </beans>

Answer 1

首先，您在 web.xml 中定义了 2 个调度程序 servlet，一个加载 applicationContext，另一个加载 servlet-context。这真的有必要吗？如果您真的想拆分文件，可以在 servlet-context 中使用 import 标记。

其次，您还有 2 个<resources>标签。第一个就足够了，因为路径扫描从 webapp 文件夹开始。

第三，让您的所有 jsp 只能从它们的控制器访问。排除您想在没有身份验证的情况下访问的 url：

<security:intercept-url pattern="login/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

以上将排除RequestMapping以下控制器可访问的所有资源：

登录控制器：

@Controller
@RequestMapping("login")
public class LoginController 
{

    @RequestMapping(method = RequestMethod.GET)
    public String login(Authentication authentication)
    {
        if ((authentication != null) && authentication.isAuthenticated())
        {
            return "redirect:dashboard";
        }
        return "login";
    }

    @RequestMapping(value="doSomething", method = RequestMethod.POST)
    public String postLogin(Authentication authentication)
    {
        // Something else
    }

}

返回的“登录”将打开您定义的页面，InternalResourceViewResolver并在 WEB-INF/views 下查找该页面。

在您的安全文件中，将所有路径从 jsp 路径更改为RequestMapping路径。

Answer 2

您在不使用处理程序的情况下直接访问一些 jsp。例如

<security:intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:form-login login-page="/login.jsp" authentication-failure-url="/denied.jsp"
                     default-target-url="/home.jsp"/>

因此，安全性将一直有效，直到它在根目录下找到您的登录名、被拒绝和 home jsp。

您可以做的最简单的事情是将它们更改为 /WEB-INF/views url。但是我认为直接访问jsp并不是一种做法。您应该使用处理程序方法。下面我举个例子。

@RequestMapping(value="login", method= RequestMethod.GET)
public String showLogin(){
    return "login";
}

然后为请求映射 url 应用安全性。

<security:intercept-url pattern="login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

现在您的安全逻辑不与您的文件物理位置绑定。保持松散耦合总是好的。

使用 spring安全文档了解更多详细信息。