0

当我通过普通的 @Controller 类调用在 @Service 类上找到的 Spring @Secured 方法时,身份验证工作正常。

当我通过 IText PDF 过滤器调用相同的方法时,使用 org.xhtmlrenderer.extend.ReplacedElementFactory 实现,我得到以下堆栈跟踪:

org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:325)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:196)
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:622)

安全性显然是有效的,因为没有所需角色的用户会收到拒绝访问异常,而具有正确角色的其他用户则完全没有问题。

这是我的 web.xml 中的一个片段:

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
    <filter-name>pdfFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>pdfFilter</filter-name>
    <url-pattern>/reports/pdf/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

这是 ReplacedElementFactory 实现的片段:

@Inject private ImageService imageService;

    @Override
    public ReplacedElement createReplacedElement(LayoutContext ctx, BlockBox box, UserAgentCallback uac, int width, int height) {

        Element el = box.getElement();
        if (el == null) {
            return null; 
        }

        String nodeName =  el.getNodeName();
        if (nodeName.equalsIgnoreCase("img")) {
            String srcAttr = el.getAttribute("src");
            FSImage fsImage;
            try {
                fsImage = getImage(srcAttr, uac);
            }catch(BadElementException ex) {
                fsImage = null;
            }catch(IOException ex) {
                fsImage = null;
            }catch(NullPointerException ex) {
                fsImage = null;
            }

            if (fsImage != null) {
                if (width != -1 || height != -1) {
                    fsImage.scale(width, height);
                }

                return new ITextImageElement(fsImage);
            }
        }

        return null;
    }

private FSImage getImage(String src, UserAgentCallback uac) throws IOException, BadElementException, NullPointerException {
        FSImage fsImage;

        String[] split = src.split("/");
        if (src.contains("image/person/")) {                
            Long id = Long.valueOf( split[split.length - 1] );
            Image img = imageService.getPersonImageByImageId(id);           
            fsImage = new ITextFSImage(com.lowagie.text.Image.getInstance(img.getImage()));

        return fsImage;
    }

这是我的 ImageService 类方法:

@Secured({"ROLE_MY_ROLE_READ"})
    public Image getPersonImageByImageId(Long imageId) {
        return imageDao.findOne(imageId);
    }

失败发生在对图像服务方法的调用上,可能是因为它是 Secured 并且 ReplacedElementFactory 实现无权访问安全上下文,但是我如何进行身份验证?

我是新来发帖的,所以如果还有什么需要请告诉我。

4

1 回答 1

0

不知道你是如何配置你的安全性来启动的。但如果你已经使用了,那么检查过滤器的顺序。安全过滤器应该在您的 pdffilter 之前。

于 2013-03-21T04:56:55.480 回答