当我通过普通的 @Controller 类调用在 @Service 类上找到的 Spring @Secured 方法时,身份验证工作正常。
当我通过 IText PDF 过滤器调用相同的方法时,使用 org.xhtmlrenderer.extend.ReplacedElementFactory 实现,我得到以下堆栈跟踪:
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:325)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:196)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:622)
安全性显然是有效的,因为没有所需角色的用户会收到拒绝访问异常,而具有正确角色的其他用户则完全没有问题。
这是我的 web.xml 中的一个片段:
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
<filter-name>pdfFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>pdfFilter</filter-name>
<url-pattern>/reports/pdf/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
这是 ReplacedElementFactory 实现的片段:
@Inject private ImageService imageService;
@Override
public ReplacedElement createReplacedElement(LayoutContext ctx, BlockBox box, UserAgentCallback uac, int width, int height) {
Element el = box.getElement();
if (el == null) {
return null;
}
String nodeName = el.getNodeName();
if (nodeName.equalsIgnoreCase("img")) {
String srcAttr = el.getAttribute("src");
FSImage fsImage;
try {
fsImage = getImage(srcAttr, uac);
}catch(BadElementException ex) {
fsImage = null;
}catch(IOException ex) {
fsImage = null;
}catch(NullPointerException ex) {
fsImage = null;
}
if (fsImage != null) {
if (width != -1 || height != -1) {
fsImage.scale(width, height);
}
return new ITextImageElement(fsImage);
}
}
return null;
}
private FSImage getImage(String src, UserAgentCallback uac) throws IOException, BadElementException, NullPointerException {
FSImage fsImage;
String[] split = src.split("/");
if (src.contains("image/person/")) {
Long id = Long.valueOf( split[split.length - 1] );
Image img = imageService.getPersonImageByImageId(id);
fsImage = new ITextFSImage(com.lowagie.text.Image.getInstance(img.getImage()));
return fsImage;
}
这是我的 ImageService 类方法:
@Secured({"ROLE_MY_ROLE_READ"})
public Image getPersonImageByImageId(Long imageId) {
return imageDao.findOne(imageId);
}
失败发生在对图像服务方法的调用上,可能是因为它是 Secured 并且 ReplacedElementFactory 实现无权访问安全上下文,但是我如何进行身份验证?
我是新来发帖的,所以如果还有什么需要请告诉我。