1

我想限制对我的文件上传功能的访问。我在安全文件中写了拦截 url,但是 Spring Security 没有映射这个 URL。我使用的是 3.0.3 版本的 spring security。这些是我的 xml 文件:

security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans" 
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:security="http://www.springframework.org/schema/security"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                http://www.springframework.org/schema/security
                http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <security:global-method-security secured-annotations="enabled" />

    <http auto-config="true" use-expressions="true" access-denied-page="/forbidden.jsp">
        <intercept-url pattern="/files/**"/>
        <intercept-url pattern="/resources/**" filters="none"/>
        <form-login login-page="/login.htm" 
                    authentication-failure-url = "/login.htm?login_error=1" 
                    default-target-url="/forbidden.htm"/>
        <logout logout-success-url="/login.htm" />
        <anonymous username="guest" granted-authority="ROLE_ANONYMOUS" />
        <remember-me />
    </http>


    <beans:bean id="accountService" name="accountService" class="com.demo.service.impl.AccountServiceImpl" />

    <beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="accountService"/>
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="accountService" />
    </authentication-manager>
</beans:beans>

dispatcher-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
       http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd 
       http://www.springframework.org/schema/mvc 
       http://www.springframework.org/schema/mvc/spring-mvc.xsd
       http://www.springframework.org/schema/context 
       http://www.springframework.org/schema/context/spring-context.xsd">

    <bean class="org.springframework.web.servlet.mvc.support.ControllerClassNameHandlerMapping"/>

    <mvc:annotation-driven />
    <context:component-scan base-package="com.demo"/>
    <mvc:resources mapping="/resources/**" location="/resources/" />


    <bean id="viewResolver"
          class="org.springframework.web.servlet.view.InternalResourceViewResolver"
          p:prefix="/WEB-INF/jsp/"
          p:suffix=".jsp" />

    <bean id="multipartResolver"
       class="org.springframework.web.multipart.commons.CommonsMultipartResolver"/>


</beans>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:/application-dao.xml
            /WEB-INF/applicationContext.xml
            /WEB-INF/security.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
<!--     Spring Security -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
4

2 回答 2

6

为什么你认为 Spring 不映射你的 URL?

乍一看映射看起来不错,但intercept-url并不完整。要授予某人访问 URL 的权限,您应该将规则指向access属性。所以正确的拦截器看起来像这样:

<intercept-url pattern="/files/**" access="isAuthenticated()" />

在这种特殊情况下,只有经过身份验证的用户才能访问您的 URL。

有关 Spring Security 基本功能的更多信息,您可以在官方教程中阅读。

于 2013-06-04T07:04:59.287 回答
0

您的安全标签上缺少命名空间,我看到它们被声明为“安全”,并且您的拦截标签缺少此命名空间

于 2015-10-16T05:48:55.837 回答