我有一个使用 Jesery-SpringServlet 的 Jersey 应用程序。此外,我正在尝试使用 Spring 安全性来保护 webapp。具体来说,我使用@Secured 和@PreAuthorize 注释来保护Web 资源方法,但是,无论何时我应用这个或任何其他spring 安全注释,自动装配字段都无法自动装配。
我正在使用带有 Jersey-Spring servlet + spring 3.1.2 安全性的 Jersey 1.7。我也在使用 spring-security 自定义过滤器。我已经实现了 userDetailsService 并设置了必要的 spring bean 以将其连接到 preAuthProvider。正如您从下面的代码中看到的那样,我提供了一些虚拟用户和角色。
一切正常,所有 bean 都按预期自动装配。但是,在下面的 JerseyServiceTest 类中,当 @PreAuthorize 注释应用于 getInfo() 方法时,myService 字段为空。当我删除 @PreAuthorize 注释时它工作正常:
请帮我解决这个问题。以下是我的文件:
安全配置.xml:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://activemq.apache.org/schema/core
http://activemq.apache.org/schema/core/spring-core-3.1.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<context:annotation-config/>
<context:component-scan base-package="com.*" />
<security:global-method-security
pre-post-annotations="enabled">
<security:expression-handler ref="expressionHandler" />
</security:global-method-security>
<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
</bean>
<security:http use-expressions="true" auto-config="true" create-session="stateless">
<security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
<security:intercept-url pattern="/resources/batchstatus/criteria" access="ROLE_App_user"/> -->
</security:http>
<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="SM_USER"/>
<property name="authenticationManager" ref="authenticationManager" />
<property name="exceptionIfHeaderMissing" value="false" />
</bean>
<bean id="preauthAuthProvider"
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
</property>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
</beans>
我的 contextInitializer 类的片段:
context.setConfigLocations(new String[] {
"/WEB-INF/spring/Application-config.xml",
"/WEB-INF/spring/security-config.xml"});
}
.....
泽西服务测试:
...
@Component
@Path("/test")
@Component
public class JerseyServiceTest {
@Autowired
private MyService myService;
@GET
@Produces(MediaType.APPLICATION_JSON)
@PreAuthorize("hasRole('ROLE_App_user')")
public final getInfo(){
... do something
}
...
用户详情服务:
@Service("userDetailsService")
public class UserRoleFetchService implements UserDetailsService {
GrantedAuthority ga = new GrantedAuthorityImpl("ROLE_App_user");
GrantedAuthority ga1 = new GrantedAuthorityImpl("ROLE_App_user1");
Collection<GrantedAuthority> gas = new ArrayList<GrantedAuthority>();
@Override
public UserDetails loadUserByUsername(String userName)
throws UsernameNotFoundException, DataAccessException {
gas.add(ga);
gas.add(ga1);
UserDetails user = new User(userName, "password", gas);
return user;
}
}
网页.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>Jersey-Test</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<context-param>
<param-name>contextInitializerClasses</param-name>
<param-value>mypackage.myContextInitializerClass</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/resources/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>jersey-servlet</servlet-name>
<servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>managed</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>jersey-servlet</servlet-name>
<url-pattern>/resources/*</url-pattern>
</servlet-mapping>
</web-app>
由于公司限制,我不能发布太多细节。