0

我正处于试图让它发挥作用的第 3 天,但运气不佳。下面是使用场景(这里只用我自己的话总结一下):

在现有应用程序中,我们需要集成 Spring 安全性。用户登录配置无法更改,我们希望在 Spring 中使用标准注释(@Secured@PreAuthorize)来锁定对 RESTful 端点的访问。内部对象可以包装,但不允许更改。

为了安全,我在 Maven 中添加了所有核心依赖项:

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-core</artifactId>
  <version>${spring.version}</version>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-web</artifactId>
  <version>${spring.version}</version>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-config</artifactId>
  <version>${spring.version}</version>
</dependency>

我采用了系统中的自定义User类,并为其创建了两个包装器以插入 Spring Security Framework:

  1. CustomAuthentication实现org.springframework.security.core.Authentication
  2. CustomUserDetails实现org.springframework.security.core.userdetails.UserDetails

然后我创建了一个使用@Service("userDetailService")注释的org.springframework.security.core.userdetails.UserDetailsS ​​ervice 实现。这完成了 Spring Security 的基本 Java 端实现,我认为我需要它才能让事情运行起来。

我创建了一个类com.myapp.rest.SecurityTestController,如下所示:

@Controller
@RequestMapping("/security-test")
public class SecurityTestController {

  @RequestMapping("wide-open/{name}")
  @ResponseBody
  public String restWideOpen(@PathVariable String name, HttpSession session) {
    return "Hello, " + name + ", from a wide-open RESTful service.";
  }

  @Secured("ROLE_XYZ")
  @RequestMapping("require-auth/{name}")
  @ResponseBody
  public String restRequireAuthorization(@PathVariable String name, HttpSession session) {
    return "Hello, " + name + ", from a RESTful service requiring authorization.";
  }
}

我还更新了要添加的内部日志记录代码(由原始开发人员实现为@Conroller ):

Authentication customAuthentication = new CustomAuthentication(user);
SecurityContextHolder.getContext().setAuthentication(customAuthentication);

在注销时,我只是简单地添加了:

SecurityContextHolder.clearContext();

一切看起来都很好,编译没有问题,等等。所以我决定继续进行配置方面的工作,以使应用程序能够安全地工作。无需任何更改,我就可以使用基本 URL 访问这两个界面(在这种情况下,恰好是localhost:8080/myapp/security-test/...)。

所以这里是配置:

web.xml

<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <display-name>MyApp</display-name>

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext*.xml</param-value>
  </context-param>

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <servlet>
    <servlet-name>myapp-web</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>myapp-web</servlet-name>
    <url-pattern>/myapp/*</url-pattern>
  </servlet-mapping>

  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/myapp/**</url-pattern>
  </filter-mapping>

</web-app>

应用程序上下文.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans ...>
    <context:annotation-config />
    <context:component-scan base-package="com.myapp" />
    <context:property-placeholder location="/WEB-INF/servlet.properties" />

    <bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
        <property name="basename" value="messages" />
    </bean>

    <bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
        <property name="maxUploadSize" value="${maxProfileImageSize}"/>
    </bean>

    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="com.mysql.jdbc.Driver"/>
        <property name="url" value="${datasource.url}"/>
        <property name="username" value="${datasource.username}"/>
        <property name="password" value="${datasource.password}"/>
    </bean>

    <tx:annotation-driven transaction-manager="transactionManager" />

    <bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
        <property name="dataSource" ref="dataSource" />
    </bean>

    <bean id="sqlSessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean">
        <property name="dataSource" ref="dataSource" />
        <property name="typeAliasesPackage" value="com.myapp.bean" />
    </bean>

    <bean id="velocityEngine" class="org.springframework.ui.velocity.VelocityEngineFactoryBean">
        <property name="resourceLoaderPath" value="/WEB-INF/views/velocity/"/>
        <property name="configLocation" value="/WEB-INF/velocity.properties"/>
    </bean>

    <bean id="properties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
        <property name="location" value="/WEB-INF/servlet.properties"/>
    </bean>
</beans>

applicationContext-security.xml

<beans ...>
  <sec:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />

  <sec:http auto-config="true" use-expressions="true">
    <sec:intercept-url pattern="/myapp/login" access="permitAll" />
  </sec:http>

  <sec:authentication-manager>
    <sec:authentication-provider user-service-ref="userDetailService" />
  </sec:authentication-manager>
</beans>

最后: myapp-web-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans ...>

  <context:component-scan base-package="com.myapp" />
  <context:annotation-config />
  <context:property-placeholder location="/WEB-INF/servlet.properties" />

  <mvc:annotation-driven/>
  <mvc:interceptors>
    <bean id="sessionInterceptor" class="com.myapp.web.interceptor.SessionInterceptor" />
  </mvc:interceptors>

  <bean id="handlerAdapter" class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter">
    <property name="messageConverters">
      <util:list>
        <ref bean="jsonHttpMessageConverter" />
      </util:list>
    </property>
  </bean>

  <bean id="jsonHttpMessageConverter" class="org.springframework.http.converter.json.MappingJacksonHttpMessageConverter" />

  <bean id="handlerMapping" class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping">
      <property name="useTrailingSlashMatch" value="true" />
  </bean>

  <bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="prefix" value="/WEB-INF/views/" />
    <property name="suffix" value=".jsp" />
  </bean>
</beans>

现在问题来了:

一切都提醒着完全相同。我可以在不验证角色的情况下访问 RESTful 服务。当我在调试中启动 Tomcat 时,我的UserDetailsS​​ervice实现实际上从未被调用。

我错过了什么?这让我非常沮丧,因为我以前从未遇到过这样的 Spring Security 问题。

更新

我想到了。在所有要错过的事情中,我需要将其添加到myapp-web-servlet.xml

<sec:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />

现在我只需要弄清楚如何让它在会话重新启动之间适当地加载我的角色。

4

1 回答 1

0

我认为问题可能出在您的映射上:

<filter>
    <filter-name>myFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>myFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
于 2013-11-05T17:24:41.847 回答