具有 Spring 安全性 XML 配置的 HTTP Basic 不使用 HttpBasicConfigurer
HTTP Basic with Spring Security XML configuration doesn't use HttpBasicConfigurer
关于 HTTP 基本配置,XML 配置和 Java 似乎没有在 Spring 安全中执行相同的任务。
使用以下 Java 配置时:
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.and()
.authorizeRequests()
.anyRequest().authenticated();
}
A HttpBasicConfigurer 是为了使用不同的入口点,当请求 HTTP header X-Requested-With 是 XMLHttpRequest.
使用配置时
<s:http use-expressions="true" create-session="ifRequired">
<s:intercept-url pattern='/**' access='isAuthenticated()' />
<s:http-basic />
<s:http />
HTTPBassicConfigurer未使用。
有人知道如何使用 XML 配置添加它吗?
可以使用基本身份验证过滤器显式声明基本身份验证参数:
<security:http use-expressions="true" entry-point-ref="entryPoint" authentication-manager-ref="authManager">
<security:custom-filter ref="advancedBasicFilter" position="BASIC_AUTH_FILTER"/>
<security:intercept-url pattern="/info/**" access="permitAll" />
<security:intercept-url pattern="/**" access="isAuthenticated()"/>
</security:http>
<bean id="advancedBasicFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<constructor-arg name="authenticationEntryPoint" ref="entryPoint"/>
<constructor-arg name="authenticationManager" ref="authManager"/>
</bean>
<bean id="entryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<property name="realmName" value="My Realm"/>
</bean>
<security:authentication-manager id="authManager">
<security:authentication-provider user-service-ref="myOwnUserService" />
</security:authentication-manager>
如果您使用带有命名空间的 xml 配置,则不会使用 HTTPBasicConfigurer,而是使用 <http-basic> 标签的属性。
摘自Spring安全参考手册附录关于<http-basic>标签的安全命名空间:
属性
authentication-details-source-ref : 对 AuthenticationDetailsSource 的引用,将由身份验证过滤器
entry-point-ref 设置 BasicAuthenticationFilter
AuthenticationEntryPoint
根据此 post 中人们提供的评论,最终解决方案是无法将 HTTPBasicConfigurer 与 XML 配置一起使用。但是还有其他方法可以执行与现在在 HTTPBasicConfigurer 中实现的几乎相同的事情。我最终使用的解决方案主要基于Lea提供的备注:
<s:http use-expressions="true" create-session="ifRequired" >
<s:intercept-url pattern='/**' access='isAuthenticated()' />
<s:http-basic entry-point-ref="entryPoint" />
</s:http>
<bean id="entryPoint"
class="org.springframework.security.web.authentication
.DelegatingAuthenticationEntryPoint">
<constructor-arg>
<map>
<entry key="hasHeader('X-Requested-With','XMLHttpRequest')"
value-ref="ajaxEntyPoint" />
</map>
</constructor-arg>
<property name="defaultEntryPoint" ref="defaultEntryPoint"/>
</bean>
<bean id="ajaxEntyPoint"
class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
<constructor-arg name="httpStatus"
value="#{T(org.springframework.http.HttpStatus).UNAUTHORIZED}"/>
</bean>
<bean id="defaultEntryPoint"
class="org.springframework.security.web.authentication.www
.BasicAuthenticationEntryPoint">
<property name="realmName" value="My webservices"/>
</bean>
关于 HTTP 基本配置,XML 配置和 Java 似乎没有在 Spring 安全中执行相同的任务。
使用以下 Java 配置时:
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.and()
.authorizeRequests()
.anyRequest().authenticated();
}
A HttpBasicConfigurer 是为了使用不同的入口点,当请求 HTTP header X-Requested-With 是 XMLHttpRequest.
使用配置时
<s:http use-expressions="true" create-session="ifRequired">
<s:intercept-url pattern='/**' access='isAuthenticated()' />
<s:http-basic />
<s:http />
HTTPBassicConfigurer未使用。
有人知道如何使用 XML 配置添加它吗?
可以使用基本身份验证过滤器显式声明基本身份验证参数:
<security:http use-expressions="true" entry-point-ref="entryPoint" authentication-manager-ref="authManager">
<security:custom-filter ref="advancedBasicFilter" position="BASIC_AUTH_FILTER"/>
<security:intercept-url pattern="/info/**" access="permitAll" />
<security:intercept-url pattern="/**" access="isAuthenticated()"/>
</security:http>
<bean id="advancedBasicFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<constructor-arg name="authenticationEntryPoint" ref="entryPoint"/>
<constructor-arg name="authenticationManager" ref="authManager"/>
</bean>
<bean id="entryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<property name="realmName" value="My Realm"/>
</bean>
<security:authentication-manager id="authManager">
<security:authentication-provider user-service-ref="myOwnUserService" />
</security:authentication-manager>
如果您使用带有命名空间的 xml 配置,则不会使用 HTTPBasicConfigurer,而是使用 <http-basic> 标签的属性。
摘自Spring安全参考手册附录关于<http-basic>标签的安全命名空间:
属性
authentication-details-source-ref : 对
AuthenticationDetailsSource的引用,将由身份验证过滤器entry-point-ref 设置 BasicAuthenticationFilter
使用的
AuthenticationEntryPoint
根据此 post 中人们提供的评论,最终解决方案是无法将 HTTPBasicConfigurer 与 XML 配置一起使用。但是还有其他方法可以执行与现在在 HTTPBasicConfigurer 中实现的几乎相同的事情。我最终使用的解决方案主要基于Lea提供的备注:
<s:http use-expressions="true" create-session="ifRequired" >
<s:intercept-url pattern='/**' access='isAuthenticated()' />
<s:http-basic entry-point-ref="entryPoint" />
</s:http>
<bean id="entryPoint"
class="org.springframework.security.web.authentication
.DelegatingAuthenticationEntryPoint">
<constructor-arg>
<map>
<entry key="hasHeader('X-Requested-With','XMLHttpRequest')"
value-ref="ajaxEntyPoint" />
</map>
</constructor-arg>
<property name="defaultEntryPoint" ref="defaultEntryPoint"/>
</bean>
<bean id="ajaxEntyPoint"
class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
<constructor-arg name="httpStatus"
value="#{T(org.springframework.http.HttpStatus).UNAUTHORIZED}"/>
</bean>
<bean id="defaultEntryPoint"
class="org.springframework.security.web.authentication.www
.BasicAuthenticationEntryPoint">
<property name="realmName" value="My webservices"/>
</bean>