如何在最简单的情况下正确配置 spring 安全性?
How to configure spring security in the simplest case correctly?
我有控制器:
@Controller
public class SecurityController{
@RequestMapping(value="/403")
public String renderAccessDeniedPage(){
return "403";
}
@RequestMapping(value="/admin")
public String renderAdminWelcomePage(){
return "admin/welcome";
}
}
当请求被 spring-security 重定向到安全视图时,它应该呈现安全视图。我有以下配置:
web.xml
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/coreContext.xml /WEB-INF/securityContext.xml</param-value>
</context-param>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value></param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/</url-pattern>
</filter-mapping>
蚂蚁 securityContext 本身:
<security:http auto-config="true" use-expressions="true">
<security:access-denied-handler error-page="/403" />
<security:intercept-url pattern="admin/**" access="hasRole('ADMIN')" />
<security:form-login login-page="/" username-parameter="user" password-parameter="pass" login-processing-url="/" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="xaDataSource"
authorities-by-username-query="select name, role from users where name = ?"
users-by-username-query="select name, password, enabled from users_auth where name = ?" />
</security:authentication-provider>
</security:authentication-manager>
问题是,当我尝试通过浏览器发送呈现页面的请求时,即使我没有登录,我也只是得到了我请求的页面(例如 admin.jsp)。我试过了进行调试,我注意到我在 web.xml 中声明的 org.springframework.web.filter.DelegatingFilterProxy 中没有一个方法被调用。怎么了?
除了 AlanBarrows 评论(使用 <security:intercept-url pattern="/admin/**"),您还应该将过滤器映射到 /* 而不是 / :
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
PS:很高兴注意到相关信息:没有调用 DelegatingFilterProxy 的任何一种方法
我有控制器:
@Controller
public class SecurityController{
@RequestMapping(value="/403")
public String renderAccessDeniedPage(){
return "403";
}
@RequestMapping(value="/admin")
public String renderAdminWelcomePage(){
return "admin/welcome";
}
}
当请求被 spring-security 重定向到安全视图时,它应该呈现安全视图。我有以下配置:
web.xml
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/coreContext.xml /WEB-INF/securityContext.xml</param-value>
</context-param>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value></param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/</url-pattern>
</filter-mapping>
蚂蚁 securityContext 本身:
<security:http auto-config="true" use-expressions="true">
<security:access-denied-handler error-page="/403" />
<security:intercept-url pattern="admin/**" access="hasRole('ADMIN')" />
<security:form-login login-page="/" username-parameter="user" password-parameter="pass" login-processing-url="/" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="xaDataSource"
authorities-by-username-query="select name, role from users where name = ?"
users-by-username-query="select name, password, enabled from users_auth where name = ?" />
</security:authentication-provider>
</security:authentication-manager>
问题是,当我尝试通过浏览器发送呈现页面的请求时,即使我没有登录,我也只是得到了我请求的页面(例如 admin.jsp)。我试过了进行调试,我注意到我在 web.xml 中声明的 org.springframework.web.filter.DelegatingFilterProxy 中没有一个方法被调用。怎么了?
除了 AlanBarrows 评论(使用 <security:intercept-url pattern="/admin/**"),您还应该将过滤器映射到 /* 而不是 / :
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
PS:很高兴注意到相关信息:没有调用 DelegatingFilterProxy 的任何一种方法