
How to enable Spring security?

I wonder why my Spring security is not working. I've got this spring-security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

     <http auto-config='true'>
        <intercept-url pattern="/**" access="ROLE_USER" />
        <port-mappings>
            <port-mapping http="8088" https="9443"/>
        </port-mappings>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="password2" authorities="ROLE_USER" />
                <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="bob" password="bobspassword" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

Then I got this web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring/admin-servlet-common.xml
            /WEB-INF/spring/admin-servlet-controller.xml
            /WEB-INF/spring/admin-servlet-security.xml
            /WEB-INF/spring/admin-servlet-service.xml
            /WEB-INF/spring-security.xml
            classpath:ses-service.xml
        </param-value>
    </context-param>

    <context-param>
        <param-name>log4jConfigLocation</param-name>
        <param-value>/WEB-INF/log4j.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>


    <!-- Reads request input using UTF-8 encoding -->
    <filter>
        <filter-name>characterEncodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>characterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Enables clean URLs with JSP views e.g. /welcome instead of /app/welcome -->
    <filter>
        <filter-name>UrlRewriteFilter</filter-name>
        <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>UrlRewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Spring Security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Handles all requests into the application -->
    <servlet>
        <servlet-name>ses</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>ses</servlet-name>
        <url-pattern>/app/*</url-pattern>
    </servlet-mapping>
</web-app>

But it neither gives an error message nor enables security. There is no change in my webapp and I can still browse the pages, e.g. http://localhost:8088/admin/login and http://localhost:8088/admin/menu. This project is the admin part of a web app and I'm enabling security for the admin web. What can be done? My own login page that I'd like to use is http://localhost:8088/admin/login and I'd like to secure the rest of the /admin* pages for the admin role.

The UrlRewriteFilter is listed first and will bypass Spring Security by forwarding to other places within the application. In general, the springSecurityFilterChain should be the first in your web.xml to ensure it intercepts all requests.

I'd also consider removing UrlRewriteFilter altogether (as it can make for very confusing mappings in your intercept-urls). In the past it was used to remove the /app mapping assigned to Spring's DispatcherServlet, which can easily be avoided by mapping the DispatcherServlet to /:

<servlet-mapping>
  <servlet-name>ses</servlet-name>
  <url-pattern>/</url-pattern>
</servlet-mapping>

You can find some more discussion about Spring Security and UrlRewriteFilter on the Spring Security forums.

<intercept-url pattern="/**" access="ROLE_USER" />

Does it mean that you allow access to all pages for users with ROLE_USER (all 3 users have that role)?

<intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
<intercept-url pattern="/**" access="ROLE_USER" />

should allow access to admin's pages only for users with ROLE_ADMIN, and the rest of the pages as it works now.
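The rule ordering this answer suggests, combined with the custom login page the asker wants, as a complete spring-security.xml (an added example, not the asker's or the answerer's file). It is my configuration, not the project's: the use-expressions switch, the permitAll rule for the login page, the form-login and logout URLs, and the BCrypt encoder are all choices made here, and the password values are placeholders that have to be replaced with real hashes. intercept-url rules are evaluated top to bottom and the first matching pattern wins, so the most specific patterns come first and the catch-all "/**" last; the login page itself must be reachable anonymously, otherwise an unauthenticated user is redirected to a page that redirects them again.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- use-expressions="true" turns on hasRole()/permitAll in the access attribute. -->
    <http auto-config="true" use-expressions="true">
        <!-- First match wins: specific patterns first, catch-all last. -->
        <intercept-url pattern="/admin/login" access="permitAll" />
        <intercept-url pattern="/admin/**"    access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/**"          access="hasRole('ROLE_USER')" />

        <!-- The asker's own login page. The processing URL is what the login
             form's action attribute must POST to (username/password fields are
             j_username and j_password in Spring Security 3.1 by default). -->
        <form-login login-page="/admin/login"
                    login-processing-url="/j_spring_security_check"
                    authentication-failure-url="/admin/login?error=1"
                    default-target-url="/admin/menu" />
        <logout logout-url="/j_spring_security_logout"
                logout-success-url="/admin/login" />

        <port-mappings>
            <port-mapping http="8088" https="9443"/>
        </port-mappings>
    </http>

    <!-- Hashed instead of plaintext passwords. Assumes spring-security-crypto 3.1
         is on the classpath. The password values below are PLACEHOLDERS: generate
         real ones with new BCryptPasswordEncoder().encode("...") and paste them in. -->
    <beans:bean id="passwordEncoder"
                class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <authentication-manager>
        <authentication-provider>
            <password-encoder ref="passwordEncoder" />
            <user-service>
                <user name="admin" password="$2a$10$PLACEHOLDER_BCRYPT_HASH_ADMIN" authorities="ROLE_USER" />
                <user name="jimi"  password="$2a$10$PLACEHOLDER_BCRYPT_HASH_JIMI"  authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="bob"   password="$2a$10$PLACEHOLDER_BCRYPT_HASH_BOB"   authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

Two things to check against the asker's setup. With the users as listed, only jimi holds ROLE_ADMIN, so the "admin" account would be locked out of /admin/** until it is given that role. And intercept-url patterns are matched against the path after the webapp's context root: if "admin" in http://localhost:8088/admin/login is the context path rather than a path inside the application (the question does not say which), the patterns above must drop the /admin prefix ("/login" and "/**"), or they will never match and every request falls through to the catch-all rule.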
