
Cannot secure HTML files using Spring-Security

I have a webapp which I deploy on Google App Engine. I believe that the issue is not related to GAE, but there is something that I am missing...

Basically, I want to force the user to be authenticated in order to see/use anything that is under the /secured dir. I have an HTML page that is under this dir, but the user can easily navigate to it (without being authenticated). How do I secure it using SS?

I read this and that, tried it, but it did not help :-(

My config - web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>contextAttribute</param-name>
        <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


<!-- to integrate Spring with AppEngine project -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring-servlet.xml</param-value>
</context-param>

<!-- if we work with Spring-security, we already have a listener -->
<!-- listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener-->


<servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

spring-servlet.xml:

<context:annotation-config />

<context:property-placeholder location="classpath:client.properties" />

<context:component-scan base-package="com.nice.coffee" />
<context:component-scan base-package="com.ohadr.auth_flows" />
<context:component-scan base-package="com.ohadr.crypto" />

<mvc:annotation-driven />
<mvc:default-servlet-handler />

<!-- don't use debug! https://jira.spring.io/browse/SEC-1885 >
<sec:debug />
 -->

 <mvc:resources mapping="/secured/**" location="/secured/" />


<sec:http pattern="/login/**" security="none" />
<sec:http pattern="/forgotPasswordPage" security="none" />
<sec:http pattern="/forgotPassword" security="none" />
<sec:http pattern="/createAccountPage" security="none" />
<sec:http pattern="/createAccount" security="none" />

<sec:http authentication-manager-ref="authenticationManager">
    <sec:intercept-url pattern="/**/ohad.html" access="ROLE_ADMIN" />  
    <sec:intercept-url pattern="/secured/**" access="ROLE_USER" />
    <sec:anonymous />

    <sec:form-login login-page="/login/login.htm"
        authentication-success-handler-ref="authenticationSuccessHandler"
        authentication-failure-handler-ref="authenticationFailureHandler" />

</sec:http>



<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider
        user-service-ref="userDetailsService">
        <sec:password-encoder hash="sha-256">
            <sec:salt-source user-property="username" />
        </sec:password-encoder>
    </sec:authentication-provider>
</sec:authentication-manager>...

My project hierarchy:

(screenshot of the project hierarchy, not reproduced here)

...thanks in advance!

Rather than putting the secured pages directly in src/main/webapp/secured, put them in src/main/resources/secured, and then change your resources statement to

<mvc:resources mapping="/secured/**" location="classpath:/secured/" />

It appears that my problem was in this line:

 <mvc:resources mapping="/secured/**" location="/secured/" />

spring-mvc is "confused" where both location and mapping have the same name. So when a request for a resource enters the application, e.g. .../secured/my.html, spring-mvc does not use the mapping at all.

The solution was to change the location name (or the mapping, but I changed the location name), so I ended up with:

 <mvc:resources mapping="/secured/**" location="/secured_resources/" />

and all my resources (HTML, JS, etc.) were under a dir called 'secured_resources'. Then, when a request arrived at the application, e.g. .../secured/my.html, it was mapped successfully using MVC, hence the browser is redirected to the login page, etc.
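As an added check that is not part of the question or of either answer: a small Python script that parses a Spring XML configuration and reports the two things this thread turns on, namely any <mvc:resources> handler whose location is the same webapp path as its mapping (the configuration the accepted answer identified as the problem, and which the other answer avoids by using a classpath: location), and which URL patterns bypass the security filter chain because they are declared security="none", next to the intercept-url rules that do protect paths. The sample XML is constructed from the fragments posted above, wrapped in a <beans> root so it parses; the namespace URIs are the standard Spring schema namespaces. The resource_handler_overlaps check goes slightly beyond the single case in the thread in that it handles any mapping/location pair, not just /secured.

```python
"""Audit a Spring XML config for the resource-handler / security-chain
facts discussed in the thread. Added example, not project code."""
import xml.etree.ElementTree as ET

# Standard Spring schema namespaces used by the prefixes in the config.
NS = {
    "beans": "http://www.springframework.org/schema/beans",
    "mvc": "http://www.springframework.org/schema/mvc",
    "sec": "http://www.springframework.org/schema/security",
}

# Constructed sample: the relevant parts of the question's spring-servlet.xml.
BROKEN_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:sec="http://www.springframework.org/schema/security">
  <mvc:resources mapping="/secured/**" location="/secured/" />
  <sec:http pattern="/login/**" security="none" />
  <sec:http pattern="/forgotPasswordPage" security="none" />
  <sec:http authentication-manager-ref="authenticationManager">
    <sec:intercept-url pattern="/**/ohad.html" access="ROLE_ADMIN" />
    <sec:intercept-url pattern="/secured/**" access="ROLE_USER" />
    <sec:anonymous />
    <sec:form-login login-page="/login/login.htm" />
  </sec:http>
</beans>"""

# The accepted answer's fix: a location that differs from the mapping.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    'location="/secured/"', 'location="/secured_resources/"')

# The other answer's variant: serve the files from the classpath instead.
CLASSPATH_CONFIG = BROKEN_CONFIG.replace(
    'location="/secured/"', 'location="classpath:/secured/"')


def _literal_prefix(pattern):
    """Reduce an Ant-style pattern such as '/secured/**' to its literal path prefix."""
    return pattern.split("*", 1)[0]


def resource_handler_overlaps(xml_text):
    """Return (mapping, location) pairs where a webapp-relative location is the
    same path as the mapping prefix, i.e. the setup the accepted answer blamed."""
    root = ET.fromstring(xml_text)
    overlaps = []
    for res in root.findall("mvc:resources", NS):
        mapping = res.get("mapping", "")
        location = res.get("location", "")
        # classpath:/... and file:... locations are not webapp paths, so skip them.
        if ":" in location:
            continue
        if _literal_prefix(mapping).rstrip("/") == location.rstrip("/"):
            overlaps.append((mapping, location))
    return overlaps


def unsecured_patterns(xml_text):
    """Return the URL patterns that skip the security filter chain entirely."""
    root = ET.fromstring(xml_text)
    return [h.get("pattern") for h in root.findall("sec:http", NS)
            if h.get("security") == "none"]


def protected_rules(xml_text):
    """Return (pattern, access) pairs from the secured <sec:http> chain(s)."""
    root = ET.fromstring(xml_text)
    rules = []
    for chain in root.findall("sec:http", NS):
        if chain.get("security") == "none":
            continue
        for rule in chain.findall("sec:intercept-url", NS):
            rules.append((rule.get("pattern"), rule.get("access")))
    return rules


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                      ("classpath", CLASSPATH_CONFIG)):
        print(name, "mapping/location overlaps:", resource_handler_overlaps(cfg))
    print("patterns outside the chain:", unsecured_patterns(FIXED_CONFIG))
    print("protected rules:", protected_rules(FIXED_CONFIG))
```

Run it against the real spring-servlet.xml (read the file into a string instead of using the embedded sample) whenever a static directory is supposed to be behind an intercept-url rule; the useful review question is whether every path in the first list is also covered by a rule in the last list, and whether each entry in the middle list is meant to be public.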
