
How to secure an included page with Spring security

Assuming I have a main.jsp which includes another protected page:

<%
RequestDispatcher rd = request.getRequestDispatcher("secure/protected.jsp");
rd.include(request, response);
%>


<http auto-config="true" once-per-request="true">
        <intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR" />
....
</http>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

Currently, what I found is:

  • The Spring Security filter is actually invoked.
  • protected.jsp is still displayed in main.jsp (but I expected protected.jsp to be blocked by Spring Security).

I have read the related discussion: Spring Security Allows Unauthorized User Access to Restricted URL from a Forward

Is it possible to secure an included JSP? If not, why? I guess the reason is that when we use the request dispatcher, we still pass the original request, so the Spring Security filter only knows the original request path (main.jsp) and doesn't know the target included path (protected.jsp). Therefore, it doesn't block the inclusion of protected.jsp.

But it doesn't work. I use Spring Security 3.1.2.

Including a JSP basically means inlining the content of another JSP into the current output (HTML) document. As san-krish mentioned, these JSP includes don't undergo servlet filter operation.

Their main purpose is to be used whenever you have reusable JSPs, for instance for navigation or pagination. Usually, they aren't exposed by the servlet container. Hence, they should live under WEB-INF.

You didn't disclose enough information about your application. But it seems that you are trying to route to different pages inside one JSP.

Consider that a design flaw. Your view (the JSP) should just render the model data, and your controller (HttpServlet or, even better, a Spring MVC request handler) should decide whether JSP A or B should be used for rendering.

If I'm wrong with my assumption, sorry for the noise.

If you are trying to show different content to the user after login, you should consider implementing a custom AuthenticationSuccessHandler which redirects to different JSPs based on the roles attached to the principal.

If you just want to show or hide page content based on user role, you should leverage Spring Security's Taglib:

Include the Spring Security Taglib artifact in your pom.xml (I take Maven for granted).

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>3.1.1.RELEASE</version>
</dependency>

Add the taglib to your JSP.

<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags"%>

And surround the include with the authorize tag. Even better, you should move authorize into protected.jsp for better reusability.

<security:authorize ifAllGranted="ROLE_SUPERVISOR">
    <jsp:include page="secure/protected.jsp" />
</security:authorize>
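The answer above recommends letting the controller, not the JSP, decide which view is rendered. The following is an added example that is not part of the original question or answers; it shows that approach with Spring MVC and Spring Security 3.1.x method security. It assumes (none of this is stated on the page) a hypothetical package com.example.web, an InternalResourceViewResolver with prefix /WEB-INF/jsp/ and suffix .jsp, and that <global-method-security pre-post-annotations="enabled"/> is declared in the same application context that creates the controllers (the DispatcherServlet's context); if it is declared only in the root context, the @PreAuthorize annotation on a controller is silently ignored.

```java
// Added example (not code from the original page). Instead of having main.jsp
// include secure/protected.jsp itself, a controller chooses the view. A URL
// pattern in <intercept-url> cannot see an INCLUDE target, because the request
// path methods still report main.jsp during the include, but @PreAuthorize is
// enforced by Spring Security's method interceptor before the handler runs,
// independent of how the view is assembled afterwards.
//
// Assumptions: Spring Security 3.1.x, <global-method-security
// pre-post-annotations="enabled"/> in the DispatcherServlet context, and an
// InternalResourceViewResolver with prefix /WEB-INF/jsp/ and suffix .jsp.
package com.example.web; // hypothetical package name

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class MainPageController {

    // Both JSPs live under /WEB-INF/jsp/, so the servlet container never serves
    // them directly; the only way to reach them is through this controller.
    private static final String MAIN_VIEW = "main";            // /WEB-INF/jsp/main.jsp
    private static final String SUPERVISOR_VIEW = "protected"; // /WEB-INF/jsp/protected.jsp

    // Any authenticated user may request /main. The controller picks the view:
    // supervisors get the protected page, everyone else gets the plain main page.
    @RequestMapping(value = "/main", method = RequestMethod.GET)
    public String main() {
        return hasRole("ROLE_SUPERVISOR") ? SUPERVISOR_VIEW : MAIN_VIEW;
    }

    // Dedicated handler for the protected content. If the caller lacks
    // ROLE_SUPERVISOR, the method-security interceptor throws
    // AccessDeniedException before this body runs, so the view is never
    // rendered for them. The /secure/** <intercept-url> rule still applies to
    // this URL as well, which is fine as a second layer.
    @PreAuthorize("hasRole('ROLE_SUPERVISOR')")
    @RequestMapping(value = "/secure/protected", method = RequestMethod.GET)
    public String protectedPage() {
        return SUPERVISOR_VIEW;
    }

    // Role check against the current SecurityContext. Package-private so a unit
    // test can populate SecurityContextHolder and call it directly.
    static boolean hasRole(String role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

With this layout there is nothing for main.jsp to include at request time: the decision about whether protected content is shown is made once, in the handler, where Spring Security can actually evaluate it. Inside the JSPs, the <security:authorize> tag from the answer remains the right tool for hiding individual fragments.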

As you include the JSP page in your main.jsp, it doesn't undergo servlet filter operation. In other words, it doesn't reach the server; rather it is compiled and placed in your main page.

The concept of Spring Security is based on ServletFilter; as your included page is not intercepted by Spring Security, it doesn't prevent access to it.

Hope this helps!!
