How to secure an included page with Spring security
Assuming I have a main.jsp which includes another protected page:
<%
RequestDispatcher rd = request.getRequestDispatcher("secure/protected.jsp");
rd.include(request, response);
%>
<http auto-config="true" once-per-request="true">
<intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR" />
....
</http>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
but it doesn't work. I use Spring Security 3.1.2.
Currently, what I found is:
I have read related discussions: Spring Security Allows Unauthorized User Access to Restricted URL from a Forward
Is it possible to secure an included JSP? If not, why? I guess the reason is that when we use the request dispatcher, we still pass the original request, so the Spring Security filter only knows the original request path (main.jsp) and doesn't know the target included path (protected.jsp). Therefore, it doesn't block the inclusion of protected.jsp.
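An added example, not part of the question or either answer, that follows the direction of the question's own analysis: a hypothetical servlet Filter, mapped with the INCLUDE dispatcher like the filter-mapping above, that authorizes the included resource's path (read from the RequestDispatcher.INCLUDE_SERVLET_PATH attribute) instead of the original request path. The class name is invented and the pattern and role are taken from the page's configuration; this is not Spring Security's own code.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.AntPathMatcher;

// Hypothetical filter (not part of Spring Security). Map it in web.xml with
// <dispatcher>INCLUDE</dispatcher> so it runs when main.jsp includes secure/protected.jsp.
public class IncludeAuthorizationFilter implements Filter {
    // Pattern and role are taken from the page's <intercept-url> element.
    private static final String PATTERN = "/secure/**";
    private static final String ROLE = "ROLE_SUPERVISOR";
    private final AntPathMatcher matcher = new AntPathMatcher();

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // During an include, getServletPath() still points at main.jsp; the included
        // resource's path is only exposed through this request attribute.
        String target = (String) request.getAttribute(RequestDispatcher.INCLUDE_SERVLET_PATH);
        if (target == null) {
            target = request.getServletPath(); // plain REQUEST dispatch, nothing was included
        }
        if (matcher.match(PATTERN, target) && !hasAuthority(ROLE)) {
            // The servlet spec makes status/header changes no-ops inside an include, so the
            // effective mitigation is to skip the chain: the protected fragment is never rendered.
            return;
        }
        chain.doFilter(req, res);
    }
    private static boolean hasAuthority(String role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) return false;
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) return true;
        }
        return false;
    }
    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

Because the filter reads the security context directly, it is unaffected by once-per-request="true" on the Spring Security chain, which is what stops that chain from re-evaluating the include in the first place.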
Including a JSP basically means inlining the content of another JSP into the current output (html) document. As san-krish mentioned these JSP includes don't undergo servlet filter operation.
Their main purpose is to be used whenever you have reusable JSPs, for instance for navigation or pagination. Usually, they aren't exposed by the servlet container. Hence, they should live under WEB-INF.
You didn't disclose enough information about your application. But it seems that you are trying to route to different pages inside one JSP.
Consider that a design flaw. Your view (the JSP) should just render the model data and your controller (HttpServlet or even better Spring MVC request handler) should decide whether JSP A or B should be taken for rendering.
If I'm wrong with my assumption - sorry for the noise.
If you are trying to show different content to the user after login you should consider implementing a custom AuthenticationSuccessHandler which redirects to different JSPs based on the roles attached to the principal.
If you just want to show or hide page content based on user role, you should leverage Spring Security's Taglib:
Include the Spring Security Taglib artifact in your pom.xml (I take Maven for granted).
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.1.1.RELEASE</version>
</dependency>
Add the taglib to your JSP.
<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags"%>
And surround include with the authorize tag. Even better, you should move authorize into protected.jsp for better reusability.
<security:authorize ifAllGranted="ROLE_SUPERVISOR">
<jsp:include page="secure/protected.jsp" />
</security:authorize>
As you include the JSP page in your main.jsp, it doesn't undergo servlet filter operation. In other words, it doesn't reach the server; rather, it is compiled and placed in your main page.
The concept of Spring Security is based on ServletFilter; as your included page is not intercepted by Spring Security, it doesn't prevent its access.
Hope this helps!!