在JBoss上运行Spring Boot应用程序–忽略端点的问题

Question

I have a requirement to run a Spring Boot (version 1.3.0.RELEASE) application on JBoss 6.4.0 server.

Initially, the following problem was encountered, and a solution was added following the author's advice.

http://ilya-murzinov.github.io/articles/spring-boot-jboss/

I am still however encountering a problem. The application uses Spring security to manage access, and it has been configured to ignore certain paths. Unfortunately, when run on JBoss, it appears that the end points set to ignore are not being picked up, and attempts to log in fail (and all other ignored end points).

Here is a sample of code showing how the end point ignores have been implemented. Perhaps these have been implemented incorrectly, or ordering is an issue?

package com.company.product.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * The configuration class responsible for handling security
 */
@Configuration
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Value("${server.servlet-path}")
    private String basePath;

    @Autowired
    private JWTAuthenticationProvider authenticationProvider;

    @Autowired
    private TokenHandler tokenHandler;

    /**
     * Adding custom provider to global authentication manager
     *
     * @param auth the authentication manager
     */
    @Autowired
    public void configureGlobal(final AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(this.authenticationProvider);
    }

    @Override
    public void configure(final WebSecurity web) throws Exception {
        //Specifies unsecured end-points

        //previous approach example
        //web.ignoring().antMatchers(this.basePath + "/login")

        web.ignoring().antMatchers(this.basePath + "/login/**") //end point still cannot be reached
                      .antMatchers(this.basePath + "/endpoint1/**")
                      .antMatchers(this.basePath + "/endpoint2/**")
                      .antMatchers(this.basePath + "/v2/endpoint3/**");
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.addFilterBefore(new StatelessAuthenticationFilter(this.tokenHandler),
                UsernamePasswordAuthenticationFilter.class).authorizeRequests().anyRequest().authenticated().and()
                .csrf().disable();
    }
}

The code works fine using its embedded Tomcat server.

When we try and access the login endpoint we are getting Access Denied errors. This endpoint should not have any security on it and we have added it as an ignored pattern to our configuration. The ignore configuration seems to work OK for static pages such as html, but not in this case.

Answer 1

The problem has been solved. It turns out, the problem was not with Spring security. A NamingException was being thrown within the org.springframework.ldap.core.ContextSource getReadOnlyContext() method, due to a missing LDAP server. Restoring this server fixed the problem.