Apache可以基于Tomcat Web应用程序的Spring SecurityContext限制访问吗?
[英]Can Apache restrict access based on a Tomcat webapp's Spring SecurityContext?
问题描述
We have a tomcat webapp which provides webservices which are protected using Spring Security. 
我们有一个tomcat webapp,它提供了使用Spring Security保护的Web服务。 The client makes a call to a specific authenticationService method which we wrote to authenticate them and create an authToken which is then used to register them with Spring Security as so: 客户端调用一个特定的authenticationService方法,我们对该方法进行身份验证并创建一个authToken,然后将其用于向Spring Security进行注册,如下所示:
SecurityContextHolder.getContext().setAuthentication( authToken )
That's all fine and good. 一切都很好。 However, we also have the requirement that authenticated users be able to access static content which is served by Apache (httpd) on the same server. 但是,我们还要求经过身份验证的用户能够访问由同一服务器上的Apache(httpd)提供的静态内容。 Is there a way to enforce the requirement that the user has been authenticated (by Java/Spring) before they can download the static content? 有没有一种方法可以强制要求用户在可以下载静态内容之前已通过Java / Spring进行了身份验证? It seems like Apache and Tomcat would have to somehow share the SecurityContext. 看来Apache和Tomcat必须以某种方式共享SecurityContext。
OR - alternatively it seems like Tomcat could serve the static content itself since it already has access to the SecurityContext. 或者-替代地,似乎Tomcat可以提供静态内容,因为它已经可以访问SecurityContext。 If that is the best solution, could anyone provide a pointer to how we would get tomcat to do that (serve static content after checking that the user has been authenticated). 如果那是最好的解决方案,那么谁能提供一个指向我们如何使tomcat做到这一点的指针(在检查用户已通过身份验证后提供静态内容)。
Thanks. 谢谢。
1 个解决方案
解决方案1
0 已采纳 2011-03-25 16:41:16
Yes, Tomcat is going to have to serve the static content. 是的,Tomcat将不得不提供静态内容。
mvc:resources can be helpful here. mvc:resources在这里可能会有所帮助。 After that is set up protect those mappings using the standard intercept-url configuration. 设置完之后,请使用标准的拦截URL配置来保护那些映射。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.