[英]Spring Security + MVC : Questions around context definition & bean scope
I'm trying to understand the reccommended way for defining Spring Security in Spring-MVC applications, where the bean definitions is split across multiple parent/child contexts. 我试图理解在Spring-MVC应用程序中定义Spring Security的推荐方法,其中bean定义分为多个父/子上下文。
For example, my current app's web.xml
looks as follows, (which I understand to be fairly standard) 例如,我当前应用程序的
web.xml
如下所示(我明白这是相当标准的)
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:applicationContext.xml
/WEB-INF/securityContext.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>spring-mvc</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring-mvc</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
So, I have a standard ContextLoaderListener
defined at /
, which loads my global configs - applicationContext.xml
and securityContext.xml
. 所以,我在
/
定义了一个标准的ContextLoaderListener
,它加载了我的全局配置 - applicationContext.xml
和securityContext.xml
。 I also define the spring mvc DispatcherServlet
at /app/
, which loads it's own beans from spring-mvc-servlet.xml
. 我还在
/app/
定义了spring mvc DispatcherServlet
,它从spring-mvc-servlet.xml
加载它自己的bean。
As I understand it, config defined in spring-mvc-servlet.xml
is not visible to config defined in either of the top-level context files. 据我了解,
spring-mvc-servlet.xml
中定义的config对于任何一个顶级上下文文件中定义的配置都不可见。
Where then is the best place to define app-level security concepts? 哪里是定义应用级安全概念的最佳位置? For example, I'd like to add the following filter.
例如,我想添加以下过滤器。
<security:http pattern="/oauth/token" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint">
<security:custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
</security:http>
This is so that requests to /app/oauth/token
pass through this filter, and get basic authentication processed. 这样对
/app/oauth/token
请求就会通过此过滤器,并处理基本身份验证。
Because this pertains directly to a concern of the Spring-MVC app, I initially defined it in spring-mvc-context.xml
(which is why the app
is excluded from the url). 因为这与Spring-MVC应用程序的关注直接相关,所以我最初在
spring-mvc-context.xml
定义它(这就是为什么app
被排除在url之外)。
However, this means it's not visible to the security config defined in securityContext.xml
, so it's ignored. 但是,这意味着它不是在定义的安全配置可见
securityContext.xml
,所以它的忽略。
So, I move it up to securityContext.xml
, but in doing so, also must move all the dependencies. 所以,我将它移动到
securityContext.xml
,但是这样做,也必须移动所有依赖项。 I quickly end up moving everything up to applicationContext.xml
, which leaves the spring-mvc-context.xml
almost empty. 我很快就将所有内容移到
applicationContext.xml
,这使得spring-mvc-context.xml
几乎为空。
Is this common? 这是常见的吗? What is the reccomended split between what is defined in top-level contexts, and what gets defined in child contexts?
在顶级上下文中定义的内容与在子上下文中定义的内容之间存在什么分歧?
Given that spring-mvc defines a series of controllers, which I want to mark as @Secured
, how will these be processed if the controller is not visible to the security context? 鉴于spring-mvc定义了一系列控制器,我想将其标记为
@Secured
,如果控制器对安全上下文不可见,它们将如何处理?
Do I need to move my <mvc:annotation-driven />
from the servlet.xml
to the global applicationContext.xml
? 我是否需要将
<mvc:annotation-driven />
从servlet.xml
到全局applicationContext.xml
? Do I need additional configuration within the spring-mvc-servlet.xml
to tell it to participate in Spring security? 我是否需要在
spring-mvc-servlet.xml
进行其他配置以告诉它参与Spring安全性?
I've read the documentation on Spring-MVC , but there's very few specifics on how to configure this. 我已经阅读了关于Spring-MVC的文档 ,但是关于如何配置它的细节很少。 Additionally, the Spring OAuth examples seem to define everything within a single config file, which doesn't seem very real-world, and seems to contradict other examples I've read.
此外, Spring OAuth示例似乎在单个配置文件中定义了所有内容,这看起来并不真实,并且似乎与我读过的其他示例相矛盾。
First: the beans defined within applicationContext.xml
( ContextLoaderListener
) can not access the one defined in spring-mvc-servlet.xml
( DispatcherServlet
) but not the other way around. 首先:
applicationContext.xml
( ContextLoaderListener
)中定义的bean无法访问spring-mvc-servlet.xml
( DispatcherServlet
)中定义的bean,但不能访问其他方式。
You asked: 您询问:
Given that spring-mvc defines a series of controllers, which I want to mark as @Secured, how will these be processed if the controller is not visible to the security context?
鉴于spring-mvc定义了一系列控制器,我想将其标记为@Secured,如果控制器对安全上下文不可见,它们将如何处理?
So this works without problems, because the controllers must be defined in the spring-mvc-servlet.xml
, so they "see" the Spring Security stuff defined in applicationContext.xml
所以这没有问题,因为必须在
spring-mvc-servlet.xml
定义控制器,所以他们“看到” applicationContext.xml
定义的Spring Security内容。
Do I need to move my from the servlet.xml to the global applicationContext.xml?
我是否需要将我的servlet.xml移动到全局applicationContext.xml?
No 没有
Do I need additional configuration within the spring-mvc-servlet.xml to tell it to participate in Spring security?
我是否需要在spring-mvc-servlet.xml中进行其他配置以告诉它参与Spring安全性?
No 没有
... which leaves the spring-mvc-context.xml almost empty.
...使spring-mvc-context.xml几乎为空。 Is this common?
这是常见的吗?
The spring-mvc-context.xml
should contain every thing that is related to Web Stuff (except secrutiy). spring-mvc-context.xml
应该包含与Web Stuff相关的所有内容(secrutiy除外)。 So the common parts of the spring-mvc-context.xml
are component scan for @Controller
, some Interceptors ( mvc:interceptors
), mvc:resources
, mvc:default-servlet-handler
, mvc:view-controller
, ReloadableResourceBundleMessageSource
, CookieLocaleResolver
, .SimpleMappingExceptionResolver
... 因此,公用部分
spring-mvc-context.xml
是组分系统扫描@Controller
,一些拦截器( mvc:interceptors
), mvc:resources
, mvc:default-servlet-handler
, mvc:view-controller
, ReloadableResourceBundleMessageSource
, CookieLocaleResolver
, .SimpleMappingExceptionResolver
......
BTW: If you use component scan, then you need two of them, one at applicationContext.xml
to scan for @Service
@Repository
and @Component
(But not @Controller
) and a second in spring-mvc-context.xml
that only scan for @Controller
! 顺便说一句:如果你使用组件扫描,那么你需要其中两个,一个在
applicationContext.xml
上扫描@Service
@Repository
和@Component
(但不是@Controller
),另一个在spring-mvc-context.xml
中只扫描为@Controller
!
@See also this question: ContextLoaderListener or not? @See也有这个问题: ContextLoaderListener与否? It discuss the theme from an other point of view.
它从另一个角度讨论了这个主题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.