java - Spring MVC + Spring Security + JPA 返回 Null ModelAndView 并且不会进行身份验证

Question

如上所述，我在 spring MVC 中有一个 web 应用程序，其中以下正在工作:

• 虚拟页面中的“玩具”版本身份验证，没有 js/img/css/png 资源
• Controller 中的 URL 映射。因此: http://myhost/myapp/login 和 http://myhost/myapp/homepage/* 都提供一个页面
• Hibernate/JPA 集成
• 简而言之，除了在包含 Assets 的全功能登录页面中，即使我输入正确的用户名/密码组合，身份验证也会被拒绝并重定向到身份验证失败 URL。

(Spring 3.2，Spring Security 3.1.3。我现在使用基于 XML 的身份验证 - 见下文 - 所以与 Hibernate/JPA 部分无关，我认为这完全是我如何设置的问题 Spring )

我的问题有两个:

• .png 文件在 servlet 处理时是否触发身份验证调用？在这种情况下，我该如何过滤掉它呢？ (.jpg .js .css 默认情况下会被忽略为“公共(public)对象”，因此不会经过安全筛选？
• 现在安全性已经加强，配置文件(复制如下)是否有什么奇怪的地方？

我怀疑服务器日志中的以下几行是相关的:

调试.log

09:29:52,516 DEBUG DispatcherServlet:999 - Null ModelAndView returned to DispatcherServlet with name 'mvc-dispatcher': assuming HandlerAdapter completed request handling
09:29:52,517 DEBUG DispatcherServlet:946 - Successfully completed request
09:29:52,517 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
09:29:52,517 DEBUG HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
09:29:52,517 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
09:29:52,983 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
09:29:52,983 DEBUG HttpSessionSecurityContextRepository:139 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
09:29:52,983 DEBUG HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@104ce68. A new one will be created.
09:29:52,983 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
09:29:52,984 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
09:29:52,984 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
09:29:52,984 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
09:29:52,984 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
09:29:52,984 DEBUG FilterChainProxy:337 - /resources/bootstrap/img/glyphicons-halflings.png at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
09:29:52,985 DEBUG AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 2AE4A610A87DADA1FC2D3EC33BAC5176; Granted Authorities: ROLE_ANONYMOUS'

09:29:52,990 DEBUG DispatcherServlet:999 - Null ModelAndView returned to DispatcherServlet with name 'mvc-dispatcher': assuming HandlerAdapter completed request handling
09:29:52,991 DEBUG DispatcherServlet:946 - Successfully completed request
09:29:52,991 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
09:29:52,991 DEBUG HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
09:29:52,991 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed   

目前我正在使用简单的、基于 XML 的身份验证，如下所示:

安全上下文.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<http auto-config="true">
    <intercept-url pattern="/homepage*" access="ROLE_USER" />
    <!-- custom securiy URL mappings -->
    <form-login login-page="/login" default-target-url="/homepage/main"
        authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/logout" />     
</http>

<authentication-manager>
  <authentication-provider>
    <user-service>
    <user name="user" password="pass" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>
</authentication-manager>

</beans:beans>

其他相关配置文件:

mvc-dispatcher-servlet.xml

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
    http://www.springframework.org/schema/beans     
    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/context 
    http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">

<context:component-scan base-package="com.blah.blah.controller" />
<!-- URI mapping for static content -->
<mvc:resources mapping="/resources/**" location="/resources/" />
<bean
  class="org.springframework.web.servlet.view.InternalResourceViewResolver" id="viewResolver">
  <property name="prefix">
    <value>/WEB-INF/views/</value>
  </property>
  <property name="suffix">
    <value>.jsp</value>
  </property>
</bean>

 <!-- also add the following beans to get rid of some exceptions -->
 <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter" />
 <bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping" />
</beans>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    id="yourpackagename.yourwebproject" version="2.5">
<display-name>my web project</display-name>

<!-- Spring Framework Configuration -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>       
        classpath:application-context.xml,
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


<!-- Servlet Configurations -->
<!-- Web App Dispatcher -->
<!-- Spring MVC -->
<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>
                org.springframework.web.servlet.DispatcherServlet
            </servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<!-- Mentioning the Context Loader Listener class of Spring Framework as a listener -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Filter Configurations -->
<!-- UTF-8 encoding filter -->
<filter>
    <filter-name>encodingFilter</filter-name>
    <filter-class>
        org.springframework.web.filter.CharacterEncodingFilter
    </filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- logging -->
<context-param>
    <param-name>log4jConfigLocation</param-name>
    <param-value>/WEB-INF/classes/log4j.properties</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>

</web-app>

Answer 1

由于 spring 过滤器适用于所有请求，因此对于 png 图像也是如此。对于第一个问题，你可以用这样的行过滤 png's

<intercept-url pattern="/**/*.png" access="ROLE_ANONYMOUS" />

或者如果您决定使用带有

的访问表达式

<intercept-url pattern="/**/*.png" access="true" />

但是从您的配置文件来看，无论如何都应该是这样。

另一种方法是:

<http pattern="/**/*.png" security="none"/>