您好,我需要拥有使用 Spring Security 处理的静态资源,并且我仍希望将其保持静态,因为它没有使用 DispatcherServlet
处理。 。我为非安全资源保留了一个文件夹,为安全资源保留了一个文件夹。在排除 /res/secured
之前我无法完成这项工作来自资源处理程序。但如果我这样做,安全资源将通过 DispatcherServlet
进行处理。我认为这是不对的(也许我错了?->发布解释或链接)。
我的配置:
/*--- Directories structure ---*/
res
|-- nonsecured
|-- secured
/*--- /Directories structure ---*/
/*--- WebApplicationInitializer ---*/
Dynamic portalSecurityFilter = servletContext.addFilter("portalSecurityFilter", new PortalSecurityFilter());
portalSecurityFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");
// Spring Security filtr
Dynamic securityFilter = servletContext.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class);
securityFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");
CharacterEncodingFilter characterEncodingFilter = new CharacterEncodingFilter();
characterEncodingFilter.setEncoding("UTF-8");
Dynamic dynamicCharacterEncodingFilter = servletContext.addFilter("characterEncodingFilter", characterEncodingFilter);
dynamicCharacterEncodingFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");
Dynamic ajaxFilter = servletContext.addFilter("ajaxFilter", new AjaxFilter());
ajaxFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");
// Root context
AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext();
rootContext.register(WebConfig.class);
// Dispatcher servlet
ServletRegistration.Dynamic dispatcherServlet = servletContext.addServlet("dispatcherServlet", new DispatcherServlet(rootContext));
dispatcherServlet.setLoadOnStartup(1);
dispatcherServlet.addMapping("/");
servletContext.addListener(new ContextLoaderListener(rootContext));
/*--- /WebApplicationInitializer ---*/
/*--- Web configuration part ---*/
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
super.addResourceHandlers(registry);
registry.addResourceHandler("/res/**").addResourceLocations("/WEB-INF/res/");
}
/*--- /Web configuration part ---*/
/*--- Spring Security confogiration part ---*/
<http pattern="/res/unsecured/**" security="none" />
<http pattern="/**" use-expressions="true" authentication-manager-ref="myAuthenticationManager">
<intercept-url pattern="/res/secured/**" access="hasRole('ROLE_USER_AUTHENTICATED')" />
<intercept-url pattern="/**" access="permitAll" />
</http>
/*--- /Spring Security confogiration part ---*/
感谢您的回答。
编辑
As I playing around it seems to me that
<http pattern="/res/unsecured/**" security="none" />
part in security configuration is pointless because resources served by resource handler don't go through Spring Security filter chain. Am I missing something or is my configuration wrong?
最佳答案
我必须承认这是我的耻辱。 Spring Security 按预期工作,并且上述配置运行良好。我的问题是浏览器缓存了静态资源(即 PDF 文件),但我只是没有注意到它。如果您遇到同样的问题,请尝试进行硬刷新,然后再花时间寻找问题:)
关于java - 使用 Spring Security 处理静态资源,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/14159824/