tomcat - 使用独立 Tomcat 的 Spring Boot 容器身份验证

Question

我有一个独立的 Tomcat 服务器，它应该运行我的 Spring Boot 应用程序(部署为 .war 文件)。此应用程序需要使用来自 Tomcat 的容器身份验证来保护。首先它应该在开发环境中使用tomcat-users.xml。在生产环境中，这个领域将被另一种身份验证方法取代。

我的配置:

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().disable()
            .authorizeRequests()
                .antMatchers("/test/test2").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin().permitAll()
            .and()
                .logout().permitAll()
            .and()
                .jee().mappableRoles("USER");
    }

}

Tomcat 用户:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" version="1.0">
    <user username="testuser" password="pw" roles="user" />
</tomcat-users>

在安全页面上，表单登录显示如预期，但身份验证不起作用(您的登录尝试不成功，请重试。)。

配置中还缺少其他东西吗？

日志:

09:53:40 DEBUG o.s.security.web.FilterChainProxy        : /login at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
09:53:40 DEBUG o.s.security.web.FilterChainProxy        : /login at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
09:53:40 DEBUG w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
09:53:40 DEBUG w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@22ea93f6. A new one will be created.
09:53:40 DEBUG o.s.security.web.FilterChainProxy        : /login at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
09:53:40 DEBUG o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@738151d2
09:53:40 DEBUG o.s.security.web.FilterChainProxy        : /login at position 4 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', GET]
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'POST /login' doesn't match 'GET /logout
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', POST]
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/logout'
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', PUT]
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'POST /login' doesn't match 'PUT /logout
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', DELETE]
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'POST /login' doesn't match 'DELETE /logout
09:53:40 DEBUG o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
09:53:40 DEBUG o.s.security.web.FilterChainProxy        : /login at position 5 of 13 in additional filter chain; firing Filter: 'J2eePreAuthenticatedProcessingFilter'
09:53:40 DEBUG p.j.J2eePreAuthenticatedProcessingFilter : Checking secure context token: null
09:53:40 DEBUG p.j.J2eePreAuthenticatedProcessingFilter : PreAuthenticated J2EE principal: null
09:53:40 DEBUG p.j.J2eePreAuthenticatedProcessingFilter : No pre-authenticated principal found in request
09:53:40 DEBUG o.s.security.web.FilterChainProxy        : /login at position 6 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
09:53:40 DEBUG o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/login'
09:53:40 DEBUG w.a.UsernamePasswordAuthenticationFilter : Request is to process authentication
09:53:40 DEBUG o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
09:53:40 DEBUG o.s.s.a.dao.DaoAuthenticationProvider    : User 'testuser' not found
09:53:40 DEBUG o.s.b.f.s.DefaultListableBeanFactory     : Returning cached instance of singleton bean 'delegatingApplicationListener'
09:53:40 DEBUG w.a.UsernamePasswordAuthenticationFilter : Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials

Answer 1

我找不到任何最终解决方案，但是 this hint helped me让它发挥作用。似乎至少需要一个 web.xml 来“激活”容器身份验证。然后 Spring Security 可以将其处理为预身份验证。

不幸的是，在此解决方案中，容器身份验证的权限(角色)不存在。因此，我不得不完全删除 Spring Security，只使用 web.xml(和 context.xml)。