spring - 在 google app engine 上实现 spring security

Question

我正在尝试将 Spring Security 集成到 Google App Engine 上。但它不能正常工作。我希望在用户尝试访问 index 页面时对用户进行身份验证，并将他们重定向到 login 页面。但是现在我可以直接访问 index 页面了。

我关注了spring.io网站教程和mkyong教程。

这是我的 pom.xml 依赖项的一部分

<dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context</artifactId>
            <version>4.1.5.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.webflow</groupId>
            <artifactId>spring-webflow</artifactId>
            <version>2.4.0.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>3.2.6.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>3.2.6.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>jstl</groupId>
            <artifactId>jstl</artifactId>
            <version>1.2</version>
        </dependency>

AppConfig 类

@EnableWebMvc
@Configuration
//@ComponentScan({ "com.example.web.*" })
@ComponentScan({ "com.example.web" })
@Import({ SecurityConfig.class })
public class AppConfig {
    @Bean
    public InternalResourceViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setViewClass(JstlView.class);
        viewResolver.setPrefix("/WEB-INF/jsp/");
        viewResolver.setSuffix(".jsp");
        return viewResolver;
    }
}

SecurityConfig 类

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password")
                .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().formLogin()
                .loginPage("/account/login");
    }
}

SecurityWebApplicationInitializer 类

public class SecurityWebApplicationInitializer extends
        AbstractSecurityWebApplicationInitializer {
}

WebApplicationInitializer 类

public class WebApplicationInitializer extends
        AbstractAnnotationConfigDispatcherServletInitializer {
    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class[] { AppConfig.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return null;
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }
}

AccountController 类

@Controller
@RequestMapping("/account")
public class AccountController {

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String Index(Model model) {

        return "login";
    }
}

HomeController 类

@ Controller @RequestMapping("/") 公共(public)类 HomeController {

@RequestMapping(method = RequestMethod.GET)
public String Index(Model model) {

    model.addAttribute("x", 1);
    model.addAttribute("y", 2);
    model.addAttribute("z", 3);

    return "index";
}

index.jsp页面

<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page session="true"%>
<!DOCTYPE html>
.....

login.jsp页面

<%@page session="false"%>
<!DOCTYPE html>

我现在想要实现的是将未经身份验证的用户重定向到登录页面。 但是现在不行了，我可以直接访问首页。

Answer 1

WebApplicationInitializer 需要 Servlet 3.0，但 Appengine 仅支持 Servlet 2.5。所以你必须使用基于纯 XML 的配置，至少在初始化时是这样。并在 web.xml 中手动配置 Spring filter/servlet。

你需要在web.xml中放入:

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring-security.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<servlet>
    <servlet-name>spring-dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    <init-param>
        <param-name>contextClass</param-name>
        <param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
    </init-param>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>path.to.AppConfig</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>spring-dispatcher</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>

并进入 spring-security.xml:

<context:annotation-config/>
<beans:bean class="path.to.SecurityConfig"/>

基本上它都是 servlet 3.0 之前的标准内容，您可以使用任何基于 servlet 2.4 或 2.5 的教程(或旧文档)，它可以在 Appengine 上运行。

请注意，您也可以在 https://code.google.com/p/googleappengine/issues/detail?id=3091 投票支持 Servlet 3.0。