我有一个部署在 google appengine 上的网络应用程序。我相信这个问题与 GAE 无关,但我缺少一些东西......
基本上,我想强制用户进行身份验证,以便查看/使用 /secured
目录下的任何内容。我的 HTML 页面位于该目录下,但用户可以轻松导航到该页面(无需经过身份验证)。如何使用 SS 保护它?
我的配置 - web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>contextAttribute</param-name>
<param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- to integrate Spring with AppEngine project -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-servlet.xml</param-value>
</context-param>
<!-- if we work with Spring-security, we already have a listener -->
<!-- listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener-->
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
spring-servlet.xml:
<context:annotation-config />
<context:property-placeholder location="classpath:client.properties" />
<context:component-scan base-package="com.nice.coffee" />
<context:component-scan base-package="com.ohadr.auth_flows" />
<context:component-scan base-package="com.ohadr.crypto" />
<mvc:annotation-driven />
<mvc:default-servlet-handler />
<!-- dont use debug! https://jira.spring.io/browse/SEC-1885 >
<sec:debug />
-->
<mvc:resources mapping="/secured/**" location="/secured/" />
<sec:http pattern="/login/**" security="none" />
<sec:http pattern="/forgotPasswordPage" security="none" />
<sec:http pattern="/forgotPassword" security="none" />
<sec:http pattern="/createAccountPage" security="none" />
<sec:http pattern="/createAccount" security="none" />
<sec:http authentication-manager-ref="authenticationManager">
<sec:intercept-url pattern="/**/ohad.html" access="ROLE_ADMIN" />
<sec:intercept-url pattern="/secured/**" access="ROLE_USER" />
<sec:anonymous />
<sec:form-login login-page="/login/login.htm"
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-handler-ref="authenticationFailureHandler" />
</sec:http>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider
user-service-ref="userDetailsService">
<sec:password-encoder hash="sha-256">
<sec:salt-source user-property="username" />
</sec:password-encoder>
</sec:authentication-provider>
</sec:authentication-manager>...
我的项目层次结构:
...提前致谢!
最佳答案
而不是将 protected 页面放在 src/main/webapp/secured
下,直接提供服务,将它们放入src/main/resources/secured
,并将您的资源声明更改为
<mvc:resources mapping="/secured/**" location="classpath:/secured/" />
关于java - 无法使用 Spring-Security 保护 HTML 文件,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/23448255/