我正在使用 spring 安全性,我必须同时使用过滤器链和命名空间。命名空间工作正常,但过滤器链似乎没有!
这是我的配置。一、命名空间:
<sec:global-method-security secured-annotations="enabled" />
<sec:http pattern="/app/login.jsp*" security="none" />
<sec:http pattern="/admin/login.jsp*" security="none" />
<sec:http pattern="/app/*.png" security="none" />
<sec:http pattern="/admin/*.png" security="none" />
<sec:http pattern="/app/**" authentication-manager-ref="authenticationManager"
access-decision-manager-ref="accessDecisionManager">
<sec:intercept-url pattern="/app/**" access="ROLE_USER" />
<sec:access-denied-handler error-page="/app/login.jsp?aer=" />
<sec:form-login login-processing-url="/app/j_spring_security_check"
always-use-default-target="true" default-target-url="/app/index.html"
login-page='/app/login.jsp' authentication-failure-url='/app/login.jsp?login_error' />
<sec:logout logout-url="/app/j_spring_security_logout"
invalidate-session="true" logout-success-url="/app/login.jsp" />
</sec:http>
<sec:http pattern="/admin/**" authentication-manager-ref="authenticationManager"
access-decision-manager-ref="accessDecisionManager">
<sec:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
<sec:access-denied-handler error-page="/admin/login.jsp?aer=" />
<sec:form-login login-processing-url="/admin/j_spring_security_check"
always-use-default-target="true" default-target-url="/admin/index.html"
login-page='/admin/login.jsp' authentication-failure-url='/admin/login.jsp?login_error' />
<sec:logout logout-url="/admin/j_spring_security_logout"
invalidate-session="true" logout-success-url="/admin/login.jsp" />
</sec:http>
这工作正常。但我还需要一个过滤器链来检查其他请求。 (这些请求是动态创建的,我们必须以这种方式控制它们)
这是我的过滤器链:
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<sec:filter-chain pattern="/css/**" filters="none" />
<sec:filter-chain pattern="/common/**" filters="none" />
<sec:filter-chain pattern="/images/**" filters="none" />
<sec:filter-chain pattern="/login.jsp*" filters="none" />
<sec:filter-chain pattern="/rest/**"
filters="
ConcurrentSessionFilter,
securityContextPersistenceFilter,
logoutFilter,
authenticationProcessingFilter,
sessionManagementFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
</security:filter-chain-map>
</bean>
问题是,过滤器链不控制任何东西。我确信当不使用命名空间时过滤器链工作正常。但是当我添加命名空间时,问题就开始了。
为什么?我不能用那个吗?或者我可以,我必须改变什么?
更新:
这是我调用此资源时的调试日志:
/rest/asrv/gtallmmbrsofusrgrp
DEBUG AntPathRequestMatcher - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/app/login.jsp*'
DEBUG AntPathRequestMatcher - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/admin/login.jsp*'
DEBUG AntPathRequestMatcher - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/app/*.png'
DEBUG AntPathRequestMatcher - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/admin/*.png'
DEBUG AntPathRequestMatcher - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/app/**'
DEBUG AntPathRequestMatcher - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/admin/**'
DEBUG FilterChainProxy - /rest/asrv/gtallmmbrsofusrgrp has no matching filters
最佳答案
我认为您在 web.xml 中缺少 DelegatingFilterProxy 条目。但无论如何,
从 Spring 3.1 开始,FilterChainProxy 是使用 SecurityFilterChain 实例列表配置的,FilterChainMap 已弃用。因此,尝试以这种方式配置它:
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
<list>
<sec:filter-chain pattern="/css/**" filters="none" />
<sec:filter-chain pattern="/common/**" filters="none" />
<sec:filter-chain pattern="/images/**" filters="none" />
<sec:filter-chain pattern="/login.jsp*" filters="none" />
<sec:filter-chain pattern="/rest/**"
filters="
ConcurrentSessionFilter,
securityContextPersistenceFilter,
logoutFilter,
authenticationProcessingFilter,
sessionManagementFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
</list>
</constructor-arg>
</bean>
并将过滤器添加到您的 web.xml 中,如下所示:
<filter>
<filter-name>filterChainProxy</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>filterChainProxy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
API Documentation
更新 1 :
要将日志记录添加到您的应用程序,只需将 log4j jar 放在路径上并在您的类路径下添加一个 log4j.properties 文件。
Log4j.properties:
log4j.rootCategory=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} %-5p %c %M - %m\n
log4j.category.org.springframework.security=DEBUG
另见 logging using Log4j
更新 2 :它似乎对我有用,我在rest目录中放置了一个测试页面welcome.xhtml。调试日志如下:
2012-07-30 00:26:05,917 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/javax.faces.resource/**'
2012-07-30 00:26:05,923 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2012-07-30 00:26:05,923 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository readSecurityContextFromSession - No HttpSession currently exists
2012-07-30 00:26:05,923 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository loadContext - No SecurityContext was available from the HttpSession: null. A new one will be created.
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 4 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 5 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 6 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2012-07-30 00:26:05,926 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 7 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2012-07-30 00:26:05,926 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2012-07-30 00:26:05,928 DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter doFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2012-07-30 00:26:05,928 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.session.SessionManagementFilter doFilter - Requested session IDD44EAA53A767F3DC9C7338D3CD335198 is invalid.
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/login.xhtml'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/*'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/admin/**'
2012-07-30 00:26:05,930 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor beforeInvocation - Public object - authentication not attempted
2012-07-30 00:26:05,932 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml reached end of additional filter chain; proceeding with original chain
2012-07-30 00:26:06,229 DEBUG org.springframework.security.web.access.ExceptionTranslationFilter doFilter - Chain processed normally
我认为是您拥有的两个表单登录导致了问题。尝试只有一个登录表单,然后根据角色控制导航。例如,请参阅此问题:Can i use one Login page to redirect different page with Spring 3.0 Security..?
关于Spring Security - 我可以同时使用命名空间和过滤器链吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/11609070/