Glassfish 3上的Spring 2安全性在表单验证后显示基本身份验证

时间:2012-09-10 18:20:00

标签: spring spring-security glassfish-3

我们正在尝试将现有的基于Spring 2.5的应用程序升级到Glassfish 3.1.2.2。

此应用程序在具有Spring 2安全性的Glassfish 2.1上运行良好。我们正在使用我们的自定义身份验证设置。

该应用程序在GF3上部署得很好。当我们尝试登录到应用程序时,会显示基于自定义表单的身份验证页面。提供凭据后,我们将获得使用GF3服务器文件域的基本身份验证弹出窗口。

我们已经尝试过这些选项并且无效

  • This SO Thread没有回答

  • 将Spring版本升级到最新版本2.5.6.SEC03 - 这仍然显示相同的问题

升级到Spring 3不是我们的选择,因为我们遇到了一些在Spring 2上具有编译时依赖性的第三方供应商库。

我们已经得到了甲骨文的支持,结果证明它们没用(总是他们的支持令人失望)

您是否了解这种情况的解决方法?

以下是我们在web.xml中的安全配置代码

 <filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 </filter>
 <filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>
  <security-constraint>
   <web-resource-collection>
    <web-resource-name>app</web-resource-name>
    <url-pattern>/app/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
   </web-resource-collection>
 </security-constraint>

下面是spring beans.xml中的安全配置代码

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

<http
    access-decision-manager-ref="accessDecisionManager" auto-config="false" realm="SPRING"
    session-fixation-protection="none"
    servlet-api-provision="true"
    entry-point-ref="authEntryPoint"
    >
    <intercept-url pattern="/Login*" filters="none"/>
    <intercept-url pattern="/styles.css" filters="none"/>
    <intercept-url pattern="/images/**" filters="none"/>
    <intercept-url pattern="/**.js" filters="none"/>        
    <intercept-url pattern="/**.html" access="users"/>
    <intercept-url pattern="/**.htmlx" access="users"/>

</http>

<authentication-manager alias="authenticationManager"/>
<!--  Override of default auth processing filter, to allow custom actions on login
    that have access to servlet stuff. This allows access to Tapestry-specifics, for
    doing things like creating the custom visit ASO. -->
<beans:bean id="customAuthFilter" class="com.mycomp.core.security.TapestryIntegrationFilter">
    <custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
    <beans:property name="defaultTargetUrl" value="/Home.html"/>
    <beans:property name="filterProcessesUrl" value="/j_security_check"/>
    <beans:property name="authenticationFailureUrl" value="/Login.html"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<!-- When using a custom auth filter, you need a custom auth entry point, because you
    can't configure this using the "form-login" element under the "http" element. -->
<beans:bean id="authEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <beans:property name="loginFormUrl" value="/Login.html"/>
</beans:bean>

<!-- This, unfortunately, has to be defined to allow us to remove the "ROLE_" prefix from
    rolenames, by defining a roleVoter with an empty prefix. To wire in the voter, you
    have to define the access decision manager. -->
<beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
                <beans:property name="rolePrefix" value=""/>
            </beans:bean>
            <beans:bean id="authenticatedVoter" class="org.springframework.security.vote.AuthenticatedVoter"/>
        </beans:list>
    </beans:property>
</beans:bean>

<!-- PIMA-specific authorization provider. It gets plugged into the framework by using the
    custom-authentication-provider element. -->
<beans:bean id="pscAuthenticationProvider" class="com.myapp.core.security.CustomAuthenticationProvider">
    <beans:property name="customUserDao" ref="customUserDao"/>
    <beans:property name="passwordUtility" ref="passwordUtility"/>
    <beans:property name="transactionManager" ref="transactionManager"/>
    <custom-authentication-provider/>
</beans:bean>

<beans:bean id="passwordUtility" class="com.myapp.core.security.PasswordUtility">
    <!-- Comment/uncomment to toggle password encoding off/on -->
    <beans:property name="saltSource">
        <beans:bean class="org.springframework.security.providers.dao.salt.SystemWideSaltSource">
            <beans:property name="systemWideSalt" value="somegoodsalt"/>
        </beans:bean>
    </beans:property>
    <beans:property name="passwordEncoder">
        <beans:bean class="org.springframework.security.providers.encoding.Md5PasswordEncoder"/>
    </beans:property>
    <!--        -->
</beans:bean>

<beans:bean id="securityService" class="com.scea.core.security.SecurityService">
    <beans:property name="passwordUtility" ref="passwordUtility"/>
</beans:bean>

0 个答案:

没有答案
相关问题
最新问题