使用spring安全性处理静态资源

时间:2013-01-04 15:17:45

标签: java spring spring-security static-resource

您好我需要使用Spring Security处理的静态资源,我希望它仍然保持静态,意思是它不用DispatcherServlet处理。我有一个文件夹保留用于非安全资源,一个文件夹用于安全资源。在从资源处理程序中排除/res/secured之前,我无法完成这项工作。但是,如果我这样做,安全资源是用DispatcherServlet处理的,我认为这是不对的(也许我错了? - >发布解释或链接)。

我的配置:

/*--- Directories structure ---*/
res
|-- nonsecured
|-- secured
/*--- /Directories structure ---*/

/*--- WebApplicationInitializer ---*/
Dynamic portalSecurityFilter = servletContext.addFilter("portalSecurityFilter", new PortalSecurityFilter());
portalSecurityFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");

// Spring Security filtr
Dynamic securityFilter = servletContext.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class);
securityFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");

CharacterEncodingFilter characterEncodingFilter = new CharacterEncodingFilter();
characterEncodingFilter.setEncoding("UTF-8");

Dynamic dynamicCharacterEncodingFilter = servletContext.addFilter("characterEncodingFilter", characterEncodingFilter);
dynamicCharacterEncodingFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");

Dynamic ajaxFilter = servletContext.addFilter("ajaxFilter", new AjaxFilter());
ajaxFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");

// Root context
AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext();
rootContext.register(WebConfig.class);

// Dispatcher servlet
ServletRegistration.Dynamic dispatcherServlet = servletContext.addServlet("dispatcherServlet", new DispatcherServlet(rootContext));
dispatcherServlet.setLoadOnStartup(1);
dispatcherServlet.addMapping("/");

servletContext.addListener(new ContextLoaderListener(rootContext));
/*--- /WebApplicationInitializer ---*/

/*--- Web configuration part ---*/
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
    super.addResourceHandlers(registry);
    registry.addResourceHandler("/res/**").addResourceLocations("/WEB-INF/res/");
}
/*--- /Web configuration part ---*/

/*--- Spring Security confogiration part ---*/
<http pattern="/res/unsecured/**" security="none" />

<http pattern="/**" use-expressions="true" authentication-manager-ref="myAuthenticationManager">

    <intercept-url pattern="/res/secured/**" access="hasRole('ROLE_USER_AUTHENTICATED')" />
    <intercept-url pattern="/**" access="permitAll" />
</http>
/*--- /Spring Security confogiration part ---*/

感谢您的回答。

修改

  

在我玩的时候,我觉得<http pattern="/res/unsecured/**" security="none" />在安全方面有所作为   配置是没有意义的,因为资源服务的资源   处理程序不要通过Spring Security过滤器链。我错过了吗   什么东西或我的配置错了?

1 个答案:

答案 0 :(得分:2)

我必须管理这是我的耻辱。 Spring Security按预期工作,上面的配置运行良好。我的问题是浏览器缓存了静态资源(即PDF文件),我只是没注意到它。如果您遇到同样的问题,请先尝试进行硬刷新,然后再花时间搜索问题:)

相关问题
最新问题