试图在struts2上应用Spring安全性,但它不起作用

时间:2013-02-15 04:16:47

标签: java struts2 spring-security

我有以下代码在struts2上应用Spring安全性,但它允许用户查看安全页面,虽然我没有实现数据源部分(因为我不知道如何)但我不希望它启用未经授权的用户打开页面。

Web.xml 

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring/*-context.xml
        </param-value>
    </context-param>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>


    <context-param>
        <param-name>org.apache.tiles.impl.BasicTilesContainer.DEFINITIONS_CONFIG</param-name>
        <param-value>/WEB-INF/tiles.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
    </listener>
    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>

我的jsp 

<%@taglib uri="/struts-tags" prefix="s"%>
    <sec:authorize ifAllGranted="ROLE_ADMIN">
        <a href="<s:url namespace ="/Profile" action="view.action"/>" >Profile</a>
    </sec:authorize>

我的安全方法

import org.apache.struts2.convention.annotation.Action;
import org.springframework.security.access.annotation.Secured;

@Action
public class Profile{

    @Secured ({"ROLE_ADMIN"})
    public String view(){
        System.out.println("view");
        return "View"; 
    }

安全-context.xml中

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:global-method-security secured-annotations="enabled" />

    <security:http auto-config="true">
        <!-- Restrict URLs based on role -->
        <security:intercept-url pattern="/index*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <security:intercept-url pattern="/css/main.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <security:intercept-url pattern="/**" access="ROLE_USER" />

        <!-- Override default login and logout pages -->
        <security:form-login login-page="/login.html" 
                             login-processing-url="/loginProcess" 
                             default-target-url="/index.jsp" 
                             authentication-failure-url="/login.html?login_error=1" />
        <security:logout logout-url="/logout" logout-success-url="/logoutSuccess.html" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider >
            <security:jdbc-user-service data-source-ref="dataSource" />
        </security:authentication-provider>
    </security:authentication-manager>

</beans>

1 个答案:

答案 0 :(得分:1)

为了通过URL保护您的struts应用程序,您需要确保在struts2之前具有for springSecurityFilterChain。您发布的配置似乎根本没有springSecurityFilterChain。简而言之,按如下方式更新配置:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>
<filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>
<!-- The order of filter-mapping is important springSecurityFilterChain should be first! -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

以上设置将使用基于URL的安全性保护您的应用程序。但是,为了使用基于方法的安全性来保护应用程序,您需要确保允许Spring创建使用@Secured注释的对象。为此,请确保您已按照参考中提供的integrating Spring and Struts上的说明进行操作。

相关问题
最新问题