我正在使用Spring创建一个网站,并希望文件夹“/ admin”下的所有页面都是安全的。然而,真的不知道从哪里开始,只有一个复杂的例子继续下去。
在工作中,我们将细节存储在数据库中,但我希望它可以比这更简单,可能存储在context.xml或其他东西中?我遇到了这个页面:
的web.xml:
<security-constraint>
<display-name>admin pages</display-name>
<web-resource-collection>
<web-resource-name>Administration Pages</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>userAdmin</role-name>
</auth-constraint>
<!-- <user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>-->
</security-constraint>
在tomcat-users.xml中我有以下密码信息:
<user password="password" roles="tomcat,role1,manager-script,manager-gui,admin,manager" username="user"/>
但是当我尝试访问页面/admin/adminindex.htm时,我收到了一个禁止的错误:
禁止访问指定的资源(已拒绝访问所请求的资源)。
理想情况下,我想将用户详细信息存储在数据库中,但目前无法继续使用。
答案 0 :(得分:2)
我会调查Spring Security,它为保护网站提供了大量选项(包括数据库支持或JNDI支持的安全性)。 tutorial可能是一个很好的起点。
答案 1 :(得分:0)
This is how I secure applications using Spring Security, here is the web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-servlet.xml
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-servlet.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/myapp/*</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
spring-security.xml
<security:http auto-config="true" use-expressions="true" access-denied-page="/" create-session="never" disable-url-rewriting="true">
<security:intercept-url pattern="/myapp/auth/login" access="permitAll" />
<security:intercept-url pattern="/myapp/main/**" access="hasRole('ROLE_USER')" />
<security:form-login login-page="/" authentication-failure-url="/myapp/auth/login?error=true" default-target-url="/myapp/main/default"/>
<security:logout invalidate-session="true" logout-success-url="/myapp/auth/login" logout-url="/myapp/auth/logout" />
</security:http>
In order to authenticate using a Database you can use an Authentication Manager like this in spring-security.xml
<security:authentication-manager>
<security:authentication-provider user-service-ref="userService">
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>
Where "userService" is a service you define that has access to the Database, your service must implement org.springframework.security.core.userdetails.UserDetailsService and write the method
public UserDetails loadUserByUsername(String userName)
throws UsernameNotFoundException, DataAccessException {
UserDetails user = null;
try {
// Replace loadUserFromDB with your Data access method to pull the user and encrypted password from the database
Users u = loadUserFromDB(userName);
if(u != null)
user = new User(u.getEmail(), u.getPassword().toLowerCase(), true, true, true, true, getAuthorities(0));
} catch (Exception e) {
e.printStackTrace();
}
return user;
}
Spring security will use this method to secure your pages. Make sure to include this method:
public Collection<GrantedAuthority> getAuthorities(Integer access) {
// Create a list of grants for this user
List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(1);
authList.add(new GrantedAuthorityImpl("ROLE_USER"));
authList.add(new GrantedAuthorityImpl("ROLE_ANONYMOUS"));
return authList;
}
答案 2 :(得分:0)
我将从这开始:
http://docs.spring.io/autorepo/docs/spring-security/3.0.x/reference/springsecurity.html
您还可以查看已经具有开始使用Spring Security的基本代码的项目。 />
https://github.com/pgardunoc/spring-security