在Spring中创建安全页面

时间:2013-02-16 17:34:23

标签: spring

我正在使用Spring创建一个网站,并希望文件夹“/ admin”下的所有页面都是安全的。然而,真的不知道从哪里开始,只有一个复杂的例子继续下去。

在工作中,我们将细节存储在数据库中,但我希望它可以比这更简单,可能存储在context.xml或其他东西中?我遇到了这个页面:

enter image description here

的web.xml:

    <security-constraint>
    <display-name>admin pages</display-name>
    <web-resource-collection>
        <web-resource-name>Administration Pages</web-resource-name>
        <description/>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>userAdmin</role-name>
    </auth-constraint>
    <!--  <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>-->
</security-constraint>

在tomcat-users.xml中我有以下密码信息:

<user password="password" roles="tomcat,role1,manager-script,manager-gui,admin,manager" username="user"/>

但是当我尝试访问页面/admin/adminindex.htm时,我收到了一个禁止的错误:

  

禁止访问指定的资源(已拒绝访问所请求的资源)。

理想情况下,我想将用户详细信息存储在数据库中,但目前无法继续使用。

3 个答案:

答案 0 :(得分:2)

我会调查Spring Security,它为保护网站提供了大量选项(包括数据库支持或JNDI支持的安全性)。 tutorial可能是一个很好的起点。

答案 1 :(得分:0)

This is how I secure applications using Spring Security, here is the web.xml

<filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-servlet.xml
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>


    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring-servlet.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>/myapp/*</url-pattern>
    </servlet-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>



spring-security.xml


     <security:http auto-config="true" use-expressions="true" access-denied-page="/" create-session="never" disable-url-rewriting="true">

    <security:intercept-url pattern="/myapp/auth/login" access="permitAll" />
    <security:intercept-url pattern="/myapp/main/**"  access="hasRole('ROLE_USER')" />

    <security:form-login login-page="/" authentication-failure-url="/myapp/auth/login?error=true" default-target-url="/myapp/main/default"/>
    <security:logout invalidate-session="true" logout-success-url="/myapp/auth/login" logout-url="/myapp/auth/logout" />

</security:http>


In order to authenticate using a Database you can use an Authentication Manager like this in spring-security.xml



 <security:authentication-manager>
        <security:authentication-provider user-service-ref="userService">
            <security:password-encoder ref="passwordEncoder" />
        </security:authentication-provider>
    </security:authentication-manager>

Where "userService" is a service you define that has access to the Database, your service must implement org.springframework.security.core.userdetails.UserDetailsService and write the method 


 public UserDetails loadUserByUsername(String userName)
        throws UsernameNotFoundException, DataAccessException {
    UserDetails user = null;
    try {
        // Replace loadUserFromDB with your Data access method to pull the user and encrypted password from the database
        Users u = loadUserFromDB(userName);
        if(u != null)
            user = new User(u.getEmail(), u.getPassword().toLowerCase(), true, true, true, true, getAuthorities(0));
    } catch (Exception e) {
        e.printStackTrace();
    }
    return user;
 }


Spring security will use this method to secure your pages. Make sure to include this method:


    public Collection<GrantedAuthority> getAuthorities(Integer access) {
    // Create a list of grants for this user
    List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(1);
    authList.add(new GrantedAuthorityImpl("ROLE_USER"));
    authList.add(new GrantedAuthorityImpl("ROLE_ANONYMOUS"));
    return authList;
    }

答案 2 :(得分:0)

我将从这开始:

http://docs.spring.io/autorepo/docs/spring-security/3.0.x/reference/springsecurity.html
您还可以查看已经具有开始使用Spring Security的基本代码的项目。 /> https://github.com/pgardunoc/spring-security