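When I call a Spring @Secured method on a @Service class from a normal @Controller class, authentication works fine.
When I call the same method from an IText PDF filter, using an org.xhtmlrenderer.extend.ReplacedElementFactory implementation, I get the following stack trace: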
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:325)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:196)
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:622)
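Security is clearly working, because users without the required role get "access denied", while other users with the correct role have no problem at all.
Here is a snippet of my web.xml: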
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
    <filter-name>pdfFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>pdfFilter</filter-name>
    <url-pattern>/reports/pdf/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Here is a snippet of the ReplacedElementFactory implementation:
@Inject private ImageService imageService;

@Override
public ReplacedElement createReplacedElement(LayoutContext ctx, BlockBox box, UserAgentCallback uac, int width, int height) {
    Element el = box.getElement();
    if (el == null) {
        return null;
    }
    String nodeName = el.getNodeName();
    if (nodeName.equalsIgnoreCase("img")) {
        String srcAttr = el.getAttribute("src");
        FSImage fsImage;
        try {
            fsImage = getImage(srcAttr, uac);
        } catch (BadElementException ex) {
            fsImage = null;
        } catch (IOException ex) {
            fsImage = null;
        } catch (NullPointerException ex) {
            fsImage = null;
        }
        if (fsImage != null) {
            if (width != -1 || height != -1) {
                fsImage.scale(width, height);
            }
            return new ITextImageElement(fsImage);
        }
    }
    return null;
}

private FSImage getImage(String src, UserAgentCallback uac) throws IOException, BadElementException, NullPointerException {
    FSImage fsImage;
    String[] split = src.split("/");
    if (src.contains("image/person/")) {
        Long id = Long.valueOf( split[split.length - 1] );
        Image img = imageService.getPersonImageByImageId(id);
        fsImage = new ITextFSImage(com.lowagie.text.Image.getInstance(img.getImage()));
        return fsImage;
    }
Here is my ImageService class method:
@Secured({"ROLE_MY_ROLE_READ"})
public Image getPersonImageByImageId(Long imageId) {
    return imageDao.findOne(imageId);
}
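The failure occurs when the image service method is called, because it is secured and the ReplacedElementFactory implementation has no access to the security context, but how do I authenticate?
I'm new to posting here, so please let me know if anything else is needed.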
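Answer 0 (score: 0)
Not sure how you have configured security. But if you have already used it, then check the order of the filters. The security filter should come before your pdffilter.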
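The ordering check the answer suggests can be automated. A servlet container builds the chain for URL-pattern mappings in the order the <filter-mapping> elements appear in web.xml, so any filter mapped ahead of springSecurityFilterChain runs before Spring Security has processed the request. The script below is an added example, not code from the question or the answer; the function names are hypothetical, the sample is constructed from the mapping order posted in the question, and servlet-name mappings are not handled.

```python
import xml.etree.ElementTree as ET

SECURITY_FILTER = "springSecurityFilterChain"

# Constructed sample: the <filter-mapping> order from the question's web.xml.
AS_POSTED = """<web-app>
  <filter-mapping>
    <filter-name>pdfFilter</filter-name>
    <url-pattern>/reports/pdf/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

def _local(tag):
    # Drop any "{namespace}" prefix ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]

def _mappings(root):
    # (element, filter name) for each <filter-mapping>, in descriptor order.
    out = []
    for el in root:
        if _local(el.tag) == "filter-mapping":
            name = next(c.text.strip() for c in el if _local(c.tag) == "filter-name")
            out.append((el, name))
    return out

def filters_before_security(web_xml):
    """Names of filters mapped ahead of the security chain (they run before it)."""
    names = [n for _, n in _mappings(ET.fromstring(web_xml))]
    if SECURITY_FILTER not in names:
        raise ValueError("no <filter-mapping> for " + SECURITY_FILTER)
    return names[:names.index(SECURITY_FILTER)]

def move_security_first(web_xml):
    """Return the descriptor with the security chain's mapping ahead of all others."""
    root = ET.fromstring(web_xml)
    maps = _mappings(root)
    sec = next(el for el, n in maps if n == SECURITY_FILTER)
    first = maps[0][0]
    if sec is not first:
        root.remove(sec)
        root.insert(list(root).index(first), sec)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(filters_before_security(AS_POSTED))  # filters that run too early
```

Run against a real descriptor, a non-empty result from filters_before_security lists the filters to review; move_security_first shows the reordered mappings.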