Spring Security 3.1.4 taglib authorize / authentication与Tomcat 7上的JSF 2.2中的角色层次结构无关

时间:2013-10-15 17:21:51

标签: jsf spring-security hierarchy roles taglib

对于通过http命名空间定义为拦截URL但未在使用JSP Authorize taglib的表达式中定义的Web安全性表达式,将角色Herarchies考虑在内。

我已经阅读了很多内容...... ref1 ref2 ref3 ref4 ref5 ref6

****编辑:**** Ref1和Ref6提到有关过滤器顺序和安全上下文问题的内容在jsp中不可用...(顺便说一句,我使用的是jsf2)也许在那里是需要挖掘的......

编辑2: JSF处理安全标记lib吗?我看了this并尝试that没有成功

编辑3: :我试图通过Maven spring-faces 2.3.2和spring-security-taglibs安装......没有任何反应......有些tuto说创建一个自定义taglib.xml,但它也不起作用,我认为这是旧版本...

我测试了这个facesContext.externalContext.isUserInRole('ROLE')和sec:authorize access =“hasRole('Role')......第一个只有当它是相同的ROLE但它没有考虑层次结构的东西时才有效。 ..和秒:autorize简单地什么都不做,所有角色都打印出来。

请参阅上面的示例,其中一位用户使用ROLE ROLE_ADMIN_PROFILER_NGS: 

    <h:outputText rendered="#{facesContext.externalContext.isUserInRole('ROLE_ADMIN_PROFILER_NGS')}"  value ="ROLE_ADMIN_PROFILER_NGS"></h:outputText> // WORKS <br></br>
<h:outputText rendered="#{facesContext.externalContext.isUserInRole('ROLE_GUEST')}"  value ="ROLE_GUEST"></h:outputText> // SHOULD APPEAR BUT NOTHING HAPPENS<br></br>
<h:outputText rendered="#{facesContext.externalContext.isUserInRole('ROLE_ADMIN')}"  value ="ROLE_ADMIN"> // SHOULD NOT APPEAR AND THAT'S THE CASE</h:outputText><br></br>

/* ALL THE THREE NEXT ARE DISPLAYED WHITHOUT CONTROL AUTORIZATION.*/

<sec:authorize access="hasRole('ROLE_ADMIN_PROFILER_NGS')">ROLE_ADMIN_PROFILER_NGS<br></br></sec:authorize>
<sec:authorize access="hasRole('ROLE_GUEST')">ROLE_GUEST <br></br></sec:authorize>
<sec:authorize access="hasRole('ROLE_ADMIN')">ROLE_ADMIN  <br></br></sec:authorize>

这是我尝试使用角色hierachies来测试的内容:

当一个用户只带有一个角色顾客时......所有的标签都显示出来...它们不会出现,只有GUEST(参见底部的定义)应该出现:

    <sec:authentication property="username" />
    <sec:authorize access="hasRole('ROLE_BABAB')">BABA</sec:authorize>
    <sec:authorize access="hasRole('ROLE_GUEST')">GUEST</sec:authorize>
    <sec:authorize access="hasRole('ROLE_ADMIN')">ADMIN</sec:authorize>

这是我的安全配置: 

   <security:http auto-config="true" access-decision-manager-ref="accessDecisionManager" use-expressions="true" disable-url-rewriting="true">
    <security:intercept-url pattern="/Participant/New/*" access="hasRole('ROLE_ADMIN')" />  
    <security:intercept-url pattern="/Home" access="hasRole('ROLE_GUEST')" />  
    <security:intercept-url pattern="/Login" access="hasRole('ROLE_ANONYMOUS')" />   
     <security:intercept-url pattern="/Login/Error" access="hasRole('ROLE_ANONYMOUS')" />    
    <security:form-login  login-page="/Login"  login-processing-url="/j_spring_security_check"  authentication-failure-url="/Login/Error" default-target-url="/Home" />
    <security:logout logout-url="/j_spring_security_logout" logout-success-url="/Home" delete-cookies="JSESSIONID"  invalidate-session="true"/>
    <security:anonymous/>
     <security:expression-handler ref="defaultWebSecurityExpressionHandler" />
    <security:session-management invalid-session-url="/Login" >
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"  />
    </security:session-management>
   <security:port-mappings>
     <security:port-mapping http="8086" https="8443"/>
    </security:port-mappings>
  </security:http>

<beans:bean id="defaultWebSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
      <beans:property name="roleHierarchy" ref="roleHierarchy"/>
</beans:bean>

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
  <beans:property name="decisionVoters">
    <beans:list>
       <beans:ref bean="roleVoter" />
        <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
            <beans:property name="expressionHandler" ref="defaultWebSecurityExpressionHandler"/>
        </beans:bean>
       <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>

    </beans:list>
  </beans:property>
</beans:bean>


<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <beans:constructor-arg ref="roleHierarchy" />
</beans:bean>

<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
        <beans:value>
            ROLE_ADMIN > ROLE_ADMIN_PROFILER_NGS
            ROLE_ADMIN_PROFILER_NGS > ROLE_GUEST
            ROLE_GUEST > ROLE_GUEST_PROFILER_NGS  
            ROLE_ADMIN > ROLE_ADMIN_PROFILER_CGH
            ROLE_ADMIN_PROFILER_CGH > ROLE_GUEST
            ROLE_GUEST > ROLE_GUEST_PROFILER_CGH
        </beans:value>
    </beans:property>
 </beans:bean>

非常感谢,如果您有其他想法可以测试,欢迎您...

编辑3:

为什么它为RoleHierarchyVoter返回0,为WebExpressionVoter返回1 ...这是正常的吗?

  

14:48:32,861 DEBUG FilterSecurityInterceptor:194 - 安全对象:FilterInvocation:URL:/ Home;属性:[hasRole('ROLE_GUEST')]   14:48:32,861 DEBUG FilterSecurityInterceptor:310 - 以前经过身份验证:org.springframework.security.authentication.UsernamePasswordAuthenticationToken@43a64f5f:校长:com.clb.genomic.lyon.model.User@d46:用户名:jp;密码保护];启用:true; AccountNonExpired:true; credentialsNonExpired:true; AccountNonLocked:true;授权机构:ROLE_ADMIN_PROFILER_NGS;证书:[保护];认证:真实;详细信息:org.springframework.security.web.authentication.WebAuthenticationDetails@0:RemoteIpAddress:192.168.154.18; SessionId:084939D4E097F41ACA6A1F24CD8390BE;授权机构:ROLE_ADMIN_PROFILER_NGS   14:48:32,861 DEBUG RoleHierarchyImpl:117 - getReachableGrantedAuthorities() - 从角色[ROLE_ADMIN_PROFILER_NGS]可以零步或多步到达[ROLE_GUEST_PROFILER_NGS,ROLE_GUEST_PROFILER_CGH,ROLE_ADMIN_PROFILER_NGS,ROLE_GUEST]。   14:48:32,861 DEBUG AffirmativeBased:65 - 选民:org.springframework.security.access.vote.RoleHierarchyVoter@6ff43d69,返回:0   14:48:32,862 DEBUG RoleHierarchyImpl:117 - getReachableGrantedAuthorities() - 从角色[ROLE_ADMIN_PROFILER_NGS]可以零步或多步到达[ROLE_GUEST_PROFILER_NGS,ROLE_GUEST_PROFILER_CGH,ROLE_ADMIN_PROFILER_NGS,ROLE_GUEST]。   14:48:32,862 DEBUG AffirmativeBased:65 - 选民:org.springframework.security.web.access.expression.WebExpressionVoter@3fe932d5,返回:1   14:48:32,862 DEBUG FilterSecurityInterceptor:215 - 授权成功

编辑5: 

     <beans:bean id="login" class="com.clb.genomic.lyon.beans.LoginBean" scope ="session">
          <beans:property name="authenticationManager" ref="authenticationManager" /> 
     </beans:bean>

>     <security:authentication-manager alias="authenticationManager">
>         <security:authentication-provider user-service-ref="userBo" >
>             <security:password-encoder ref="standardPasswordEncoder"/>   
>         </security:authentication-provider>
>     </security:authentication-manager>

1 个答案:

答案 0 :(得分:1)

将RoleHiearchy设置在所有正确的位置可能非常具有挑战性。 Spring WebFlow目前重新实现了许多功能(即it reimplements the taglibs而不是从Spring Security的基本标记扩展),因此这种方法不太可行。

与JSF无缝协作的另一种方法是创建RoleHierarchyAuthoritiesMapper并将其插入AuthenticationProvider。例如,以下配置应该为您提供所需的层次结构。

<security:http auto-config="true"
               use-expressions="true"
               disable-url-rewriting="true">
    <security:intercept-url pattern="/Participant/New/*"
        access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/Home"
        access="hasRole('ROLE_GUEST')" />
    <security:intercept-url pattern="/Login"
        access="hasRole('ROLE_ANONYMOUS')" />
    <security:intercept-url pattern="/Login/Error"
        access="hasRole('ROLE_ANONYMOUS')" />
    <security:form-login login-page="/Login"
        login-processing-url="/j_spring_security_check"
        authentication-failure-url="/Login/Error" default-target-url="/Home" />
    <security:logout logout-url="/j_spring_security_logout"
        logout-success-url="/Home" delete-cookies="JSESSIONID"
        invalidate-session="true" />
    <security:anonymous />

    <security:session-management invalid-session-url="/Login">
        <security:concurrency-control max-sessions="1"
                                      error-if-maximum-exceeded="true" />
    </security:session-management>
    <security:port-mappings>
        <security:port-mapping http="8086" https="8443" />
    </security:port-mappings>
</security:http>


<beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="userDetailsService"/>
    <beans:property name="authoritiesMapper">
        <beans:bean class="org.springframework.security.access.hierarchicalroles.RoleHierarchyAuthoritiesMapper">
            <beans:constructor-arg ref="roleHierarchy"/>
        </beans:bean>
    </beans:property>
    <beans:property name="passwordEncoder">
        <beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>
    </beans:property>
</beans:bean>
<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
        <beans:value>
            ROLE_ADMIN > ROLE_ADMIN_PROFILER_NGS
            ROLE_ADMIN_PROFILER_NGS > ROLE_GUEST
            ROLE_GUEST > ROLE_GUEST_PROFILER_NGS
            ROLE_ADMIN > ROLE_ADMIN_PROFILER_CGH
            ROLE_ADMIN_PROFILER_CGH > ROLE_GUEST
            ROLE_GUEST > ROLE_GUEST_PROFILER_CGH
        </beans:value>
    </beans:property>
 </beans:bean>

<security:user-service id="userDetailsService">
    <security:user name="joe" password="bf403351dfb2ae819874163aff25a49c"
        authorities="ROLE_ADMIN" />
    <security:user name="pete" password="5d2ea1f70185e4357183bb9c00187219"
        authorities="ROLE_ADMIN_PROFILER_CGH" />
</security:user-service>

另外一些亮点是我们更需要以下bean:

  • 的AccessDecisionManager
  • defaultWebSecurityExpressionHandler
  • 的RoleVoter
相关问题
最新问题