我正在尝试使用基于hippo cms插件的spring security。我创建了内部河马3子站点,每个子站点都有登录。我应该如何配置spring-security-context.xml以支持多个子网站?所有子网站都将使用相同的身份验证提供程序。直到现在我已配置其中一个子网站。
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:lang="http://www.springframework.org/schema/lang"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/lang http://www.springframework.org/schema/beans/spring-lang-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- HTTP Security Configuration -->
<!-- HTTP Security Configuration -->
<http auto-config="true">
<intercept-url pattern="/css/**" />
<intercept-url pattern="/images/**" />
<intercept-url pattern="/binaries/**" />
<intercept-url pattern="/vop/**" access="IS_AUTHENTICATED_ANONYMOUSLY, ROLE_everybody" />
<form-login login-page="/vop"
default-target-url="/vop/vop-mysurvey-page"
always-use-default-target="true" />
<logout logout-url="/logout.jsp" logout-success-url="/vop"/>
</http>
<!--
Authentication Manager configuration with Hippo Repository based Authentication Provider configuration ('hippoAuthenticationProvider').
However, you can use any other authentication provider(s) if you don't need to authenticate users against Hippo Repository.
-->
<authentication-manager>
<authentication-provider ref="hippoAuthenticationProvider"/>
</authentication-manager>
<!--
Hippo Repository based Authentication Provider. This Authentication Provider provide authentication against Hippo Repository Security Store.
If you don't need to authenticate users against Hippo Repository, you don't have to include the following bean.
-->
<beans:bean id="hippoAuthenticationProvider"
class="org.onehippo.forge.security.support.springsecurity.authentication.HippoAuthenticationProvider">
</beans:bean>
例如,我想要<http auto-config="true">
<intercept-url pattern="/css/**" />
<intercept-url pattern="/images/**" />
<intercept-url pattern="/binaries/**" />
<intercept-url pattern="/erop/**" access="IS_AUTHENTICATED_ANONYMOUSLY, ROLE_everybody" />
<form-login login-page="/erop"
default-target-url="/erop/mypage"
always-use-default-target="true" />
<logout logout-url="/logout.jsp" logout-success-url="/erop"/>
</http>
任何想法?
答案 0 :(得分:1)
据我所知,spring安全框架基于servlet过滤器,其配置似乎与Web应用程序上下文相关联。因此,我认为您目前不能在单个Web应用程序上下文中托管多个Spring安全上下文。
答案 1 :(得分:0)
Spring安全支持保护多个子网站。配置取决于您的子网站,无论它们是否使用单独的主机名。
当您的子网站在相同的主机名下运行时,您可以像这样配置它:
<http pattern="/vop/**" ... >
...
</http>
<http pattern="/erop/**" ... >
...
</http>
但是,如果您的子网站运行在不同的主机名上,则可能是网址模式重叠。在这种情况下,您需要按主机名进行过滤,例如:
<bean id="vopMatcher" class="org.springframework.security.web.util.ELRequestMatcher">
<constructor-arg value="hasHeader('host','vop.com')"/>
</bean>
<bean id="eropMatcher" class="org.springframework.security.web.util.ELRequestMatcher">
<constructor-arg value="hasHeader('host','erop.com')"/>
</bean>
<http request-matcher-ref ="vopMatcher" ... >
...
</http>
<http request-matcher-ref ="eropMatcher" ... >
...
</http>