我有一个基本的REST服务,它公开了基于Spring MVC和@RestController机制的各种API。现在我正在尝试为Spring安全性添加一个拦截器,以便在访问任何其他请求之前要求登录(通过特定的REST请求)。我们的想法是拦截器检查请求的活动会话,如果找不到活动登录,则将其指向登录服务。如果找到活动登录,则拦截器会将请求传递到正确的URL。 我一直在玩XML文件,但我不断得到的是重定向循环。 :(值得注意的是,我根本没有与此服务器关联的视图。访问是通过我无法访问的GUI的http请求完成的。
到目前为止,这是我的配置: web.xml中:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml, /WEB-INF/spring/application-security.xml</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/aisrv/*</url-pattern>
</filter-mapping>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Processes application requests -->
<servlet>
<servlet-name>aisrvServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/aisrvServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>aisrvServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
Servlet的context.xml中
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->
<!-- Enables the Spring MVC @Controller programming model -->
<annotation-driven />
<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by @Controllers to .jsp resources in the /WEB-INF/views directory -->
<beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<beans:property name="prefix" value="/WEB-INF/views/" />
<beans:property name="suffix" value=".jsp" />
</beans:bean>
<context:component-scan base-package="com.bmc.ai.server" />
<!--- Specific beans for my server -->
</beans:beans>
应用security.xml文件:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<http pattern="/resources/**" security="none" />
<http auto-config="true" use-expressions="true">
<!-- <intercept-url pattern="/login" access="ROLE_ADMIN" /> -->
<!-- <intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/accessdenied" access="permitAll" /> -->
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
<!-- <http-basic /> -->
<form-login default-target-url="/test" />
<!-- <logout logout-success-url="/logout" /> -->
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="user" password="123" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
我确信这是非常基本且容易修复的东西,但我似乎无法找到我的手和腿。任何帮助将不胜感激。
============ EDIT ======================= 按照Varun的例子,我修改了我的application-security.xml,如下所示:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<http pattern="/resources/**" security="none" />
<http auto-config="true" use-expressions="true">
<!-- other filters -->
<custom-filter ref="myCustomFilter" before="SESSION_MANAGEMENT_FILTER" />
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
</http>
<beans:bean id="myCustomFilter" class="com.company.server.impl.security.RestFilter">
</beans:bean>
<!-- <http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" access="ROLE_ADMIN" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/accessdenied" access="permitAll" />
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
<http-basic />
<form-login default-target-url="/test" />
<logout logout-success-url="/logout" />
</http>-->
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="user" password="123" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
并添加了以下RestFiletClass:
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.filter.GenericFilterBean;
import com.company.server.controller.ExcpetionHandling.GenericErrorExeception;
import com.company.server.interfaces.comm.ICorbaClient;
public class RestFilter extends GenericFilterBean {
@Override
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = ((HttpServletResponse) res);
HttpServletRequest request = ((HttpServletRequest) req);
ICorbaClient corba = (ICorbaClient)request.getSession().getAttribute("corba");
if(corba.getSuccessfulLogin()){
System.out.println("Authorized through filter");
chain.doFilter(req, res);
}else{
throw new GenericErrorExeception("User unauthorized", null, HttpServletResponse.SC_UNAUTHORIZED);
}
}
}
但是,Spring似乎完全跳过了过滤器。我需要在某处添加它还是用它做更多的事情?
答案 0 :(得分:2)
您需要在spring security xml中添加自定义过滤器。在下面的示例中,已经修改了预构建的过滤器,但您可以将类检出作为参考来构建自己的过滤器。
<http use-expressions="true">
<!-- other filters -->
<custom-filter ref="myCustomFilter" before="SESSION_MANAGEMENT_FILTER" />
</http>
<beans:bean id="myCustomFilter" class="com.mycompany.RestFilter">
</beans:bean>
public class RestFilter extends GenericFilterBean {
// @Override of Filter.doFilter() method
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
// Implement
}
}
Spring安全性会在预定义的SESSION_MANAGEMENT_FILTER之前自动调用此过滤器并运行您的代码。