Question

我是Spring Security的新手，所以我可能会错过一些东西。我有一个Spring应用程序，它使用我希望使用Spring Security保护的WebApplication启动Jetty。 webapp正在运行且可访问，但不受限制。我已经尝试了很多东西，但没有任何工作，所以我把它分解成一个最小的设置，但仍然没有机会。 webapp由以下java配置配置：

@EnableWebMvc
@Configuration
@Import(SecurityConfiguration.class)
@ComponentScan(useDefaultFilters = false, basePackages = { "myapp.web" }, includeFilters = { @ComponentScan.Filter(Controller.class) })
public class SpringMvcConfiguration extends WebMvcConfigurerAdapter {
    /**
     * Allow the default servlet to serve static files from the webapp root.
     */
    @Override
    public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
        configurer.enable();
    }
}

和Spring Security配置在这里：

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
        .inMemoryAuthentication()
        .withUser("user")
        .password("password")
        .roles("ADMIN")
        .authorities("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
        .anyRequest()
        .hasAuthority("ADMIN");
    }
}

和一些像这样的控制器：

@Controller
public class SecuredController {

    @RequestMapping(value = "/secure", method = RequestMethod.GET)
    @ResponseBody
    public String secured() {
        return "you should not see this unless you provide authentication";
    }
}

一切都正常启动，日志告诉我，控制器已映射...

    [2014-10-01 20:21:29,538, INFO ] [main] mvc.method.annotation.RequestMappingHandlerMapping:197 - Mapped "{[/secure],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String myapp.web.SecuredController.secured()

......而且安全性也已到位......

    [2014-10-01 20:21:30,298, INFO ] [main] gframework.security.web.DefaultSecurityFilterChain:28 - Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@352c308, org.springframework.security.web.context.SecurityContextPersistenceFilter@2af616d3, org.springframework.security.web.header.HeaderWriterFilter@1a2e2935, org.springframework.security.web.csrf.CsrfFilter@64f857e7, org.springframework.security.web.authentication.logout.LogoutFilter@bc57b40, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3deb2326, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@7889a1ac, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@7d373bcf, org.springframework.security.web.session.SessionManagementFilter@5922ae77, org.springframework.security.web.access.ExceptionTranslationFilter@7e1a1da6, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@1051817b]

...但我的控制器的/secure网址是无条件可达的。我做错了什么？

PS。我想避免使用xml config

Answer 1

为了将Spring Security与Spring MVC集成，您必须在@EnableWebMvcSecurity类中使用@EnableWebSecurity注释而不是SecurityConfiguration。

Answer 2

我想，我必须将Spring Security配置的初始化移动到根上下文，而不是dispatcher-servlet上下文，并添加以下行来配置我的嵌入式Jetty的上下文：

    context.addFilter(new FilterHolder(new DelegatingFilterProxy("springSecurityFilterChain")), "/*", EnumSet.allOf(DispatcherType.class));

无法让Spring Security工作

2 个答案: