Spring JSP authorize tag always true, always hidden

Time: 2015-03-23 13:47:52

Tags: java spring jsp spring-mvc tomcat

We are on the latest version of Spring. The project I'm working on is essentially a blog manager (it's a coding bootcamp capstone project), and for the life of us we cannot figure out what is going on with Spring Security. Login appears to work correctly, and Spring locks down the endpoints we specified for regular users and admin users. However, the Spring Security tags do not seem to work in our JSPs. The authorize tag always hides the content no matter who is logged in, when of course we want it shown if an admin is logged in. The relevant JSP code:

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>

<sec:authorize access="hasRole('ROLE_ADMIN')">
    <!-- stuff to hide -->
</sec:authorize>

Here is our spring-security.xml file:

<!-- #1 - Make security the default namespace -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
  http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
  http://www.springframework.org/schema/security
  http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- #2 - Make sure we don’t need authorization to get to the login or home page -->

    <http pattern="/home" security="none"/>
    <http pattern="/" security="none"/>
    <http pattern="/img/**" security="none"/>
    <http pattern="/css/**" security="none"/>
    <http pattern="/login" security="none"/>
    <http pattern="/contact" security="none"/>
    <http pattern="/posts/**" security="none"/>
    <http pattern="/post/**" security="none"/>
    <http pattern="/pages/**" security="none"/>
    <http pattern="/comments/**" security="none"/>
    <http pattern="/js/**" security="none"/>

    <!-- #3 - Authentication/login form and protected endpoint configuration --> 
    <http auto-config="true" use-expressions="false">
        <!-- #3a - Login via html form, use Spring to do the security check --> 
        <!-- #3b - Use the login page at this endpoint --> 
        <!-- #3c - Redirect here if login fails --> 
        <form-login login-processing-url="/j_spring_security_check"
                    login-page="/login"
                    authentication-failure-url="/login?login_error=1"/>
        <!-- #3d - Go back to home page when user logs out -->
        <logout logout-success-url="/home" />
        <!-- #3e - Access to these endpoints require admin role -->

        <!--new try NO! -->
        <intercept-url pattern="/admin" access="ROLE_ADMIN" />
        <intercept-url pattern="/addPost" access="ROLE_ADMIN" />
        <intercept-url pattern="/addPage" access="ROLE_ADMIN" />
        <intercept-url pattern="/comment/**" access="ROLE_ADMIN" />
        <!--<intercept-url pattern="/post" access="ROLE_ADMIN" />-->
        <intercept-url pattern="/editPost/**" access="ROLE_ADMIN" />

        <!-- #3f - Access to all other controller endpoints require user role -->
        <intercept-url pattern="/**" access="ROLE_USER" />
    </http>
    <!-- #4 - Authentication Manager config -->
    <authentication-manager>
        <!-- #4a - Authentication Provider - we’re using the JDBC service -->
        <authentication-provider>
            <!-- #4b - Tells Spring Security where to look for user information -->
            <!--       We use the dataSource defined in spring-persistence.xml  --> 
            <!--       and we give Spring Security the query to use to lookup   --> 
            <!--       the user’s credentials (get the password from the users  --> 
            <!--       tables and get the roles from the authorities table)     -->
            <jdbc-user-service id="userService"
                               data-source-ref="dataSource"
                               users-by-username-query=
          "select username, password, enabled from users where username=?"
                               authorities-by-username-query=
          "select username, authority from authorities where username=?" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>

And finally, the filter from the web.xml file:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
<!--         #1a - Intercept ALL requests to this application -->
        <url-pattern>/*</url-pattern>
    </filter-mapping>

While searching, it seems that a lot of these problems are caused by filter ordering in web.xml, particularly with site-mesh, but we are not using site-mesh and we do not have any other filters. We also tried changing the JSP tag to <sec:authorize access="permitAll()">, and it still hides the element, no matter which element it is, who is logged in, or which JSP we put it in. Two of us have spent 5 hours on this and we are now completely out of ideas.

EDIT:

The problem turned out to be the http patterns with security="none" at the top of spring-security.xml. As far as I can tell, it prevents any Spring Security filter from working properly on the specified url patterns. We fixed it by adding the patterns on which we needed security features as intercept-urls.

Example: <http pattern="/home" security="none"/>

was moved down to the other intercept-urls and changed to:

<intercept-url pattern="/home" access="permitAll" />
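The behaviour described in the edit follows from what security="none" does: Spring Security registers an empty filter chain for a matching request, so the SecurityContextPersistenceFilter never loads the session's authentication into the SecurityContextHolder, and a <sec:authorize> tag rendered on that page sees an empty context and evaluates to false regardless of who is logged in. The fragment below is an added example, not the poster's file, showing the two settings side by side for the /home pattern and using the poster's URL patterns. Two caveats that the edit does not mention: permitAll and hasRole(...) are expression syntax, so the <http> element needs use-expressions="true", and once expressions are on, the existing access="ROLE_ADMIN" / access="ROLE_USER" attributes must be written as hasRole('ROLE_ADMIN') / hasRole('ROLE_USER'). The access attribute of <sec:authorize> is evaluated through the same web expression handler, which the namespace registers when use-expressions="true" is set.

```xml
<!-- Added example (not the original poster's configuration); assumes Spring Security 3.1
     XML namespace and the same form-login / logout settings as the poster's file. -->

<!-- Before: security="none" removes the entire filter chain for /home. No SecurityContext
     is loaded for the request, so <sec:authorize> on /home always hides its body, and
     every other protection the chain provides is skipped for that URL as well.
     Static assets are the only patterns that should be left like this. -->
<http pattern="/img/**" security="none"/>
<http pattern="/css/**" security="none"/>
<http pattern="/js/**"  security="none"/>

<!-- After: /home stays public, but the filter chain still runs, so an admin who is logged
     in is visible to <sec:authorize access="hasRole('ROLE_ADMIN')"> on that page. -->
<http auto-config="true" use-expressions="true">
    <form-login login-processing-url="/j_spring_security_check"
                login-page="/login"
                authentication-failure-url="/login?login_error=1"/>
    <logout logout-success-url="/home" />

    <!-- Public pages: permitAll is an expression, hence use-expressions="true" above.
         intercept-url entries are matched top to bottom and the first match wins,
         so the public patterns must come before the catch-all /** entry. -->
    <intercept-url pattern="/"            access="permitAll" />
    <intercept-url pattern="/home"        access="permitAll" />
    <intercept-url pattern="/login"       access="permitAll" />
    <intercept-url pattern="/contact"     access="permitAll" />
    <intercept-url pattern="/posts/**"    access="permitAll" />
    <intercept-url pattern="/post/**"     access="permitAll" />
    <intercept-url pattern="/pages/**"    access="permitAll" />
    <intercept-url pattern="/comments/**" access="permitAll" />

    <!-- Admin-only pages: ROLE_ADMIN becomes hasRole('ROLE_ADMIN') in expression mode.
         Plain "ROLE_ADMIN" would be rejected by the expression parser. -->
    <intercept-url pattern="/admin"       access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/addPost"     access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/addPage"     access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/comment/**"  access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/editPost/**" access="hasRole('ROLE_ADMIN')" />

    <!-- Everything else needs a logged-in user with ROLE_USER -->
    <intercept-url pattern="/**"          access="hasRole('ROLE_USER')" />
</http>
```

A quick check after the change: load /home while logged in as an admin and confirm the <sec:authorize access="hasRole('ROLE_ADMIN')"> body renders; then log out and confirm it disappears. If the tag instead throws a message about no visible WebSecurityExpressionHandler, use-expressions="true" has not taken effect on the <http> element that serves that page.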

0 answers:

No answers yet.