使用Spring Security XML配置的HTTP Basic不使用HttpBasicConfigurer

时间:2015-05-18 13:36:11

标签: java spring-security

对于HTTP Basic配置,似乎XML配置和Java在Spring Security中没有执行相同的任务。

使用以下Java配置时:

protected void configure(HttpSecurity http) throws Exception {
  http
    .httpBasic()
  .and()
    .authorizeRequests()
      .anyRequest().authenticated();
}

当请求HTTP标头HttpBasicConfigurerX-Requested-With时,使用XMLHttpRequest来使用不同的EntryPoint。

使用配置时

<s:http use-expressions="true" create-session="ifRequired">
     <s:intercept-url pattern='/**' access='isAuthenticated()' />
     <s:http-basic />
<s:http />

未使用HTTPBassicConfigurer

有人知道如何使用XML配置添加它吗?

3 个答案:

答案 0 :(得分:3)

基于本文中人们提供的评论的最终解决方案是,不能将HTTPBasicConfigurer与XML配置一起使用。但是还有其他方法可以执行HTTPBasicConfigurer中现在实现的几乎相同的操作。我使用的最终解决方案主要基于Lea提供的评论:

<s:http use-expressions="true" create-session="ifRequired" >
    <s:intercept-url pattern='/**' access='isAuthenticated()' />
    <s:http-basic entry-point-ref="entryPoint" /> 
</s:http>

<bean id="entryPoint"
      class="org.springframework.security.web.authentication
                                .DelegatingAuthenticationEntryPoint">
    <constructor-arg>
        <map>
            <entry key="hasHeader('X-Requested-With','XMLHttpRequest')" 
                   value-ref="ajaxEntyPoint" />
        </map>
    </constructor-arg>
    <property name="defaultEntryPoint" ref="defaultEntryPoint"/>        
</bean>

<bean id="ajaxEntyPoint" 
      class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
    <constructor-arg name="httpStatus" 
                     value="#{T(org.springframework.http.HttpStatus).UNAUTHORIZED}"/>
</bean>

<bean id="defaultEntryPoint"
      class="org.springframework.security.web.authentication.www
                                             .BasicAuthenticationEntryPoint">
    <property name="realmName" value="My webservices"/>
</bean>

答案 1 :(得分:1)

可以使用基本身份验证过滤器显式声明基本身份验证参数:

<security:http use-expressions="true" entry-point-ref="entryPoint" authentication-manager-ref="authManager">
        <security:custom-filter ref="advancedBasicFilter" position="BASIC_AUTH_FILTER"/>
        <security:intercept-url pattern="/info/**" access="permitAll" />
        <security:intercept-url pattern="/**" access="isAuthenticated()"/>
</security:http>

<bean id="advancedBasicFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <constructor-arg name="authenticationEntryPoint" ref="entryPoint"/>
    <constructor-arg name="authenticationManager" ref="authManager"/>
</bean>

<bean id="entryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <property name="realmName" value="My Realm"/>
</bean>

<security:authentication-manager id="authManager">
    <security:authentication-provider user-service-ref="myOwnUserService" />
</security:authentication-manager>

答案 2 :(得分:1)

如果您使用带命名空间的xml配置,则不要使用HTTPBasicConfigurer,而应使用<http-basic>标记的属性。

Spring Security参考手册中的摘录附录关于<http-basic>标记的安全命名空间:

属性

  • authentication-details-source-ref:对身份验证过滤器将使用的AuthenticationDetailsSource的引用

  • entry-point-ref设置BasicAuthenticationFilter使用的AuthenticationEntryPoint