我正在尝试将Spring应用程序配置为具有Spring安全性的基本安全系统。 我希望在没有安全过滤器的情况下提供资源,要过滤的标准页面检查用户是否具有“User”角色和/ admin / pages,以检查角色是否为“Admin”。
我拥有的是:
springSecurityFilterChain org.springframework.web.filter.DelegatingFilterProxy
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
在web.xml中,而spring-security.xml是:
<security:http security="none" pattern="/resources/**"/>
<security:http auto-config="true" use-expressions="true" >
<security:intercept-url pattern="/admin/**" access="hasRole('Admin')" />
<security:logout logout-success-url="/welcome" logout-url="/logout" />
<security:form-login login-page="/FormLogin"
default-target-url="/welcome"
username-parameter="username"
password-parameter="hashPwd"
authentication-failure-url="/login?error"
/>
</security:http>
<security:authentication-manager>
<security:authentication-provider user-service-ref="controlloUtente">
<security:password-encoder hash="bcrypt" />
</security:authentication-provider>
</security:authentication-manager>
<beans:bean id="controlloUtente"
class="org.fabrizio.fantacalcio.utility.SpringSecurityServiceImpl">
</beans:bean>
然后我配置了这个类:
package org.fabrizio.fantacalcio.utility;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.fabrizio.fantacalcio.model.beans.Utente;
import org.fabrizio.fantacalcio.model.dao.UtenteDaoImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
@Service
@Transactional
public class SpringSecurityServiceImpl implements UserDetailsService{
@Autowired
private UtenteDaoImpl utenteDao;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
Utente utente = utenteDao.getUtenteByUsername(username);
if(utente == null){
throw new UsernameNotFoundException("L'utente inserito non è stato trovato");
}
return convertUtente(utente);
}
private UserDetails convertUtente(Utente utente) {
UserDetails ud = new User(utente.getUsername(), utente.getHashPwd(), true, true, true, true, getRoles(utente));
return ud;
}
private Collection<? extends GrantedAuthority> getRoles(Utente utente) {
GrantedAuthority auth = new SimpleGrantedAuthority(utente.getRuolo().getNome());
List<GrantedAuthority> listaAuth = new ArrayList<GrantedAuthority>();
listaAuth.add(auth);
return listaAuth;
}
}
和以下一个:
package org.fabrizio.fantacalcio.utility;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.core.PriorityOrdered;
import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.stereotype.Component;
@Component
public class DefaultRolesPrefixPostProcessor implements BeanPostProcessor, PriorityOrdered {
@Override
public Object postProcessAfterInitialization(Object bean, String beanName)
throws BeansException {
if(bean instanceof Jsr250MethodSecurityMetadataSource) {
((Jsr250MethodSecurityMetadataSource) bean).setDefaultRolePrefix("");
}
if(bean instanceof DefaultMethodSecurityExpressionHandler) {
((DefaultMethodSecurityExpressionHandler) bean).setDefaultRolePrefix("");
}
// if(bean instanceof DefaultWebSecurityExpressionHandler) {
// ((DefaultWebSecurityExpressionHandler) bean).setDefaultRolePrefix("");
// }
return bean;
}
@Override
public Object postProcessBeforeInitialization(Object bean, String beanName)
throws BeansException {
return bean;
}
@Override
public int getOrder() {
return PriorityOrdered.HIGHEST_PRECEDENCE;
}
}
但没有任何作用。 我的formLogin不使用弹簧形式,而是使用经典形式。
当我登录并尝试获得像/admin/testpage这样的pge时,即使我有管理员角色,我也会被重定向到FormLogin页面,这是调试输出:
22/06/2015 10:03:04 - DEBUG - (AntPathRequestMatcher.java:141) - Request '/admin/formregistrazione' matched by universal pattern '/**'
22/06/2015 10:03:04 - DEBUG - (HttpSessionRequestCache.java:43) - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/Fantacalcio/admin/FormRegistrazione]
22/06/2015 10:03:04 - DEBUG - (ExceptionTranslationFilter.java:202) - Calling Authentication entry point.
22/06/2015 10:03:04 - DEBUG - (DefaultRedirectStrategy.java:39) - Redirecting to 'http://localhost:8080/Fantacalcio/FormLogin'
22/06/2015 10:03:04 - DEBUG - (HttpSessionSecurityContextRepository.java:337) - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
有时,登录后,我收到此消息:
HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
我做错了什么?我总是必须使用令牌?为什么流程永远不会进入SpringSecurityServiceImpl类?
由于
编辑:我已停用csrf,现在已经很清楚了。问题出在我的SpringSecurityServiceImpl Autowired utenteDao实例为空。我像这样编辑了spring-security.xml文件,希望Spring理解@Service带注释的类,但是它不起作用:
<security:authentication-manager>
<security:authentication-provider user-service-ref="SpringSecurityServiceImpl">
<security:password-encoder hash="bcrypt" />
</security:authentication-provider>
</security:authentication-manager>
我的UtenteDao班
package org.fabrizio.fantacalcio.model.dao;
import java.util.List;
import org.fabrizio.fantacalcio.model.beans.Utente;
import org.hibernate.criterion.Restrictions;
import org.springframework.stereotype.Repository;
@Repository
public class UtenteDaoImpl extends BaseDaoImpl<Utente> implements UtenteDao{
public UtenteDaoImpl() {
System.out.println("test");
}
@SuppressWarnings("unchecked")
public List<Utente> trovaUtentiAttivi(){
return getSession().createCriteria(Utente.class).add(Restrictions.eq("attivo", true)).list();
}
@SuppressWarnings("unchecked")
public Utente getUtenteFromCredenziali(Utente utente){
List<Utente> utenteTrovato = getSession().createCriteria(Utente.class)
.add(Restrictions.eq("username", utente.getUsername()))
.add(Restrictions.eq("hashPwd", utente.getHashPwd()))
.list();
Utente utenteLoggato = utenteTrovato.size() == 0 ? null : utenteTrovato.get(0);
return utenteLoggato;
}
public Boolean usernameExists(String username){
return getSession().createCriteria(Utente.class)
.add(Restrictions.eq("username", username))
.list().size() > 0;
}
@SuppressWarnings("unchecked")
public Utente getUtenteByUsername(String username){
List<Utente> utenteTrovato = getSession().createCriteria(Utente.class)
.add(Restrictions.eq("username", username))
.list();
Utente utenteLoggato = utenteTrovato.size() == 0 ? null : utenteTrovato.get(0);
return utenteLoggato;
}
}
答案 0 :(得分:0)
Spring安全登录和注销表单期望在post请求中发送CSRF令牌。您可以使用隐藏变量添加令牌:
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
在spring security登录表单中添加以上行。注销也需要是post请求方法。每个发送到服务器的请求都将检查这些令牌,您可以将其设置为请求标头。如果您不想这样做并禁用csrf令牌安全性。
您可以使用安全配置的http部分中的csrf标记禁用它。 csrf具有禁用它的属性。
<http>
<csrf />
</http>
阅读this article了解详情。
编辑:
您在安全认证标记中提到了user-service-ref="SpringSecurityServiceImpl",但Service类没有标识符。为您的服务类提供一个标识符,更喜欢驼峰字符。
@Service("springSecurityServiceImpl") // talking about this identifier
@Transactional
public class SpringSecurityServiceImpl implements UserDetailsService {}
身份验证提供程序bean应该是:
<security:authentication-manager>
<security:authentication-provider user-service-ref="springSecurityServiceImpl">
<security:password-encoder hash="bcrypt" />
</security:authentication-provider>
</security:authentication-manager>
并检查您的DAO类是否标记为@Repository组件,以便autowire完美运行。
答案 1 :(得分:0)
我解决了这个问题。
搜索我发现安全性和servlet有不同的上下文,所以基本上我不得不在<context:component-scan base-package="org.fabrizio.fantacalcio.utility, org.fabrizio.fantacalcio.model.dao" />
文件上添加security-config.xml,声明只扫描包以使安全性工作,因为它没有& #39; t共享调度程序配置文件中声明的bean。