我的应用程序是嵌入式jetty与spring security集成,用于身份验证和授权。身份验证和授权适用于对应用程序的REST api调用,但使用@PreAuthorize的方法授权不起作用。
我的spring-security.xml文件有<global-method-security pre-post-annotations="enabled" />
经过一些搜索后,我发现建议在应用程序上下文中将global-method-security移动到servlet-context.xml,但我不能这样做,因为我们没有使用“org.springframework.web.servlet.DispatcherServlet”。我们已经使用“org.glassfish.jersey.servlet.ServletContainer”作为调度员。
弹簧security.xml文件
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:c="http://www.springframework.org/schema/c"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<global-method-security pre-post-annotations="enabled" />
<http realm="Protected API" use-expressions="true"
create-session="stateless"
entry-point-ref="unauthorizedEntryPoint"
authentication-manager-ref="edbAuthenticationManager">
<custom-filter ref="edbAuthenticationFilter" position="FORM_LOGIN_FILTER"/>
<intercept-url pattern="/api/*/login" access="authenticated"/>
<intercept-url pattern="/api/*/clusters/*/datasupport/**" access="hasRole('data-scientist')"/>
<intercept-url pattern="/api/*/clusters/*/job/**" access="hasRole('data-scientist')"/>
<intercept-url pattern="/api/*/clusters/*/task/**" access="hasRole('data-scientist')"/>
<intercept-url pattern="/api/*/clusters/**" access="hasRole('cluster-admin')"/>
<http-basic />
</http>
<beans:bean id="unauthorizedEntryPoint" class="edbServer.server.security.EntryPoint"/>
<beans:bean id="userDetailService" class="edbServer.server.security.UserDetailsServiceImp"/>
<beans:bean name="bcryptEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<authentication-manager id="edbAuthenticationManager">
<authentication-provider user-service-ref="userDetailService">
<password-encoder ref="bcryptEncoder"/>
</authentication-provider>
</authentication-manager>
<beans:bean id="tokenManager" class="edbServer.server.security.TokenManager"/>
<beans:bean id="authenticationService" class="edbServer.server.security.EDBAuthenticationService"
c:authenticationManager-ref="edbAuthenticationManager" c:tokenManager-ref="tokenManager" c:inactivityTimeoutSeconds="1800" />
<beans:bean id="edbAuthenticationFilter" class="edbServer.server.security.EDBTokenAuthenticationFilter"
c:authenticationService-ref="authenticationService" c:loginLink="/api/v1/login" c:logoutLink="/api/v1/logout"/>
</beans:beans>
初始化jetty服务器的相关代码
String SPRING_CONTEXT_LOCATION = "classpath:/webapp/WEB-INF/spring-security.xml";
ClassPathXmlApplicationContext parentSpringAppContext = new ClassPathXmlApplicationContext(contextLocations);
parentSpringAppContext.refresh();
ClassPathXmlApplicationContext springAppContext = new ClassPathXmlApplicationContext(
parentSpringAppContext);
springAppContext.refresh();
ServletContextHandler contextHandler = new ServletContextHandler(ServletContextHandler.SECURITY
| ServletContextHandler.SESSIONS);
contextHandler.setContextPath(CONTEXT_PATH);
GenericWebApplicationContext springWebAppContext = new GenericWebApplicationContext();
springWebAppContext.setServletContext(contextHandler.getServletContext());
springWebAppContext.setParent(springAppContext);
contextHandler.getServletContext().setAttribute(WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE,
springWebAppContext);
DelegatingFilterProxy springSecurityFilter = new DelegatingFilterProxy();
springSecurityFilter.setTargetBeanName("springSecurityFilterChain");
contextHandler.addFilter(new FilterHolder(springSecurityFilter), "/api/*", EnumSet.of(DispatcherType.REQUEST));
ServletHolder sh = new ServletHolder(ServletContainer.class);
sh.setInitParameter("org.glassfish.jersey.server.ResourceConfig", "JacksonFeature.class");
sh.setInitParameter("jersey.config.server.provider.packages", "edbServer.server.api.services;");
sh.setInitParameter("com.sun.jersey.api.json.POJOMappingFeature", "true");
contextHandler.addServlet(sh, "/api/v1/*");
HandlerList handlerList = new HandlerList();
handlerList.addHandler(contextHandler);
server.setHandler(handlerList);
springAppContext.start();
server.start();
如何在app环境中设置global-method-security?
谢谢, SAURABH