为什么配置的servlet路径被REST控制器正确使用,但在Spring Security功能中被忽略了?

时间:2015-10-02 08:10:42

标签: spring-security spring-boot spring-web

我是Spring的新手,我尝试使用Spring Boot和Spring Security创建一个安全的休息应用程序。我现在正在寻找解决方案......

我在我的pom中使用Spring Boots嵌入式Web容器(Tomcat)和spring-boot-starter-parent 1.2.6.RELEASE。

我的终点:

  • /login(进行身份验证)
  • /application/{id}(我想要保护的某些服务)

我在我的application.properties中配置了我的servlet路径,如下所示:

server.servletPath: /embedded

所以我希望我的服务,例如在//localhost/embedded/login

好吧现在问题是:如果我在没有安全性的情况下运行应用程序一切都很好,我可以调用http // localhost / embedded / application并得到答案。 如果我现在添加我的安全配置:

import javax.servlet.ServletContext;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebMvcSecurity
@EnableScheduling
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private TokenAuthenticationService tokenAuthenticationService;

    @Value("${server.servletPath}")
    private String servletPath;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
         http.authorizeRequests().antMatchers("/hello/**", "/login").permitAll()
            .antMatchers("/application/**").authenticated().and()
            .addFilterBefore(new TokenAuthenticationFilter(tokenAuthenticationService), UsernamePasswordAuthenticationFilter.class);  
            http.csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .httpBasic().disable();
    }

}

运行应用程序时// localhost / application / {id}是安全的,而不是 // localhost / embedded / application / {id}正如我所料。 由于某种原因,servlet路径在那里被忽略。我试着好了,所以我只是手动添加servlet路径"并使它看起来像这样:

...antMatchers(servletPath+"/application/**").authenticated()...

这适用于我的应用程序。但是我也使用MockMvc来测试我的服务,并且出于某种原因将servlet路径正确地添加到匹配器。因此,如果我开始测试,安全过滤器将映射到//localhost/embedded/embedded/application/{id},而控制器本身仍然映射到//localhost/embedded/application/{id},这非常烦人...... 我在这里看了http://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security/并认为我可以使用AbstractSecurityWebApplicationInitializer代替SpringBootServletInitializer来解决问题,但它没有改变任何内容。 顺便说一句,这是我的应用程序类:

com.sebn.gsd.springservertemplate.service.security.WebSecurityConfig;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.context.web.SpringBootServletInitializer;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application extends SpringBootServletInitializer {

    public static void main(String[] args) {
        System.out.println("Run from main");
        SpringApplication.run(applicationClass, args);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(applicationClass, WebSecurityConfig.class);
    }

    private static Class<Application> applicationClass = Application.class;

}

我认为application.properties不包含任何更有趣的信息。要完成这是我的MockMvc测试类:

import com.fasterxml.jackson.databind.ObjectMapper;
import com.sebn.gsd.springservertemplate.service.api.LoginData;
import com.sebn.gsd.springservertemplate.service.security.Session_model;
import com.sebn.gsd.springservertemplate.service.security.WebSecurityConfig;
import java.util.Arrays;
import org.hamcrest.Matchers;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.boot.test.SpringApplicationConfiguration;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.MockMvc;
import static org.hamcrest.Matchers.notNullValue;
import org.junit.Assert;
import org.junit.Before;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.test.web.servlet.ResultActions;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.webAppContextSetup;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringJUnit4ClassRunner.class)
@SpringApplicationConfiguration(classes = {Application.class, WebSecurityConfig.class })
@WebAppConfiguration
@ActiveProfiles(profiles = "development")
public class SecurityTests {

    private MockMvc mockMvc;

    @Autowired
    private WebApplicationContext webApplicationContext;

    private HttpMessageConverter mappingJackson2HttpMessageConverter;
    private ObjectMapper o = new ObjectMapper();

    @Autowired
    private FilterChainProxy filterChainProxy;

    @Value("${server.servletPath}")
    private String servletPath;

    @Before
    public void setup() throws Exception {
        this.mockMvc = webAppContextSetup(webApplicationContext).addFilter(filterChainProxy).build();
    }

    @Test
    public void testLoginSecurity() throws Exception {
        int applicationId = 1;
        // Try to access secured api
        ResultActions actions = mockMvc.perform(get("/application/" + applicationId))
                .andDo(MockMvcResultHandlers.print())
                .andExpect(status().isForbidden());
        //login
        String username = "user";
        LoginData loginData = new LoginData();
        loginData.setPasswordBase64("23j4235jk26=");
        loginData.setUsername(username);
        actions = mockMvc.perform(post("/login").content(o.writeValueAsString(loginData)).contentType(MediaType.APPLICATION_JSON_VALUE))
                .andDo(MockMvcResultHandlers.print())
                .andExpect(status().isOk())
                .andExpect(content().contentType(MediaType.APPLICATION_JSON))
                .andExpect(jsonPath("$.login", Matchers.equalTo(username)))
                .andExpect(jsonPath("$.token", notNullValue()))
                .andExpect(jsonPath("$.expirationDate", notNullValue()));
         Session_model session = getResponseContentAsJavaObject(actions.andReturn().getResponse(), Session_model.class);
         Assert.assertNotNull(session);
        // Try to access secured api again 
        actions = mockMvc.perform(get("/application/" + applicationId).header("X-AUTH-TOKEN", session.getToken()))
                .andDo(MockMvcResultHandlers.print())
                .andExpect(status().isOk());
    }

    private <T> T getResponseContentAsJavaObject(MockHttpServletResponse response, Class<T> returnType) throws Exception{
        return o.readValue(response.getContentAsString(), returnType);
    }

    @Autowired
    void setConverters(HttpMessageConverter<?>[] converters) {

        this.mappingJackson2HttpMessageConverter = Arrays.asList(converters).stream().filter(
                hmc -> hmc instanceof MappingJackson2HttpMessageConverter).findAny().get();

        Assert.assertNotNull("the JSON message converter must not be null",
                this.mappingJackson2HttpMessageConverter);
    }
}

也许我误会了什么。我希望你能告诉我。

1 个答案:

答案 0 :(得分:2)

摘要

简而言之,您需要映射Spring Security以使用包含servlet路径。此外,您需要在MockMvc请求中包含servlet路径。为此,您可以执行以下操作:

@Before
public void setup() throws Exception {
    this.mockMvc = webAppContextSetup(webApplicationContext)
           // ADD LINE BELOW!!!
           .defaultRequest(get("/").servletPath(servletPath))
           .addFilter(filterChainProxy)
           .build();
}

详细回复

基于Context Root的Spring Security Matches

Spring Security的匹配器与应用程序的上下文根相关。它与servlet路径无关。这是故意的,因为它应该保护所有servlet(不仅仅是Spring MVC)。如果它与servlet相关,请考虑以下内容:

servlet1-path/abc -> Only users with role ROLE_ADMIN can access

servlet2-path/abc -> Only users with role ROLE_USER can access

如果Spring Security与servlet路径相关,您如何区分这两个映射?

在模拟MVC中工作

Spring Security在MockMvc中运行的原因是因为当您使用MockMvc时,不再考虑servlet路径。您的请求将被发送到Spring Security和Spring MVC,就像servlet路径是“”一样。要解决此问题,您需要在请求中包含servlet路径。

@Before
public void setup() throws Exception {
    this.mockMvc = webAppContextSetup(webApplicationContext)
           // ADD LINE BELOW!!!
           .defaultRequest(get("/").servletPath(servletPath))
           .addFilter(filterChainProxy)
           .build();
}
相关问题
最新问题