这是我正在研究的练习项目,学习Spring Security和OAuth2。
链接到项目的zip - https://drive.google.com/open?id=0BxsYBg5XwboXdkpUdkhXWUd1Vmc
只要我添加以下课程,我的自动服务就会失败:( 它给出了NullPointerException。
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
return new OAuth2MethodSecurityExpressionHandler();
}
}
我在下面的休息控制器中得到NullPointerException userService。
@RestController
@RequestMapping("/api/user")
public class UserCtrl {
@Autowired
@Qualifier("userService")
UserService userService;
@PreAuthorize("#oauth2.hasScope('write')")
@RequestMapping(method=RequestMethod.POST,consumes="application/json")
private @ResponseBody ResponseMessage registerUser(@RequestBody User user){
user.setUser_id(-1);
return userService.createUser(user);
}
@PreAuthorize("#oauth2.hasScope('none')")
@RequestMapping(method=RequestMethod.GET)
private @ResponseBody ResponseMessage loginUser(){
CustomUserDetails temp = (CustomUserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
System.out.println(temp.getUsername() + " logged in");
ResponseMessage message = userService.getUserByUsername(temp.getUsername());
if(message.getCode() == ResponseMessage.CODE_NOT_FOUND){
return message;
}else{
temp.setUser((User)message.getData());
}
return userService.loginUser(temp.getUser().getUsername(),temp.getUser().getPassword());
}
@PreAuthorize("hasRole('ROLE_USER')")
@RequestMapping(method=RequestMethod.PUT,consumes="application/json")
private @ResponseBody ResponseMessage updateUser(@RequestBody User user){
return userService.updateUser(user);
}
@PreAuthorize("hasRole('ROLE_USER')")
@RequestMapping(method=RequestMethod.DELETE,consumes="application/json")
private @ResponseBody ResponseMessage deleteUser(@RequestBody User user){
return userService.deleteUser(user.getUser_id());
}
}
以下是我定义服务的方式:
@Service("userService")
public class UserServiceImpl implements UserService {
@Autowired
private UserDAO userDAO;
@Autowired
private RoleService roleService;
public UserServiceImpl() {
System.out.println("service");
}
@Override
@Transactional
public ResponseMessage createUser(User user) {
if (null == userDAO.getUserByUsername(user.getUsername())) {
int id = userDAO.createUser(user);
user.setUser_id(id);
roleService.createRole(new Role(RoleType.ROLE_USER, user));
return new ResponseMessage(ResponseMessage.CODE_CREATED, ResponseMessage.DESC_CREATED, user);
} else {
return new ResponseMessage(ResponseMessage.CODE_EXISTS, ResponseMessage.DESC_EXISTS, user);
}
}
Mvc配置:
@EnableWebMvc
@Configuration
@ComponentScan({"com.rawal.sweetnote.*"})
public class WebMvcConfig extends WebMvcConfigurerAdapter{
@Override
public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
configurer.enable();
}
}
Spring安全配置:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
@Qualifier("userService")
UserService userDetailsService;
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
}
安全初始化程序:
@Order(1)
public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer{
}
DispatcherServletInitializer
public class AppInit extends AbstractAnnotationConfigDispatcherServletInitializer{
@Override
protected Class<?>[] getRootConfigClasses() {
// TODO Auto-generated method stub
return new Class[]{MethodSecurityConfig.class,WebMvcConfig.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
// TODO Auto-generated method stub
return null;
}
@Override
protected String[] getServletMappings() {
// TODO Auto-generated method stub
return new String[]{"/"};
}
}
Hibernate配置:
@Configuration
@EnableTransactionManagement
@PropertySource(value = { "classpath:app.properties" })
public class HibernateConfig {
/**
* This field is automatically injected by the spring framework from app.properties
*/
@Autowired
private Environment environment;
/**
* Creates a session factory
* @return {@link SessionFactory}
*/
@Bean
public LocalSessionFactoryBean sessionFactory() {
LocalSessionFactoryBean sessionFactory = new LocalSessionFactoryBean();
sessionFactory.setDataSource(dataSource());
sessionFactory.setPackagesToScan(new String[] { "com.rawal.sweetnote.entities" });
sessionFactory.setHibernateProperties(hibernateProperties());
return sessionFactory;
}
/**
* Creates a datasource after setting various database properties
* @return {@link DataSource}
*/
@Bean
public DataSource dataSource() {
DriverManagerDataSource dataSource = new DriverManagerDataSource();
dataSource.setDriverClassName(environment.getRequiredProperty("db.drivername"));
dataSource.setUrl(environment.getRequiredProperty("db.url"));
dataSource.setUsername(environment.getRequiredProperty("db.username"));
dataSource.setPassword(environment.getRequiredProperty("db.password"));
return dataSource;
}
/**
* Sets up the hibernate properties and returns an instance of it
* @return {@link Properties}
*/
private Properties hibernateProperties() {
Properties properties = new Properties();
properties.put("hibernate.dialect", environment.getRequiredProperty("hibernate.dialect"));
properties.put("hibernate.show_sql", environment.getRequiredProperty("hibernate.show_sql"));
return properties;
}
/**
* Creates a transaction manager using the sessionfactory injected by spring and returns an instance of it
* @param {@link SessionFactory}
* @return {@link HibernateTransactionManager}
*/
@Bean
@Autowired
public HibernateTransactionManager transactionManager(SessionFactory s) {
HibernateTransactionManager txManager = new HibernateTransactionManager();
txManager.setSessionFactory(s);
return txManager;
}
/**
* Creates a hibernate template instance from the injected session factory.
* We use this to perform various db transactions.
* @param {@link SessionFactory}
* @return
*/
@Bean
@Autowired
public HibernateTemplate hibernateTemplate(SessionFactory sessionFactory) {
HibernateTemplate hibernateTemplate = new HibernateTemplate();
hibernateTemplate.setSessionFactory(sessionFactory);
return hibernateTemplate;
}
}
OAuth2资源配置
@Configuration
@EnableResourceServer
public class OAuthResourceConfig extends ResourceServerConfigurerAdapter{
private static final String RESOURCE_ID = "restservice";
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/api/**").authenticated()
.antMatchers("/register").permitAll()
.and().formLogin().permitAll()
.and().logout().permitAll()
.and().csrf().disable();
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId(RESOURCE_ID).stateless(false);
}
}
OAuth2服务器配置
@Configuration
@EnableAuthorizationServer
@PropertySource("classpath:app.properties")
public class OAuthServerConfig extends AuthorizationServerConfigurerAdapter{
@Autowired
private Environment env;
@Autowired
private UserService userDetailsService;
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore()).tokenEnhancer(tokenEnhancer()).authenticationManager(authenticationManager).userDetailsService(userDetailsService);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.allowFormAuthenticationForClients();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory().withClient("client")
.authorizedGrantTypes("password","refresh_token","implicit")
.scopes("read","write","trust")
.refreshTokenValiditySeconds(Integer.parseInt(env.getProperty("refresh_token_validity")))
.accessTokenValiditySeconds(Integer.parseInt(env.getProperty("access_token_validity")));
}
@Bean
public TokenStore tokenStore() {
InMemoryTokenStore store = new InMemoryTokenStore();
store.setAuthenticationKeyGenerator(new UniqueAuthenticationKeyGenerator());
return store;
}
@Bean
public TokenEnhancer tokenEnhancer() {
return new CustomTokenEnhancer();
}
}
异常的Stacktrace:
java.lang.NullPointerException
com.rawal.sweetnote.controllers.UserCtrl.loginUser(UserCtrl.java:40)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)
org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136)
org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:114)
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)
org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:963)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:897)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:177)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:176)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
更新1
修改了如下的用户控制器(添加了greet1()和greet2())。 现在有趣的是,UserService属性对于这些新方法不是空的。 但是对于其他方法它仍然是空的。
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping("/greet")
public String greet() {
System.out.println(service.sayHello());
return "Hello";
}
@PreAuthorize("hasRole('ROLE_USER')")
@RequestMapping("/greet2")
public String greet2() {
System.out.println(service.sayHello());
return "Hello";
}
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(method=RequestMethod.POST,consumes="application/json")
private @ResponseBody ResponseMessage registerUser(@RequestBody User user){
user.setUser_id(-1);
return service.createUser(user);
}
@PreAuthorize("hasRole('ROLE_USER')")
@RequestMapping(path="/",method=RequestMethod.GET)
private @ResponseBody ResponseMessage loginUser(){
CustomUserDetails temp = (CustomUserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
System.out.println(temp.getUsername() + " logged in");
service.sayHello();
ResponseMessage message = service.getUserByUsername(temp.getUsername());
if(message.getCode() == ResponseMessage.CODE_NOT_FOUND){
return message;
}else{
temp.setUser((User)message.getData());
}
return service.loginUser(temp.getUser().getUsername(),temp.getUser().getPassword());
}
但是,如果我禁用prePostEnabled,一切正常。这感觉真的很蠢!帮助!!!!!
答案 0 :(得分:2)
好的,这真是愚蠢的&#34;我&#34;。 我只是注意到我的控制器中的所有方法都是私有的。 :( 公开解决问题。
无论其!!!!!当@EnableGlobalMethodSecurity(prePostEnabled = true)设置为false时,我仍然感觉很好。
如果你明白了,请评论。
希望这可以帮助像我一样愚蠢的人。 :/
答案 1 :(得分:0)
确保您的控制器为public而不是private
例如
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(method=RequestMethod.POST,consumes="application/json")
public ResponseMessage registerUser(@RequestBody User user){
// your code here
}