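I have searched and searched on Stack Overflow, but without success.
I am trying to set up Spring Security in my web application. I am using embedded Jetty and these Spring versions:
I wrote the following security configuration (very simple):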
    @Configuration
    @EnableWebSecurity
    public class WebSecurityCfg extends WebSecurityConfigurerAdapter
    {
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception
        {
            auth.inMemoryAuthentication().withUser("admin").password("123456").roles("ADMIN");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception
        {
            http
                .authorizeRequests()
                    .antMatchers("/adminWebTheme/**")
                    .permitAll()
                    .antMatchers("/pages/**")
                    .access("hasRole('ADMIN')")
                    .and()
                .formLogin()
                    .loginPage("/pages/loginPage")
                    .permitAll()
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .defaultSuccessUrl("/pages/adminHome")
                    .failureUrl("/pages/loginPage?error=true")
                    .and()
                .logout()
                    .permitAll()
                    .logoutSuccessUrl("/pages/loginPage?logout=true")
                    .and()
                .csrf();
        }
    }
Here is my security initializer:

    public class WebSecurityInitializer extends AbstractSecurityWebApplicationInitializer
    {
    }

Basically, I want to use a custom login form. Here is the body of my login JSP:
    <%@ taglib uri="http://tiles.apache.org/tags-tiles" prefix="tiles"%>
    <%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
    <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt"%>
    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
    <%@ page language="java" contentType="text/html; charset=UTF-8"
        pageEncoding="UTF-8"%>
    <tiles:insertDefinition name="loginPageTemplate">
        <tiles:putAttribute name="head">
            <title><spring:message code="comm.server.login.page.title" /></title>
        </tiles:putAttribute>
        <tiles:putAttribute name="body">
            <div class="container">
                <div class="row">
                    <div class="col-md-4 col-md-offset-4">
                        <div class="login-panel panel panel-default">
                            <div class="panel-heading">
                                <h3 class="panel-title"><spring:message code="comm.server.login.msg" /></h3>
                            </div>
                            <div class="panel-body">
                                <c:if test="${not empty param.error && param.error }">
                                    <div class="alert alert-error">
                                        <spring:message code="comm.server.login.error.msg" />
                                    </div>
                                </c:if>
                                <c:if test="${not empty param.logout && param.logout }">
                                    <div class="alert alert-success">
                                        <spring:message code="comm.server.login.logout.msg" />
                                    </div>
                                </c:if>
                                <form role="form" method="post" action='<spring:url value="/login" />'>
                                    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
                                    <fieldset>
                                        <div class="input-group input-sm">
                                            <label class="input-group-addon" for="username"><i class="fa fa-user"></i></label>
                                            <input class="form-control" placeholder='<spring:message code="comm.server.login.username.placeholder" />' name="username" id="username"
                                                type="text" autofocus>
                                        </div>
                                        <div class="input-group input-sm">
                                            <label class="input-group-addon" for="password"><i class="fa fa-lock"></i></label>
                                            <input class="form-control" placeholder='<spring:message code="comm.server.login.password.placeholder" />'
                                                name="password" id="password" type="password" value="">
                                        </div>
                                        <div class="checkbox">
                                            <label> <input name="remember" id="remember" type="checkbox"
                                                value='<spring:message code="comm.server.login.rememberme" />'><spring:message code="comm.server.login.rememberme" />
                                            </label>
                                        </div>
                                        <!-- Change this to a button or input when using this as a form -->
                                        <!-- <a href="index.html" class="btn btn-lg btn-success btn-block">Login</a> -->
                                        <button id="accedi" name="accedi" class="btn btn-lg btn-success btn-block"><spring:message code="comm.server.login.button" /></button>
                                    </fieldset>
                                </form>
                            </div>
                        </div>
                    </div>
                </div>
            </div>
        </tiles:putAttribute>
    </tiles:insertDefinition>
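From the code above, I think everything is correct. I tried to access the login page and I can reach it successfully. Now I have two kinds of problems:
Given the previous behaviour, it is as if Spring Security were not being invoked at all, and I can't figure out why. When I start my application, I see the following log: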
2017-01-01 12:11:47,470 5469 [main] INFO org.apache.tiles.access.TilesAccess - Publishing TilesContext for context: org.springframework.web.servlet.view.tiles3.SpringWildcardServletTilesApplicationContext
2017-01-01 12:11:47,522 5521 [main] DEBUG o.s.s.c.a.a.c.AuthenticationConfiguration$EnableGlobalAuthenticationAutowiredConfigurer - Eagerly initializing {webSecurityCfg=it.eng.tz.comm.svr.web.config.WebSecurityCfg$$EnhancerBySpringCGLIB$$26b9578a@16a49a5d}
2017-01-01 12:11:47,679 5678 [main] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'permitAll', for ExactUrl [processUrl='/pages/loginPage?error=true']
2017-01-01 12:11:47,680 5679 [main] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'permitAll', for ExactUrl [processUrl='/pages/loginPage']
2017-01-01 12:11:47,681 5680 [main] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'permitAll', for ExactUrl [processUrl='/pages/loginPage']
2017-01-01 12:11:47,682 5681 [main] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'permitAll', for Ant [pattern='/logout', POST]
2017-01-01 12:11:47,682 5681 [main] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'permitAll', for ExactUrl [processUrl='/pages/loginPage?logout=true']
2017-01-01 12:11:47,682 5681 [main] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'permitAll', for Ant [pattern='/adminWebTheme/**']
2017-01-01 12:11:47,683 5682 [main] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'hasRole('ADMIN')', for Ant [pattern='/pages/**']
2017-01-01 12:11:47,693 5692 [main] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Validated configuration attributes
2017-01-01 12:11:47,695 5694 [main] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Validated configuration attributes
2017-01-01 12:11:47,713 5712 [main] INFO o.s.s.w.DefaultSecurityFilterChain - Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@3a175162, org.springframework.security.web.context.SecurityContextPersistenceFilter@18acfe88, org.springframework.security.web.header.HeaderWriterFilter@7fd8c559, org.springframework.security.web.csrf.CsrfFilter@5c534b5b, org.springframework.security.web.authentication.logout.LogoutFilter@3a543f31, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@7569ea63, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@772861aa, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@7c1e32c9, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1640190a, org.springframework.security.web.session.SessionManagementFilter@8f2098e, org.springframework.security.web.access.ExceptionTranslationFilter@53ed09e8, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@4743a322]
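Now, I think all the configuration is correct... but I can't secure my web application. Can anybody help me?
Thanks, Angelo
Update after suggestions
As suggested, I modified my Spring Security configuration as follows: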
    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
            .authorizeRequests()
                .antMatchers("/adminWebTheme/**")
                .permitAll()
                .antMatchers("/pages/**")
                .authenticated()
                .antMatchers("/pages/**")
                .access("hasRole('ADMIN')")
                .and()
            .formLogin()
                .loginPage("/pages/loginPage")
                .permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/pages/adminHome")
                .failureUrl("/pages/loginPage?error")
                .and()
            .logout()
                .permitAll()
                .logoutSuccessUrl("/pages/loginPage?logout")
                .and()
            .csrf()
                .and()
            .exceptionHandling()
                .accessDeniedPage("/pages/accessDenied");
    }
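Nothing changed. It seems to me as if the Spring Security filter is not intercepting the URLs... and I don't know why. I'm sure it is a configuration problem, but I can't figure out where I'm going wrong...
Angelo
Answer 0 (score: 0)
I figured out what I was missing.
I am using embedded Jetty and I added the Spring dispatcher servlet manually, so I had to add the Spring Security filter as well... In my Jetty setup I added the following (the most important part is the secFilter part):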
    DispatcherServlet springSvlt = new DispatcherServlet(context);
    contextHandler.addServlet(new ServletHolder(springSvlt), MAPPING_URL);
    contextHandler.addEventListener(new ContextLoaderListener(context));
    contextHandler.setResourceBase(new ClassPathResource("webapp").getURI().toString());
    // ETag filter
    ServletHandler sh = new ServletHandler();
    FilterHolder eTagFilter = sh.addFilterWithMapping(ShallowEtagHeaderFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));
    contextHandler.addFilter(eTagFilter, "/*", EnumSet.of(DispatcherType.REQUEST));
    // Gzip filter (note: the class registered here is ShallowEtagHeaderFilter, the same as above)
    FilterHolder gZipFilter = sh.addFilterWithMapping(ShallowEtagHeaderFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));
    gZipFilter.setInitParameter("varyHeader", "true");
    contextHandler.addFilter(gZipFilter, "/*", EnumSet.of(DispatcherType.REQUEST));
    // Security filter: delegates every dispatch type to the springSecurityFilterChain bean
    FilterHolder secFilter = new FilterHolder( new DelegatingFilterProxy("springSecurityFilterChain") );
    contextHandler.addFilter(secFilter, "/*", EnumSet.allOf(DispatcherType.class));
Now it works correctly.
Thanks everyone, I hope this is useful.
Angelo
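A check for the failure described in this thread, as an added example that is not part of the original posts: an unauthenticated request to a protected path should come back as a redirect to the login page, and a plain 200 means springSecurityFilterChain is not registered with the container even though the startup log shows the chain being built. The stub server is a constructed stand-in for the application; only the paths /pages/adminHome and /pages/loginPage come from the posts, and the class and method names are hypothetical.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

public class SecurityFilterProbe {

    // True only if an unauthenticated GET is answered with a redirect to the
    // login page, i.e. the security filter chain really sits in the request path.
    static boolean isIntercepted(String baseUrl, String protectedPath, String loginPath) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(baseUrl + protectedPath).openConnection();
        c.setInstanceFollowRedirects(false); // inspect the raw redirect, not the login page HTML
        c.setRequestMethod("GET");
        int status = c.getResponseCode();
        String location = c.getHeaderField("Location");
        c.disconnect();
        return status == 302 && location != null && location.contains(loginPath);
    }

    // Constructed stand-in for the application (assumption, not the asker's server):
    // serves the admin page to anyone when the filter is missing,
    // redirects to the login page when it is registered.
    static HttpServer stub(boolean filterRegistered) throws Exception {
        HttpServer s = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        s.createContext("/pages/adminHome", ex -> {
            if (filterRegistered) {
                ex.getResponseHeaders().add("Location", "/pages/loginPage");
                ex.sendResponseHeaders(302, -1);
            } else {
                ex.sendResponseHeaders(200, -1);
            }
            ex.close();
        });
        s.start();
        return s;
    }

    public static void main(String[] args) throws Exception {
        for (boolean registered : new boolean[] {false, true}) {
            HttpServer s = stub(registered);
            String base = "http://127.0.0.1:" + s.getAddress().getPort();
            System.out.println("filter registered=" + registered + " -> intercepted="
                    + isIntercepted(base, "/pages/adminHome", "/pages/loginPage"));
            s.stop(0);
        }
    }
}
```

Pointing `isIntercepted` at the real embedded Jetty instance after startup turns the symptom from the question into a failing check instead of a silent exposure.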