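I came across many questions similar to this one, but could not find any solution.
I am using Spring-3.0.5RELEASE and Spring-security-3.1.2RELEASE. Actually, I am adding Spring Security to an already existing application. There are no errors creating the beans or filters, but the URLs are not protected.
spring-security.xml looks like this: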
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <security:http auto-config="true" use-expressions="true">
        <!-- <intercept-url pattern="/" access="permitAll" /> -->
        <security:intercept-url pattern="/index" access="permitAll" />
        <security:intercept-url pattern="/admin" access="hasRole('Admin')" />
        <security:intercept-url pattern="/dashboard" access="hasRole('Admin') or hasRole('User')" />
        <security:intercept-url pattern="/setup" access="hasRole('User')" />
        <!-- access denied page -->
        <security:access-denied-handler error-page="/logout" />
        <security:form-login
            login-processing-url="/loginAuth"
            login-page="/index"
            default-target-url="/dashboard"
            username-parameter="username"
            password-parameter="password"
            authentication-failure-url="/index"/>
        <!-- enable csrf protection -->
        <!-- <csrf/> -->
        <http-basic />
    </security:http>
    <!-- Select users and user_roles from database -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource"
                users-by-username-query=
                    "select customerId, passcode from Users where customerId=?"
                authorities-by-username-query=
                    "select customerId, roleName from Role where customerId=?" />
        </security:authentication-provider>
    </security:authentication-manager>
</beans:beans>
There is a warning here saying: Referenced bean 'dataSource' not found. I am not sure whether this is causing the problem.
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>sample</servlet-name>
        <servlet-class>
            org.springframework.web.servlet.DispatcherServlet
        </servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/config/sample-servlet.xml
            </param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>sample</servlet-name>
        <url-pattern>*.html</url-pattern>
    </servlet-mapping>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/config/spring-security.xml
        </param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
</web-app>
sample-servlet.xml
    <context:property-placeholder location="classpath:resources/database.properties" />
    <context:component-scan base-package="com.as.spark" />
    <tx:annotation-driven transaction-manager="hibernateTransactionManager"/>
    <bean id="jspViewResolver"
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="viewClass"
            value="org.springframework.web.servlet.view.JstlView" />
        <property name="prefix" value="/WEB-INF/views/" />
        <property name="suffix" value=".jsp" />
    </bean>
    <bean id="dataSource"
        class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="${database.driver}" />
        <property name="url" value="${database.url}" />
        <property name="username" value="${database.user}" />
        <property name="password" value="${database.password}" />
    </bean>
    <bean id="sessionFactory"
        class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
        <property name="dataSource" ref="dataSource" />
        <property name="annotatedClasses">
            <list>
                <value>com.as.spark.model.Users</value>
                <value>com.as.spark.model.Role</value>
            </list>
        </property>
        <property name="hibernateProperties">
            <!-- properties -->
        </property>
    </bean>
    <bean id="hibernateTransactionManager"
        class="org.springframework.orm.hibernate3.HibernateTransactionManager">
        <property name="sessionFactory" ref="sessionFactory" />
    </bean>
</beans>
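I don't want to move to Java configuration, because that requires a later version of Spring.
All pages, /home, /dashboard and /admin, are open to all users. How can I check whether the filter is applied? How do I protect the URLs?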