Spring Security seems to be encrypting my downloaded files

Time: 2018-10-21 22:39:13

Tags: spring spring-security

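I am developing an MVC website where you can download content, and until today everything worked as expected. I decided to incorporate Spring Security to protect my URLs from unauthorized access and similar attacks.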

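I have implemented it successfully without running into major problems, but I did find something strange. Before implementing Spring Security I could download PDF files from the website, but after it all I can get is a big chunk of data: An example

The code I use to serve the file is as follows: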

public void getPdfBook(String fileName, HttpServletResponse response) {
    ApplicationContext context = new ClassPathXmlApplicationContext("Spring-Module.xml");
    PropertiesDAO properties = (PropertiesDAO) context.getBean("propertiesDAO");
    String path = properties.getDirectory();

    try {
        File file = new File(path + File.separator + fileName);

        if (file.exists()) {
            FileUtils.copyFile(file, response.getOutputStream());

            response.setContentType("application/pdf");
            response.setHeader("Content-disposition", "attachment;filename=" + fileName + ".pdf");
            response.flushBuffer();
        } else {
            System.out.println("File Not Found on: " + path + File.separator + fileName);
        }
    } catch (IOException exception) {
        System.out.println("IOException");
        System.out.println(exception.getMessage());
    }
}

Next is my Spring Security URL configuration (among other things):

<security:http pattern="/registerUser" security="none" />
<security:http auto-config="true" use-expressions="true">
    <security:form-login login-page="/login"
    login-processing-url="/authenticateUser"
    default-target-url="/"
    authentication-failure-url="/login"
    username-parameter="username"
    password-parameter="password"/>
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/newBook" access="hasAuthority('AUTH_ADMIN')" />
    <security:intercept-url pattern="/**" access="hasAnyAuthority('AUTH_USER', 'AUTH_ADMIN')" />
    <security:logout delete-cookies="JSESSIONID" logout-url="/logout" />
</security:http>

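The URL used to download the PDF is "/getPdfBook", which falls under the pattern "/**". I can perform the request, but the result is incorrect (the picture I posted).

Can anyone help? Thanks!!

PS: If I disable Spring Security for that URL, it works fine.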

1 answer:

Answer 0 (score: 0)

I solved it! I changed this code:

response.setHeader("Content-disposition", "attachment;filename=" + fileName + ".pdf");

to this:

response.setHeader("Content-disposition", "inline;filename=" + fileName + ".pdf");
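
A hardened variant of the download handler from the question, as an added example that is not part of the original question or answer: it sets the response headers before any body bytes are written (the servlet container ignores headers set after the response is committed) and validates fileName so that it cannot leave the book directory or break the Content-Disposition header. The class name PdfDownload, the baseDir parameter and the SAFE_NAME allow-list are assumptions made for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletResponse;

public class PdfDownload {

    // Assumed allow-list for book names: letters, digits, '_' and '-' only, so the
    // name cannot contain path separators, "..", quotes or CR/LF characters.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,100}");

    /** Returns the file for fileName inside baseDir, or null if unsafe or missing. */
    static Path resolveBook(Path baseDir, String fileName) throws IOException {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            return null;
        }
        Path base = baseDir.toRealPath();
        Path candidate = base.resolve(fileName).normalize();
        if (!candidate.startsWith(base) || !Files.isRegularFile(candidate)) {
            return null;
        }
        // Resolve symbolic links and check containment again on the real path.
        Path real = candidate.toRealPath();
        return real.startsWith(base) ? real : null;
    }

    public static void sendPdf(Path baseDir, String fileName, HttpServletResponse response)
            throws IOException {
        Path book = resolveBook(baseDir, fileName);
        if (book == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Headers first: once the body has filled the buffer the response is
        // committed and later setContentType/setHeader calls have no effect.
        response.setContentType("application/pdf");
        response.setContentLengthLong(Files.size(book));
        // "attachment" forces a download; "inline" (as in the answer) displays it.
        response.setHeader("Content-Disposition",
                "attachment; filename=\"" + fileName + ".pdf\"");
        Files.copy(book, response.getOutputStream());
        response.flushBuffer();
    }
}
```

setContentLengthLong requires Servlet 3.1 or later; on older containers use setContentLength with an int.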