Question

我设置了spring security，对数据库进行基本身份验证没有问题，但我想在密码为盐的情况下添加自定义登录/注销和管理页面以及md5加密。

我一直试图让这些功能中的任何一个工作，并且所有在线示例似乎都在使用和声明，而不是像我一样使用bean声明。这使得它更加困难，因为示例中的选项似乎并不直接转换为bean属性。

这是我的web.xml - 我正在使用Spring Security 3.0：

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/applicationContext.xml
        /WEB-INF/builder-servlet.xml
        /WEB-INF/builder-service.xml
        /WEB-INF/builder-data.xml
        /WEB-INF/builder-security.xml
    </param-value>
</context-param>

<servlet>
    <servlet-name>builder</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>builder</servlet-name>
    <url-pattern>*.htm</url-pattern>
    <url-pattern>*.docx</url-pattern>
</servlet-mapping>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetClass</param-name>
        <param-value>org.springframework.security.web.FilterChainProxy</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<session-config>
    <session-timeout>
        30
    </session-timeout>
</session-config>
<welcome-file-list>
    <welcome-file>redirect.jsp</welcome-file>
</welcome-file-list>
</web-app>

这是我的建设者 - 安全（介意解体）：

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:s="http://www.springframework.org/schema/security"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<!--<s:authentication-manager>
    <s:authentication-provider ref="authenticationProvider"/>
</s:authentication-manager>-->

<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <s:filter-chain-map path-type="ant">
        <s:filter-chain pattern="/**"
            filters="securityContextPersistenceFilter,
                    exceptionTranslationFilter,
                    authenticationProcessingFilter,
                    filterSecurityInterceptor,
                    anonymousAuthenticationFilter"/>
    </s:filter-chain-map>
</bean>

<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>

<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
</bean>

<bean id="authenticationProcessingFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
</bean>

<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <property name="providers">
        <list>
            <ref bean="authenticationProvider"/>
            <ref bean="anonymousAuthenticationProvider"/>
        </list>
    </property>
</bean>

<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <!--<property name="passwordEncoder" ref="md5PasswordEncoder"/>-->
    <!--<property name="saltSource" ref="systemWideSaltSource"/>-->
    <property name="userDetailsService" ref="authenticationDao"/>
    <property name="userCache" ref="userCache"/>
</bean>

<bean id="md5PasswordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder">

</bean>

<bean id="systemWideSaltSource" class="org.springframework.security.authentication.dao.SystemWideSaltSource">
    <property name="systemWideSalt" value="XXXX"/>
</bean>

<bean id="userCache" class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
    <property name="cache" ref="ehcache"/>
</bean>

<bean id="ehcache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheManager" ref="cacheManager"/>
    <property name="cacheName" value="userCache"/>
</bean>

<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
    <property name="configLocation" value="ehcache.xml"/>
</bean>

<bean id="authenticationDao" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <property name="dataSource" ref="dataSource"/>
</bean>

<!--<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <property name="realmName" value="SpecBuilder"/>
</bean>-->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/login.html"/>
</bean>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <property name="decisionVoters">
        <list>
            <ref bean="voter"/>
        </list>
    </property>
</bean>

<bean id="voter" class="org.springframework.security.access.vote.RoleVoter">
    <property name="rolePrefix" value="ROLE_"/>
</bean>

<bean id="anonymousAuthenticationFilter" class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
    <property name="key" value="foobar"/>
    <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>

<bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
    <property name="key" value="foobar"/>
</bean>

<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
        <s:filter-invocation-definition-source>
            <s:intercept-url pattern="/login*" access="ROLE_ANONYMOUS"/>
            <s:intercept-url pattern="/**" access="ROLE_USER"/> <!-- isAuthenticated() probably better -->
        </s:filter-invocation-definition-source>
    </property>
</bean>

</beans>

现在我正在尝试将login.html用于所有匿名访问，但我得到的只是一个无限的安全循环。

我不应该为此使用bean声明吗？因为似乎不是很多人这样做。如果做到这一点没有任何好处，我宁愿不改变整个事情。它必须有一些问题或更好的地方去获取bean声明参考和示例，因为大多数搜索都会提供另一种实现spring security的方式。

Answer 1

分步弹簧安全解释：

http://blog.solidcraft.eu/2011/03/spring-security-by-example-set-up-and.html

祝你好运！

Answer 2

经过一番研究和测试，我已经解决了。内置的安全命名空间为您完成了大量工作。使用bean创建每个过滤器和管理器bean是一种自定义事物的好方法，但它使得它变得更加困难并且不是必需的。

我的最终代码涉及一个自定义用户类，其中包含一个salt值和一个自定义dao类来强制使用salt。其他一切都是通过使用安全命名空间来完成的。

助洗剂-security.xml文件

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:s="http://www.springframework.org/schema/security"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<s:http auto-config="true" use-expressions="true">
    <s:intercept-url pattern="/login*" access="permitAll"/>
    <s:intercept-url pattern="/*" access="hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')"/>
    <s:form-login login-page="/login.html"/>
    <s:logout logout-url="/logout"/>
</s:http>

<s:authentication-manager alias="authenticationManager">
    <s:authentication-provider user-service-ref="userDetailsService">
        <s:password-encoder ref="passwordEncoder">
            <s:salt-source ref="saltSource"/>
        </s:password-encoder>            
    </s:authentication-provider>
</s:authentication-manager>

<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>

<bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource">
    <property name="userPropertyToUse" value="salt"/>
</bean>

<bean id="userDetailsService" class="builder.webapp.security.CustomJdbcDaoImpl">
    <property name="dataSource" ref="dataSource"/>
    <property name="enableAuthorities" value="true"/>
    <property name="enableGroups" value="false"/>
    <property name="usersByUsernameQuery"
              value="select username,password,enabled,salt from users where username = ?"/>
</bean>

</beans>

无法获得spring-security.xml

2 个答案: