无法正确获取 spring-security.xml

【问题标题】:Can't get spring-security.xml right无法正确获取 spring-security.xml
【发布时间】:2011-08-23 20:05:46
【问题描述】:

我已经设置了 spring 安全性,可以毫无问题地对数据库进行基本身份验证,但是我想添加自定义登录/注销和管理页面,以及使用 salt 对密码进行 md5 加密。

我一直在尝试使这些功能中的任何一个起作用,并且所有在线示例似乎都是这样使用和声明的,而不是像我这样使用 bean 声明。这使它变得更加困难,因为示例中的选项似乎没有直接转换为 bean 属性。

这是我的 web.xml - 我使用的是 Spring Security 3.0:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/applicationContext.xml
        /WEB-INF/builder-servlet.xml
        /WEB-INF/builder-service.xml
        /WEB-INF/builder-data.xml
        /WEB-INF/builder-security.xml
    </param-value>
</context-param>

<servlet>
    <servlet-name>builder</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>builder</servlet-name>
    <url-pattern>*.htm</url-pattern>
    <url-pattern>*.docx</url-pattern>
</servlet-mapping>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetClass</param-name>
        <param-value>org.springframework.security.web.FilterChainProxy</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<session-config>
    <session-timeout>
        30
    </session-timeout>
</session-config>
<welcome-file-list>
    <welcome-file>redirect.jsp</welcome-file>
</welcome-file-list>
</web-app>

这是我的 builder-security(注意混乱):

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:s="http://www.springframework.org/schema/security"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<!--<s:authentication-manager>
    <s:authentication-provider ref="authenticationProvider"/>
</s:authentication-manager>-->

<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <s:filter-chain-map path-type="ant">
        <s:filter-chain pattern="/**"
            filters="securityContextPersistenceFilter,
                    exceptionTranslationFilter,
                    authenticationProcessingFilter,
                    filterSecurityInterceptor,
                    anonymousAuthenticationFilter"/>
    </s:filter-chain-map>
</bean>

<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>

<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
</bean>

<bean id="authenticationProcessingFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
</bean>

<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <property name="providers">
        <list>
            <ref bean="authenticationProvider"/>
            <ref bean="anonymousAuthenticationProvider"/>
        </list>
    </property>
</bean>

<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <!--<property name="passwordEncoder" ref="md5PasswordEncoder"/>-->
    <!--<property name="saltSource" ref="systemWideSaltSource"/>-->
    <property name="userDetailsService" ref="authenticationDao"/>
    <property name="userCache" ref="userCache"/>
</bean>

<bean id="md5PasswordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder">

</bean>

<bean id="systemWideSaltSource" class="org.springframework.security.authentication.dao.SystemWideSaltSource">
    <property name="systemWideSalt" value="XXXX"/>
</bean>

<bean id="userCache" class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
    <property name="cache" ref="ehcache"/>
</bean>

<bean id="ehcache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheManager" ref="cacheManager"/>
    <property name="cacheName" value="userCache"/>
</bean>

<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
    <property name="configLocation" value="ehcache.xml"/>
</bean>

<bean id="authenticationDao" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <property name="dataSource" ref="dataSource"/>
</bean>

<!--<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <property name="realmName" value="SpecBuilder"/>
</bean>-->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/login.html"/>
</bean>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <property name="decisionVoters">
        <list>
            <ref bean="voter"/>
        </list>
    </property>
</bean>

<bean id="voter" class="org.springframework.security.access.vote.RoleVoter">
    <property name="rolePrefix" value="ROLE_"/>
</bean>

<bean id="anonymousAuthenticationFilter" class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
    <property name="key" value="foobar"/>
    <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>

<bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
    <property name="key" value="foobar"/>
</bean>

<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
        <s:filter-invocation-definition-source>
            <s:intercept-url pattern="/login*" access="ROLE_ANONYMOUS"/>
            <s:intercept-url pattern="/**" access="ROLE_USER"/> <!-- isAuthenticated() probably better -->
        </s:filter-invocation-definition-source>
    </property>
</bean>

</beans>

现在我正在尝试让 login.html 进行所有匿名访问,但我得到的只是一个无限的安全循环。

我是否有理由不为此使用 bean 声明?因为似乎没有多少人这样做。如果这样做没有好处,我宁愿不改变整个事情。它肯定有问题,或者有更好的地方去获取 bean 声明引用和示例,因为大多数搜索都会出现另一种实现 spring 安全性的方式。

【问题讨论】:

    标签: java spring-security javabeans servlet-filters


    【解决方案1】:

    经过大量研究和测试,我已经解决了这个问题。 内置的安全命名空间为您完成了大量工作。逐个创建每个过滤器和管理器 bean 是一种自定义事物的好方法,但它会变得相当困难,而且并不是真正必要的。

    我的最终代码涉及一个自定义用户类,其中包含一个盐值和一个自定义 dao 类以强制使用盐。其他一切都是通过使用安全命名空间来完成的。

    builder-security.xml

    <beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:s="http://www.springframework.org/schema/security"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<s:http auto-config="true" use-expressions="true">
    <s:intercept-url pattern="/login*" access="permitAll"/>
    <s:intercept-url pattern="/*" access="hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')"/>
    <s:form-login login-page="/login.html"/>
    <s:logout logout-url="/logout"/>
</s:http>

<s:authentication-manager alias="authenticationManager">
    <s:authentication-provider user-service-ref="userDetailsService">
        <s:password-encoder ref="passwordEncoder">
            <s:salt-source ref="saltSource"/>
        </s:password-encoder>            
    </s:authentication-provider>
</s:authentication-manager>

<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>

<bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource">
    <property name="userPropertyToUse" value="salt"/>
</bean>

<bean id="userDetailsService" class="builder.webapp.security.CustomJdbcDaoImpl">
    <property name="dataSource" ref="dataSource"/>
    <property name="enableAuthorities" value="true"/>
    <property name="enableGroups" value="false"/>
    <property name="usersByUsernameQuery"
              value="select username,password,enabled,salt from users where username = ?"/>
</bean>

</beans>

    【讨论】:

      【解决方案2】:

      一步一步的spring安全解释:

      http://blog.solidcraft.eu/2011/03/spring-security-by-example-set-up-and.html

      祝你好运!

      【讨论】:

        猜你喜欢
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        • 2013-04-17
        • 1970-01-01
        相关资源
        最近更新 更多
        热门标签
        Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode