非 Spring Boot 应用程序的 Spring 安全性不起作用

Question

我在 Spring 4 中尝试为我的端点启用基本身份验证。但它似乎没有做任何事情。

有什么想法吗？

如果我下断点，我只能看到服务器启动时调用了configure方法。

package org.example;

import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@Validated
public class MyController {
    @RequestMapping(value = "/health")
    public String health() {
        return "OK";
    }
    @RequestMapping(value = "/getdata")
    public String getData() {
        return "data";
    }
}

package org.example;

import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;


@EnableWebSecurity
public class BasicAuthConfig extends WebSecurityConfigurerAdapter {

    // Authentication : User --> Roles
    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.inMemoryAuthentication()
                .withUser("appuser")
                .password("{noop}apipassword")
                .roles("USER");
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                //HTTP Basic authentication
                .httpBasic()
                .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/rest/**").hasRole("USER")
                .antMatchers(HttpMethod.POST, "/cxf/**").hasRole("USER")
                .and()
                .csrf().disable()
                .formLogin().disable();
    }
}

我的 web.xml

 
<!DOCTYPE web-app PUBLIC
 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
  <display-name>Archetype Created Web Application</display-name>

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext.xml</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <servlet>
    <servlet-name>cxf</servlet-name>
    <display-name>CXF Servlet</display-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <load-on-startup>101</load-on-startup>
    <init-param>
      <param-name>use-x-forwarded-headers</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>rest</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>103</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>rest</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>cxf</servlet-name>
    <url-pattern>/cxf/*</url-pattern>
  </servlet-mapping>
</web-app>

http://localhost:8080/TestWeb3/rest/health 无需身份验证仍可访问

Answer 1

原来我需要在 web.xml 中连接一个安全过滤器，如下所示

  <!-- Spring Security -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>