【问题标题】:Securize Struts2 namespaces with Spring Security使用 Spring Security 保护 Struts2 命名空间
【发布时间】:2012-10-20 21:44:07
【问题描述】:

我尝试使用 Spring Security 3.0.5 保护我的 struts 2 应用程序。

我在 web.xml 中声明:

      <!-- Tiles --> 
  <context-param> 
    <param-name> org.apache.tiles.impl.BasicTilesContainer.DEFINITIONS_CONFIG </param-name> 
    <param-value>/WEB-INF/conf/tiles.xml</param-value> 
  </context-param> 
  <listener> 
    <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class> 
  </listener> 

<!-- Files defining SPRING ApplicationContext -->   
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/conf/spring-security.xml,/WEB-INF/conf/application.xml</param-value>
    </context-param>

    <context-param>
        <param-name>locatorFactorySelector</param-name>
        <param-value>classpath:/model/config/beans.xml</param-value>
    </context-param>
    <context-param>
        <param-name>parentContextKey</param-name>
        <param-value>context</param-value>
    </context-param>

    <!-- Filter for security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Struts 2 --> 
  <filter> 
    <filter-name>struts2</filter-name> 
    <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class> 
  </filter> 
  <filter-mapping> 
    <filter-name>struts2</filter-name> 
    <url-pattern>/*</url-pattern> 
  </filter-mapping> 
     <!-- Spring --> 


    <!-- Open session filter - binds a Hibernate Session to the thread for the entire processing of the request  -->
    <filter>
        <filter-name>HibernateFilter</filter-name>
        <filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class>
        <init-param>
              <param-name>sessionFactoryBeanName</param-name> 
              <param-value>hibernateSessionFactory</param-value>
        </init-param>
    </filter>

        <!-- Filter for Character Encoding -->
    <filter>
        <filter-name>CharacterEncodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
    </filter>


    <!-- Mapping for pages to filter -->
    <filter-mapping>
        <filter-name>HibernateFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CharacterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>


<listener>
   <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>


  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

然后在我的struts.xml中:

<struts> 
  <!-- internationalisation --> 
  <constant name="struts.custom.i18n.resources" value="messages" /> 
  <!-- intégration Spring --> 
  <constant name="struts.objectFactory.spring.autoWire" value="name" />

  <package name="searchMandate" namespace="/search" extends="struts-default, tiles-default"> 
   <action name="MandateSearchActionInit"  class="web.action.mandate.SearchAction" method="initSearch"> 
      <result name="input" type="tiles">search</result> 
      <result name="success" type="tiles">search</result> 
    </action> 
    </package>
     <package name="userProfile" namespace="/profile" extends="struts-default, tiles-default"> 
        <action name="ChangeProfileInit"  class="web.action.user.ProfileAction" method="loadProfile"> 
           <result name="input" type="tiles">updateProfile</result> 
         </action> 
    </package>
</struts> 

我的 spring-security.xml :

     <beans:bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
        <filter-chain-map path-type="ant">
            <filter-chain pattern="/**" filters="sif"/>
        </filter-chain-map>
    </beans:bean>

    <http use-expressions="true">
        <intercept-url pattern="/profile*" access="isAuthenticated()" />
        <intercept-url pattern="/search*" access="hasRole('SEARCH')"/>
        <form-login login-page="/login" default-target-url="/welcome"
            authentication-failure-url="/loginfailed" />
        <logout logout-success-url="/logout" />
    </http>



    <authentication-manager>
        <authentication-provider>
            <password-encoder ref="passwordEncoder" />
            <jdbc-user-service data-source-ref="dataSource"

                users-by-username-query="
                    select login,password, isactive 
                    from tuser where LOGIN=?" 

                authorities-by-username-query="
                    select u.login, ur.name from tuser u,tgroup g, trolegroup rg, trole ur 
                    where u.groupid = g.groupid and g.groupid=rg.groupid and rg.roleid=ur.roleid and u.login =?  " 

            />
        </authentication-provider>
    </authentication-manager>

我认为安全性已经到位,阅读“INFO 20-10 23:26:55,620 - 为 /search* 创建访问控制表达式属性 'hasRole('SEARCH')'”作为服务器启动。但是当我访问 search/MandateSearchActionInit url 时,我在没有被路由到登录页面的情况下进行操作。 有人有钥匙吗?

【问题讨论】:

  • 对不起。忘记这个愚蠢的问题。一切都很好,但拦截网址的模式。与 Struts 无关。
  • /search/** 和 /profile/** 效果更好
  • 如果您找到答案,请自己回答,这将对他人有用。

标签: java struts2 spring-security


【解决方案1】:

事实上,intercept-url 模式是错误的。 例如对于搜索路径,语法应该是:

<intercept-url pattern="/search/**" access="hasRole('SEARCH')"/>

没有与 struts2 的链接(spring security 保护 url 并且不管后面是什么)。

【讨论】:

    猜你喜欢
    • 2015-12-11
    • 2014-07-29
    • 2020-06-04
    • 2022-12-11
    • 2014-02-21
    • 2016-09-01
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多