【发布时间】:2016-01-07 21:32:50
【问题描述】:
我正在尝试使用 java 配置将 spring security 放入我的 spring mvc 项目中,但是,我仍然可以访问所有页面而无需任何 spring security 拦截。有人可以帮忙吗?谢谢你。 (我使用的是 weblogic 12c)
pom.xml 的一部分
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>2.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
WebAppInitializer.java
package com.home.config;
public class WebAppInitializer implements WebApplicationInitializer {
@Override
public void onStartup(ServletContext container) throws ServletException {
AnnotationConfigWebApplicationContext rootCtx = new AnnotationConfigWebApplicationContext();
rootCtx.register(HomeConfig.class);
container.addListener(new ContextLoaderListener(rootCtx));
container.setInitParameter("defaultHtmlEscape", "true");
AnnotationConfigWebApplicationContext webCtx = new AnnotationConfigWebApplicationContext();
webCtx.register(WebConfig.class);
ServletRegistration.Dynamic servlet = container.addServlet(
"spring-dispatcher", new DispatcherServlet(webCtx));
servlet.setLoadOnStartup(1);
servlet.addMapping("/");
}
}
WebConfig.java
package com.home.config;
@Configuration
@EnableWebMvc
@ComponentScan(basePackages = { "com.home.controllers", "com.home.websecurity" })
public class WebConfig extends WebMvcConfigurerAdapter {
@Bean
public ViewResolver viewResolver() {
InternalResourceViewResolver resolver = new InternalResourceViewResolver();
resolver.setPrefix("/WEB-INF/views/");
resolver.setSuffix(".jsp");
resolver.setExposeContextBeansAsAttributes(true);
return resolver;
}
// Configure static content handling
@Override
public void configureDefaultServletHandling(
DefaultServletHandlerConfigurer configurer) {
configurer.enable();
}
}
SecurityConfig.java
package com.home.websecurity;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication().withUser("user").password("abc123")
.roles("USER");
auth.inMemoryAuthentication().withUser("admin").password("root123")
.roles("ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated().and().formLogin()
.and().httpBasic();
}
}
SecurityWebInitializer.java
package com.home.websecurity;
public class SecurityWebInitializer extends
AbstractSecurityWebApplicationInitializer {
}
【问题讨论】:
-
我在 Tomcat 7 上测试了代码,它运行良好!所以我想这是我还没有完全掌握的 weblogic 12c 的设置。我可能会花更多时间在这方面,同时,如果有人能给我一些线索,我将不胜感激。 :)
-
为什么要调用两次AnnotationConfigWebApplicationContext?尝试只调用一次并在那里扫描安全包(类似于 contextLocation 我不记得了)。我认为您不需要 SecurityWebInitalizer 类
标签: java spring-mvc spring-security weblogic