Spring security - taglib和jsp中的SecurityContext.authentication null,但在控制器中正常
我已经在这个问题上苦苦挣扎了一段时间了。找到了几篇关于它的帖子,但没有一个解决了我的问题。这可能与 SecurityContext 绑定到特定线程这一事实有关,但即便如此,我也不知道如何解决它:
考虑使用以下代码来检索已登录的用户:
SecurityContextHolder.getContext().getAuthentication().getPrincipal()
在控制器中运行此代码将返回(正确)登录的用户。 从 taglib 或 jsp 运行此代码会抛出 NPE(身份验证 = null)。 此外,弹簧标签 不起作用(大概出于同样的原因)。
从 web.xml 中提取:
<filter>
<filter-name>AcegiFilter</filter-name>
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>AcegiFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
从 spring security 配置文件中提取:
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
</value>
</property>
</bean>
<bean id="filterSecurityInterceptor"
class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="alwaysReauthenticate" value="true" />
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/myaccount.htm=ROLE_CUSTOMER
</value>
</property>
</bean>
I've been struggling with this issue for a little while now. Found several posts about it but none solved my problem. It will probably have something to do with the fact that a SecurityContext is boud to a specific Thread but even then I do not know how to solve it:
Consider following code to retrieve the user that was logged in:
SecurityContextHolder.getContext().getAuthentication().getPrincipal()
Running this code in a controller would return (correctly) the user logged in.
Running this code from a taglib or jsp throws NPE (authentication = null).
Also the spring tag does not function (presumably for the same reason).
Extract from web.xml:
<filter>
<filter-name>AcegiFilter</filter-name>
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>AcegiFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Extract from spring security config file:
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
</value>
</property>
</bean>
<bean id="filterSecurityInterceptor"
class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="alwaysReauthenticate" value="true" />
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/myaccount.htm=ROLE_CUSTOMER
</value>
</property>
</bean>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
已解决
由过滤器序列引起的问题。 PageFilter (sitemesh) 在 spring 安全过滤器之前被调用,因此安全上下文在 jsp 中尚不可用。更改 web.xml 中过滤器的顺序(安全过滤器优先)解决了该问题。
RESOLVED
the problem arose from the filter sequence. The PageFilter (sitemesh) was invoked before the spring security filter and because of this the security context was not yet available in the jsp. Changing the order of the filters in web.xml (security filter first) fixed the issue.
这似乎是一个显而易见的问题,但是您是否强制用户在访问页面 /myaccount.htm 之前的任何时候登录(即进行身份验证)?我在对象定义源中没有看到任何到需要匿名访问的登录页面的映射,这就是我问的原因。如果用户无需身份验证即可访问 /myaccount.htm,那么当他们访问该页面时,安全上下文中不会创建任何主体,因此会出现 NullPointerException。另外,您是否使用基于表单的身份验证? HTTP 基本身份验证 ? Acegi 支持其他类型吗?
This may seem like an obvious question, but have you forced the user to log in (ie authenticate) at any point prior to them accessing the page /myaccount.htm ? I didn't see any mappings to a login page requiring anonymous access in your object definition source which is why I ask. If the user can access /myaccount.htm without authenticating, then no principal would have been created in the security context by the time they've accessed the page, hence your NullPointerException. Also, are you using form based authentication ? HTTP BASIC authentication ? Some other type supported by Acegi ?