Spring 安全和 Struts 2
我有一个带有 @Secured({"ROLE_ADMIN"}) 的 struts2 操作来保护执行方法。在执行方法中,我将一条消息分配给操作的成员变量,然后返回 SUCCESS 并最终出现在 jsp 页面上。在页面上,我使用
private String greeting;
public String execute() throws Exception {
this.greeting="Hello";
return SUCCESS;
}
// getters and setters for greeting
...
<s:property value="greeting" />
问题是,当存在安全注释时,jsp 不会显示成员变量的任何内容,但是当删除 @Secured 时,整个事情会正常运行并显示设置到成员变量中的消息。
看起来实际的安全性工作正常,但是当通过注释启用时,成员变量(或者可能是操作的实例)不会进入值堆栈。
我看不到任何错误消息。
I have a struts2 action with an @Secured({"ROLE_ADMIN"}) to secure the execute method. In the execute method I assign a message to a member variable of the action, then return SUCCESS and end up on the jsp page. On the page I retrieve the actions member variable with <sproperty>.
private String greeting;
public String execute() throws Exception {
this.greeting="Hello";
return SUCCESS;
}
// getters and setters for greeting
...
<s:property value="greeting" />
The problem is when the secured annotation is present the jsp shows nothing for the member variable but when @Secured is removed the whole thing behaves properly and shows the message that was set into the member variable.
It appears that the actual security is working ok but when enabled via the annotation the member variable (or maybe the instance of the action) is not making its way onto the value stack.
I cant see any error messages.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您必须确保在执行
SecurityContextHolder.getContext 中()。另外,如果您使用默认的“线程本地”策略来存储安全上下文,请确保授予的权限正确存储在每个请求线程中。例如,如果您在 http 会话中存储有关用户凭据的信息,则需要设置
HttpSessionContextIntegrationFilter。作为最后的手段,如果有可能,您可以在您正在使用的 Spring Security 拦截器中进行逐步调试会话,并检查问题所在。
You have to make sure that before the
<s:property value="greeting" />is executed, you have the "ROLE_ADMIN" present as a granted authority in theSecurityContextHolder.getContext().Also, if you use the default "thread local" strategy of storing the security context, make sure the granted authorities are properly stored in each request thread. For example, if you store information about the user credentials in the http session, you need a
HttpSessionContextIntegrationFilterset up.As a last resort, if you have the possibility, you can do a step by step debug session in the Spring Security Interceptor you are using and check out what the problem is.