Apache 可以基于 Tomcat Web 应用程序的 Spring SecurityContext 限制访问吗?
我们有一个 tomcat web 应用程序,它提供使用 Spring Security 保护的 web 服务。客户端调用一个特定的authenticationService方法,我们编写该方法来对它们进行身份验证并创建一个authToken,然后使用它向Spring Security注册它们,如下所示:
SecurityContextHolder.getContext().setAuthentication( authToken )
这一切都很好。然而,我们还要求经过身份验证的用户能够访问由同一服务器上的 Apache (httpd) 提供的静态内容。有没有办法强制要求用户在下载静态内容之前已经通过身份验证(通过 Java/Spring)?看来 Apache 和 Tomcat 必须以某种方式共享 SecurityContext。
或者 - 或者,Tomcat 似乎可以自行提供静态内容,因为它已经可以访问 SecurityContext。如果这是最好的解决方案,任何人都可以提供一个指针,告诉我们如何让 tomcat 做到这一点(在检查用户已通过身份验证后提供静态内容)。
谢谢。
We have a tomcat webapp which provides webservices which are protected using Spring Security. The client makes a call to a specific authenticationService method which we wrote to authenticate them and create an authToken which is then used to register them with Spring Security as so:
SecurityContextHolder.getContext().setAuthentication( authToken )
That's all fine and good. However, we also have the requirement that authenticated users be able to access static content which is served by Apache (httpd) on the same server. Is there a way to enforce the requirement that the user has been authenticated (by Java/Spring) before they can download the static content? It seems like Apache and Tomcat would have to somehow share the SecurityContext.
OR - alternatively it seems like Tomcat could serve the static content itself since it already has access to the SecurityContext. If that is the best solution, could anyone provide a pointer to how we would get tomcat to do that (serve static content after checking that the user has been authenticated).
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
是的,Tomcat 将必须提供静态内容。
mvc:资源 在这里可能会有所帮助。之后,使用标准拦截 url 配置来设置保护这些映射。
Yes, Tomcat is going to have to serve the static content.
mvc:resources can be helpful here. After that is set up protect those mappings using the standard intercept-url configuration.