SpringSecurity: multiple http namespaces and security annotations, big mess
I'm making a Spring MVC web-app with some RESTful resources as an API.
I need the RESTful part to have some custom filters as I do not want any redirection and I want any exception to be translated with the corresponding HTTP error code and a basic JSON description.
On the other hand, the rest of the website has to be more common and redirect people when they are not logged in etc.
One more thing, I wish to use the @Secured annotations and a post-authentication in some cases.
How do I define the multiple http namespaces correctly (on Spring 3.1)?
Here is my erroneous configuration:
<global-method-security secured-annotations="enabled" />

<http pattern="/rest/**" authentication-manager-ref="authenticationManager" entry-point-ref="restAuthenticationEntryPoint">
    <form-login login-page="/rest/login" login-processing-url="/rest/postlogin"
                authentication-success-handler-ref="restAuthenticationSuccessHandler"
                authentication-failure-handler-ref="restAuthenticationFailureHandler"
                username-parameter="username" password-parameter="password" />
    <logout logout-url="/rest/logout" invalidate-session="true" />
</http>

<http pattern="/**" authentication-manager-ref="authenticationManager">
    <form-login login-page="/login" login-processing-url="/postlogin"
                username-parameter="username" password-parameter="password" />
    <logout />
</http>
The funny part is that this configuration works partially: I can login with /rest/login and I get the response from my custom success handler. I can also login from /login and I get the proper redirection to /. Both logouts are working fine too.
Next, all the controller beans have @Secured("ROLE_USER") on the secured methods. But none of the secured methods ever get secured. Why is that so?
@Secured({"ROLE_USER"})
@RequestMapping(method = RequestMethod.GET, headers = { "Range" })
public @ResponseBody
HttpEntity<List<T>> list(@RequestHeader("Range") String range) {
I've read documentation everywhere and I'm more confused than ever.
- Why are my methods not being secured?
- Must the http namespace define an access so that the @Secured annotations work?
- Is the http namespace overwriting my @Secured annotations? If so, how can I define multiple "login pages" with custom filters and still be able to use annotations?
Here are some facts:
* I'm using Spring and SpringSecurity 3.1
* I have a custom AuthenticationManager to retrieve user details from hibernate daos.
* Some controllers are extending an abstract class where the @Secured annotations lie. But it still doesn't work for a simple controller.
* My controllers are discovered with a context:component-scan and a base-package.
* The security works fine with one http namespace.
Please help, I'm getting mad with this!
Comments (1)
Check out this answer about making sure the web context is visible to the global-method-security declaration and possibly using class proxying. To answer your other questions, no, the http namespace shouldn't affect the use of @Secured annotations, other than that the user is authenticated by the web part of the application and that information will be used by the method security interceptor when making an access decision. Unless you override it (using access-decision-manager-ref), method security will use a standard AccessDecisionManager which grants or denies access based on the roles a user has.
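The placement the answer refers to, as an added configuration example that is not part of the question or the answer: the file name and the base package com.example.web are assumptions, and the two <http> chains from the question are assumed to stay in the root context file loaded by ContextLoaderListener, where they work as web-layer filters.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/spring/servlet-context.xml (assumed name), loaded by the DispatcherServlet.
     <global-method-security> registers a BeanPostProcessor that wraps beans in a
     security proxy, and a BeanPostProcessor only sees beans created in the SAME
     application context. The controllers are created here, by the component-scan
     below, so the element has to be declared here; declared only in the root
     security file it never sees the controllers and @Secured is silently ignored. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
         http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/mvc
         http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <mvc:annotation-driven/>

  <!-- Assumed base package: the controllers carrying @Secured are found by this
       scan and therefore belong to this (child) context. -->
  <context:component-scan base-package="com.example.web"/>

  <!-- Method security enabled in the controllers' own context.
       proxy-target-class="true" forces CGLIB class proxies: @RequestMapping is
       read from the concrete class, and a JDK interface proxy hides it from
       Spring MVC when a controller implements an interface. CGLIB needs a
       non-final class, non-final secured methods and a no-arg constructor. -->
  <security:global-method-security secured-annotations="enabled"
                                   proxy-target-class="true"/>
</beans>
```

A quick check that the proxy is in place: the controller bean's runtime class name contains "$$EnhancerByCGLIB" once this element sits in the right context. Calls a controller makes to its own @Secured methods bypass the proxy, so only entry through the proxy (the request from Spring MVC) is guarded.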