Question:

Spring Security - Can I use the namespace and a filter chain at the same time?

仲浩歌
2023-03-14
<sec:global-method-security secured-annotations="enabled" />

<sec:http pattern="/app/login.jsp*" security="none" />
<sec:http pattern="/admin/login.jsp*" security="none" />
<sec:http pattern="/app/*.png" security="none" />
<sec:http pattern="/admin/*.png" security="none" />
<sec:http pattern="/app/**" authentication-manager-ref="authenticationManager"
    access-decision-manager-ref="accessDecisionManager">
    <sec:intercept-url pattern="/app/**" access="ROLE_USER" />
    <sec:access-denied-handler error-page="/app/login.jsp?aer=" />
    <sec:form-login login-processing-url="/app/j_spring_security_check"
        always-use-default-target="true" default-target-url="/app/index.html"
        login-page='/app/login.jsp' authentication-failure-url='/app/login.jsp?login_error' />
    <sec:logout logout-url="/app/j_spring_security_logout"
        invalidate-session="true" logout-success-url="/app/login.jsp" />
</sec:http>
<sec:http pattern="/admin/**" authentication-manager-ref="authenticationManager"
    access-decision-manager-ref="accessDecisionManager">
    <sec:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <sec:access-denied-handler error-page="/admin/login.jsp?aer=" />
    <sec:form-login login-processing-url="/admin/j_spring_security_check"
        always-use-default-target="true" default-target-url="/admin/index.html"
        login-page='/admin/login.jsp' authentication-failure-url='/admin/login.jsp?login_error' />
    <sec:logout logout-url="/admin/j_spring_security_logout"
        invalidate-session="true" logout-success-url="/admin/login.jsp" />
</sec:http>
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map path-type="ant">

    <sec:filter-chain pattern="/css/**" filters="none" />
    <sec:filter-chain pattern="/common/**" filters="none" />
    <sec:filter-chain pattern="/images/**" filters="none" />
    <sec:filter-chain pattern="/login.jsp*" filters="none" />
    <sec:filter-chain pattern="/rest/**"
        filters="
        ConcurrentSessionFilter,
        securityContextPersistenceFilter,
        logoutFilter,
        authenticationProcessingFilter,
        sessionManagementFilter,
        exceptionTranslationFilter,
        filterSecurityInterceptor" />

    </security:filter-chain-map> 
</bean>


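The problem is that the filter chain doesn't control anything. I'm sure the filter chain works fine when the namespace is not used. But when I add the namespace, the problems start.
Why? Can't I use that? Or can I, and I have to change something?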

Update:
This is my debug log when calling this resource: /rest/asrv/gtallmmbrsofusrgrp

DEBUG AntPathRequestMatcher           - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/app/login.jsp*'
DEBUG AntPathRequestMatcher           - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/admin/login.jsp*'
DEBUG AntPathRequestMatcher           - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/app/*.png'
DEBUG AntPathRequestMatcher           - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/admin/*.png'
DEBUG AntPathRequestMatcher           - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/app/**'
DEBUG AntPathRequestMatcher           - Checking match of request : '/rest/asrv/gtallmmbrsofusrgrp'; against '/admin/**'
DEBUG FilterChainProxy                - /rest/asrv/gtallmmbrsofusrgrp has no matching filters

1 answer

史昱
2023-03-14

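I think you are missing the DelegatingFilterProxy entry in web.xml. But anyway,

As of Spring 3.1, FilterChainProxy is configured with a list of SecurityFilterChain instances, and FilterChainMap is deprecated. So try configuring it as follows: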

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <constructor-arg>
        <list>
            <sec:filter-chain pattern="/css/**" filters="none" />
            <sec:filter-chain pattern="/common/**" filters="none" />
            <sec:filter-chain pattern="/images/**" filters="none" />
            <sec:filter-chain pattern="/login.jsp*" filters="none" />
            <sec:filter-chain pattern="/rest/**"
                filters="
                ConcurrentSessionFilter,
                securityContextPersistenceFilter,
                logoutFilter,
                authenticationProcessingFilter,
                sessionManagementFilter,
                exceptionTranslationFilter,
                filterSecurityInterceptor" />
        </list>
    </constructor-arg>
</bean>

And add the filter to web.xml as follows:

<filter>
    <filter-name>filterChainProxy</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>filterChainProxy</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

log4j.rootCategory=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} %-5p %c %M - %m\n

log4j.category.org.springframework.security=DEBUG

See also: Logging with Log4j

Update 2: It seems to work for me; I have placed a test page welcome.xhtml in the rest directory. The debug log is as follows:

2012-07-30 00:26:05,917 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/javax.faces.resource/**'
2012-07-30 00:26:05,923 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2012-07-30 00:26:05,923 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository readSecurityContextFromSession - No HttpSession currently exists
2012-07-30 00:26:05,923 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository loadContext - No SecurityContext was available from the HttpSession: null. A new one will be created.
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 4 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 5 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2012-07-30 00:26:05,925 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 6 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2012-07-30 00:26:05,926 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 7 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2012-07-30 00:26:05,926 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2012-07-30 00:26:05,928 DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter doFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2012-07-30 00:26:05,928 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.session.SessionManagementFilter doFilter - Requested session IDD44EAA53A767F3DC9C7338D3CD335198 is invalid.
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/login.xhtml'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/*'
2012-07-30 00:26:05,929 DEBUG org.springframework.security.web.util.AntPathRequestMatcher matches - Checking match of request : '/rest/welcome.xhtml'; against '/admin/**'
2012-07-30 00:26:05,930 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor beforeInvocation - Public object - authentication not attempted
2012-07-30 00:26:05,932 DEBUG org.springframework.security.web.FilterChainProxy doFilter - /rest/welcome.xhtml reached end of additional filter chain; proceeding with original chain
2012-07-30 00:26:06,229 DEBUG org.springframework.security.web.access.ExceptionTranslationFilter doFilter - Chain processed normally

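I think the two form logins you have are causing the problem. Try having only one login form and control the navigation afterwards based on role. For example: Can I use a single login page to redirect to different pages with Spring 3.0 Security?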
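
A small model of the first-match chain selection visible in the debug logs above, added here as an example (not code from the question, the answer, or Spring Security). The matcher is a simplified stand-in for Ant-style matching, and `select_chain` and `unfiltered` are hypothetical helper names; it shows that a `/rest/...` request matches none of the `<sec:http>` patterns, which is the "has no matching filters" line in the asker's log.

```python
import re

# Patterns copied from the question's <sec:http> elements, in declaration order.
NAMESPACE_CHAINS = [
    ("/app/login.jsp*", "none"), ("/admin/login.jsp*", "none"),
    ("/app/*.png", "none"), ("/admin/*.png", "none"),
    ("/app/**", "ROLE_USER"), ("/admin/**", "ROLE_ADMIN"),
]
# Patterns copied from the hand-declared FilterChainProxy bean.
BEAN_CHAINS = [
    ("/css/**", "none"), ("/common/**", "none"), ("/images/**", "none"),
    ("/login.jsp*", "none"), ("/rest/**", "custom filter list"),
]

def ant_to_regex(pattern):
    """Simplified Ant-style matcher (a model, not Spring's AntPathRequestMatcher)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            token, step = "(/.*)?", 3      # trailing /** also matches the bare prefix
        elif pattern.startswith("**", i):
            token, step = ".*", 2          # ** crosses path segments
        elif pattern[i] == "*":
            token, step = "[^/]*", 1       # * stays inside one segment
        else:
            token, step = re.escape(pattern[i]), 1
        out.append(token)
        i += step
    return re.compile("".join(out) + r"\Z")

def select_chain(path, chains):
    """Return the first (pattern, label) that matches, or None: first match wins."""
    for pattern, label in chains:
        if ant_to_regex(pattern).match(path):
            return pattern, label
    return None

def unfiltered(paths, chains):
    """Paths that would run with no security filters: no match, or a 'none' chain."""
    return [p for p in paths
            if (hit := select_chain(p, chains)) is None or hit[1] == "none"]

if __name__ == "__main__":
    # Constructed request paths; the first is the one from the question's log.
    for path in ["/rest/asrv/gtallmmbrsofusrgrp", "/app/index.html", "/app/login.jsp"]:
        print(path, "->", select_chain(path, NAMESPACE_CHAINS))
```

Running candidate paths through `unfiltered` against a given chain list shows which routes would reach the application without passing through any security filter.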
