Java Tomcat 8未使用Spring/GWT webapp安全配置

我继承了一个只支持GWT的webapp。（好吧，不是真正的“仅GWT”，因为有一些REST控制器用于数据下载等…）

我想在plain spring mvc中开发新的视图，但我需要同时保留GWT应用程序和新的非GWT视图

我不是一个真正的应用服务器/servlet容器配置专家，我正在努力让它正常工作

现在我有一个主要问题：
当我在Tomcat8.0中运行war时，WebSecurityConfigureAdapter中设置的规则不会被读取，因此访问jsp不需要身份验证

当我在Eclipse（Neon Release（4.6.0））中运行GWT（GWT2.7.0）运行配置的嵌入式Jetty时，会使用此安全配置

GWT部分可通过以下方式访问：

/index.html

“web”部分是：

/web/**

REST服务（实际上也不安全）：

/download/**

，

/file/**

build.gradle：

apply plugin: 'gwt'
apply plugin: 'jetty'
apply plugin: 'war'
apply plugin: 'project-report'

sourceCompatibility = 1.8
targetCompatibility = 1.8

compileJava.options.encoding = 'UTF-8'

configurations.all {
    // check for updates every build
    resolutionStrategy.cacheChangingModulesFor 0, 'seconds'
}

buildscript {
    repositories {
        jcenter()
    }
    dependencies {
        classpath 'de.richsource.gradle.plugins:gwt-gradle-plugin:0.6'
    }
}

repositories {
    mavenCentral()
    maven { 
        url 'https://oss.sonatype.org/content/repositories/snapshots/'
    }
}

dependencies {
    compile project(':myapp_common')
    compile project(':myapp_core')

    compile 'org.apache.commons:commons-exec:1.3'

    // PWT framework
    compile 'fr.putnami.pwt:pwt:1.2.0-SNAPSHOT'
    compile 'fr.putnami.pwt:pwt-google-analytics:1.2.0-SNAPSHOT'
    compile 'fr.putnami.pwt:pwt-spring:1.2.0-SNAPSHOT'


    compile 'org.aspectj:aspectjweaver:1.8.9'
    compile 'org.springframework.security:spring-security-core:3.2.9.RELEASE'
    compile 'org.springframework.security:spring-security-config:3.2.9.RELEASE'
    compile 'org.springframework.security:spring-security-web:3.2.9.RELEASE'

    compile 'commons-io:commons-io:2.4'
    compile 'org.apache.commons:commons-compress:1.9'

    compile 'org.apache.poi:poi:3.14'
    compile 'org.apache.poi:poi-ooxml:3.14'
    testCompile 'junit:junit:4.11'
    testCompile 'org.mockito:mockito-all:1.10.8'
    testCompile 'org.springframework:spring-test:4.1.1.RELEASE'

    compile 'javax.servlet:jstl:1.2'

    compile ('com.googlecode.gflot:gflot:3.3.0') {
        exclude  module: 'gwt-user' 
    }

    // We do not want these in the .war
    providedCompile 'com.google.gwt:gwt-dev:2.7.0'
    providedCompile 'com.google.gwt:gwt-user:2.7.0'
}

gwt {
    gwtVersion = '2.7.0'

    minHeapSize = "512M";
    maxHeapSize = "2G";

    // Modules used in production
    modules = ['com.mycompany.myapp.myapp']
    // Modules used in dev mode and super dev mode.
    devModules = ['com.mycompany.myapp.myappDev']

    compiler {
        strict = false;
    }

    superDev {
        noPrecompile=true
    }
}

task jettyDraftWar(type: JettyRunWar) {
    dependsOn draftWar
    webApp=draftWar.archivePath
}

[jettyDraftWar, jettyStop]*.stopPort = 8081
[jettyDraftWar, jettyStop]*.stopKey = 'stop'

war.dependsOn compileGwt
war {
    baseName = "myapp_web"
    if (project.hasProperty('environment')) {
        FileTree tree = fileTree(dir: "src").include("**/*.$environment")
        tree.each { File file ->
            String origName = file.name.substring(0, file.name.length() - ".$environment".length())
            File orig = new File(file.getParent(), origName)
            war.rootSpec.exclude "**/" + origName
            war.rootSpec.rename (file.name, origName)
        }

        version = environment
    }
}

eclipse.classpath.file{
    whenMerged{ classpath ->
          def projectRefs = classpath.entries.findAll{entry -> entry.kind =='con' && entry.path.equals('com.google.gwt.eclipse.core.GWT_CONTAINER')}
          //move the project references to the end of the list:
          classpath.entries.removeAll(projectRefs)
          classpath.entries.addAll(projectRefs)
    }
}

web.xml：

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee/web-app_3_0.xsd"
    version="3.0">

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>delegatingChainFilter</filter-name>
        <filter-class>fr.putnami.pwt.plugin.spring.web.filter.DelegatingChainFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>delegatingChainFilter</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>

    <!-- Configure ContextLoaderListener to use AnnotationConfigWebApplicationContext 
        instead of the default XmlWebApplicationContext -->
    <context-param>
        <param-name>contextClass</param-name>
        <param-value>
          org.springframework.web.context.support.AnnotationConfigWebApplicationContext
      </param-value>
    </context-param>

    <!-- Configuration locations must consist of one or more comma- or space-delimited 
        fully-qualified @Configuration classes. Fully-qualified packages may also 
        be specified for component-scanning -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>com.mycompany.myapp.server.config</param-value>
    </context-param>

    <!-- Spring configuration -->
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:/dispatcher-servlet.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!-- Spring configuration -->
    <servlet>
        <servlet-name>mvc</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:/mvc.xml</param-value>
        </init-param>
        <load-on-startup>0</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>mvc</servlet-name>
        <url-pattern>/web/*</url-pattern>
    </servlet-mapping>

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

</web-app>

SecurityConfig.java：

@Configuration
@EnableTransactionManagement
@Import({ ComandServiceConfig.class, SecurityConfig.class })
@EnableWebMvc
@EnableScheduling
@ComponentScan(basePackages = { "com.mycompany.myapp.server.config", "com.mycompany.myapp.server.aop",
        "com.mycompany.myapp.batch", "com.mycompany.myapp.server.mail", "com.mycompany.myapp.server.util",
        "com.mycompany.myapp.server.service", "com.mycompany.myapp.server.repository", "com.mycompany.myapp.core.service" })
@PropertySource("classpath:application.properties")
@ImportResource("classpath:myapp_web-applicationContext.xml")
public class MvcConfig extends WebMvcConfigurerAdapter {
[...]
}

package com.mycompany.myapp.server.config;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final Logger logger = LoggerFactory.getLogger(SecurityConfig.class);

    @Autowired
    private UserDetailsService customUserDetailsService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
                auth.userDetailsService(customUserDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests().antMatchers("/web/**", "/download/**", "/file/**").authenticated().anyRequest().permitAll().and().formLogin().loginPage("/index.html").permitAll();
        httpSecurity.csrf().disable();

        httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
    }

    @Bean(name = "authenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

myapp_web-applicationContext.xml：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:jpa="http://www.springframework.org/schema/data/jpa" xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    xmlns:aop="http://www.springframework.org/schema/aop" xmlns:task="http://www.springframework.org/schema/task"
    xsi:schemaLocation="
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
            http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
            http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
            http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
            http://www.springframework.org/schema/data/jpa  http://www.springframework.org/schema/data/jpa/spring-jpa.xsd
            http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task.xsd
        ">

    <context:property-placeholder location="classpath:application.properties" ignore-unresolvable="true" local-override="false" />

    <aop:config proxy-target-class="true" />

    <bean name="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <!-- Upload management -->
    <bean name="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver" />

    <bean class="com.mycompany.myapp.server.config.EncodingPostProcessor" />

    <!-- Configures Spring Data JPA and sets the base package of my DAOs. -->
    <jpa:repositories base-package="com.mycompany.myapp.server.repository" />
</beans>