Spring Security 结合 Bearer Token（承载令牌）授权和 CXF

Spring security 结合Spring安全授权承载器和CXF,spring-security,cxf,Spring Security,Cxf,我正在使用SpringSecurity+SpringCore并结合CXF实现我的restful 以下是配置: 用于CXF配置的web.xml: <!-- Spring configuration for ContextLoaderListener --> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class&

我正在使用 Spring Security + Spring Core，并结合 CXF 实现我的 RESTful 服务

以下是配置:

  • 用于CXF配置的web.xml:

    <!-- Spring configuration for ContextLoaderListener -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    
    <!-- CXF configuration for RESTful webservices -->
    <!-- NOTE(review): no springSecurityFilterChain filter is declared in this web.xml, so the
         SecurityConfiguration that protects /services/** is never reached; a DelegatingFilterProxy
         mapped to /* must be registered so requests are filtered before CXFServlet handles them. -->
    <servlet>
        <servlet-name>CXFServlet</servlet-name>
        <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>CXFServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>
    
  • Spring Security 配置 — SecurityConfiguration

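    /**
     * Spring Security configuration for the CXF REST endpoints.
     *
     * <p>Every request under {@code /services/**} must be authenticated by the injected
     * {@link AuthenticationProvider}. Sessions are stateless, and form login, HTTP Basic,
     * logout and CSRF are switched off because credentials are carried per request and
     * handled by the filter registered in {@link #configure(HttpSecurity)}.
     *
     * <p>NOTE(review): this chain only runs when {@code springSecurityFilterChain} is declared
     * as a {@code DelegatingFilterProxy} in web.xml; the CXF servlet alone never invokes it.
     */
    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        /** URL patterns that require an authenticated caller. */
        private static final RequestMatcher PROTECTED_URLS = new OrRequestMatcher(
                new AntPathRequestMatcher("/services/**"));

        /** Provider that validates the credential extracted by the authentication filter. */
        private final AuthenticationProvider provider;

        /**
         * @param authenticationProvider provider registered with both the global
         *        {@link AuthenticationManagerBuilder} and this {@link HttpSecurity}; must not be null
         * @throws NullPointerException if {@code authenticationProvider} is null
         */
        public SecurityConfiguration(final AuthenticationProvider authenticationProvider) {
            super();
            // Fail at wiring time rather than on the first request.
            this.provider = java.util.Objects.requireNonNull(authenticationProvider, "authenticationProvider");
        }

        /** Registers the single provider with the global authentication manager. */
        @Override
        protected void configure(final AuthenticationManagerBuilder auth) {
            auth.authenticationProvider(provider);
        }

        /**
         * Leaves {@code /token/**} entirely outside the security filter chain.
         * Original note: this service is not needed for now because Vaadin is used.
         */
        @Override
        public void configure(final WebSecurity webSecurity) {
            webSecurity.ignoring().antMatchers("/token/**");
        }

        /**
         * Builds the stateless, token-only filter chain.
         *
         * <p>The {@link #forbiddenEntryPoint()} bean is wired into exception handling so that an
         * unauthenticated request to a protected URL yields an explicit 403 instead of relying on
         * the framework's fallback entry point (the original declared the bean but never used it).
         *
         * @param http the builder for this chain
         * @throws Exception propagated from {@link #authenticationFilter()}
         */
        @Override
        public void configure(final HttpSecurity http) throws Exception {
            http.sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .exceptionHandling()
                    .authenticationEntryPoint(forbiddenEntryPoint())
                    .and()
                .authenticationProvider(provider)
                .addFilterBefore(authenticationFilter(), AnonymousAuthenticationFilter.class)
                .authorizeRequests()
                    .requestMatchers(PROTECTED_URLS).authenticated()
                    .and()
                .csrf().disable()
                .formLogin().disable()
                .httpBasic().disable()
                .logout().disable();
        }

        /**
         * Project-specific filter applied to {@link #PROTECTED_URLS}; it is not shown in this
         * file. NOTE(review): presumably it extracts the bearer token from the request and hands
         * it to the authentication manager — confirm against its implementation.
         *
         * @return the filter, with the global authentication manager set
         * @throws Exception propagated from {@link #authenticationManager()}
         */
        @Bean
        AuthenticationFilter authenticationFilter() throws Exception {
            final AuthenticationFilter filter = new AuthenticationFilter(PROTECTED_URLS);
            filter.setAuthenticationManager(authenticationManager());
            // Left disabled in the original. NOTE(review): confirm the filter's default
            // success handling passes the request on to CXF rather than redirecting.
            // filter.setAuthenticationSuccessHandler(successHandler());
            return filter;
        }

        /** Entry point that answers unauthenticated access to protected URLs with a bare 403. */
        @Bean
        AuthenticationEntryPoint forbiddenEntryPoint() {
            return new HttpStatusEntryPoint(HttpStatus.FORBIDDEN);
        }
    }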
    
  • findByToken 方法

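     /**
      * Looks up the user that owns {@code token}.
      *
      * <p>A null or empty token is rejected up front, so the DAO is never asked to match an
      * absent credential. The returned {@link User} carries the single authority {@code USER}
      * and all four account-status flags set to {@code true}.
      *
      * <p>NOTE(review): the principal is built with {@code userToken.getUserPassword()}; whether
      * that value is a hash or a plaintext secret is not visible here — confirm, since the
      * principal is kept in the SecurityContext for the duration of the request.
      *
      * @param token bearer token presented by the client; may be null
      * @return the matching user, or empty when the token is null, empty, or unknown
      */
     @Override
     public Optional<User> findByToken(String token) {
         if (token == null || token.isEmpty()) {
             return Optional.empty();
         }
         UserToken userToken = userTokenDAO.findByToken(token);
         if (userToken == null) {
             return Optional.empty();
         }
         User user = new User(userToken.getUserId(), userToken.getUserPassword(),
                 true, true, true, true,
                 AuthorityUtils.createAuthorityList("USER"));
         return Optional.of(user);
     }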
    
    没有异常或错误。上述请求返回 200 (OK)。我预期它会失败，因为请求中没有承载令牌（bearer token）。

    我们如何将 Spring Security（使用承载令牌方式）与 CXF 结合使用？

    根据评论中的讨论，很明显 Spring Security 过滤器链（springSecurityFilterChain）没有配置。

    您是否可以把下面的内容也添加到 web.xml 中，并检查执行是否到达了 AntPathRequestMatcher 的 matches 方法？

    <!-- Registers the Spring Security filter chain. Without this declaration the
         SecurityConfiguration bean is never consulted and CXFServlet answers every
         /services/* request directly, which is why the unauthenticated request got 200. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    
    <!-- Map the proxy to /* so /services/* is filtered before CXFServlet is reached. -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
    
    springSecurityFilterChain
    org.springframework.web.filter.DelegatingFilterProxy
    springSecurityFilterChain
    /*
    
    是的，尝试添加 new AntPathRequestMatcher("/my-app/services/**")，但仍然返回 200 OK。执行从未到达 AntPathRequestMatcher 中的 String url = getRequestPath(request)。我担心所有 /services/** 的请求都由 CXF 控制，Spring Security 无法拦截这个 URL 模式。—— 是的，我们需要把该模式委托给 Spring Security。成功了，谢谢。
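    /**
     * Spring Security configuration for the CXF REST endpoints.
     *
     * <p>Every request under {@code /services/**} must be authenticated by the injected
     * {@link AuthenticationProvider}. Sessions are stateless, and form login, HTTP Basic,
     * logout and CSRF are switched off because credentials are carried per request and
     * handled by the filter registered in {@link #configure(HttpSecurity)}.
     *
     * <p>NOTE(review): this chain only runs when {@code springSecurityFilterChain} is declared
     * as a {@code DelegatingFilterProxy} in web.xml; the CXF servlet alone never invokes it.
     */
    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        /** URL patterns that require an authenticated caller. */
        private static final RequestMatcher PROTECTED_URLS = new OrRequestMatcher(
                new AntPathRequestMatcher("/services/**"));

        /** Provider that validates the credential extracted by the authentication filter. */
        private final AuthenticationProvider provider;

        /**
         * @param authenticationProvider provider registered with both the global
         *        {@link AuthenticationManagerBuilder} and this {@link HttpSecurity}; must not be null
         * @throws NullPointerException if {@code authenticationProvider} is null
         */
        public SecurityConfiguration(final AuthenticationProvider authenticationProvider) {
            super();
            // Fail at wiring time rather than on the first request.
            this.provider = java.util.Objects.requireNonNull(authenticationProvider, "authenticationProvider");
        }

        /** Registers the single provider with the global authentication manager. */
        @Override
        protected void configure(final AuthenticationManagerBuilder auth) {
            auth.authenticationProvider(provider);
        }

        /**
         * Leaves {@code /token/**} entirely outside the security filter chain.
         * Original note: this service is not needed for now because Vaadin is used.
         */
        @Override
        public void configure(final WebSecurity webSecurity) {
            webSecurity.ignoring().antMatchers("/token/**");
        }

        /**
         * Builds the stateless, token-only filter chain.
         *
         * <p>The {@link #forbiddenEntryPoint()} bean is wired into exception handling so that an
         * unauthenticated request to a protected URL yields an explicit 403 instead of relying on
         * the framework's fallback entry point (the original declared the bean but never used it).
         *
         * @param http the builder for this chain
         * @throws Exception propagated from {@link #authenticationFilter()}
         */
        @Override
        public void configure(final HttpSecurity http) throws Exception {
            http.sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .exceptionHandling()
                    .authenticationEntryPoint(forbiddenEntryPoint())
                    .and()
                .authenticationProvider(provider)
                .addFilterBefore(authenticationFilter(), AnonymousAuthenticationFilter.class)
                .authorizeRequests()
                    .requestMatchers(PROTECTED_URLS).authenticated()
                    .and()
                .csrf().disable()
                .formLogin().disable()
                .httpBasic().disable()
                .logout().disable();
        }

        /**
         * Project-specific filter applied to {@link #PROTECTED_URLS}; it is not shown in this
         * file. NOTE(review): presumably it extracts the bearer token from the request and hands
         * it to the authentication manager — confirm against its implementation.
         *
         * @return the filter, with the global authentication manager set
         * @throws Exception propagated from {@link #authenticationManager()}
         */
        @Bean
        AuthenticationFilter authenticationFilter() throws Exception {
            final AuthenticationFilter filter = new AuthenticationFilter(PROTECTED_URLS);
            filter.setAuthenticationManager(authenticationManager());
            // Left disabled in the original. NOTE(review): confirm the filter's default
            // success handling passes the request on to CXF rather than redirecting.
            // filter.setAuthenticationSuccessHandler(successHandler());
            return filter;
        }

        /** Entry point that answers unauthenticated access to protected URLs with a bare 403. */
        @Bean
        AuthenticationEntryPoint forbiddenEntryPoint() {
            return new HttpStatusEntryPoint(HttpStatus.FORBIDDEN);
        }
    }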
    
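     /**
      * Looks up the user that owns {@code token}.
      *
      * <p>A null or empty token is rejected up front, so the DAO is never asked to match an
      * absent credential. The returned {@link User} carries the single authority {@code USER}
      * and all four account-status flags set to {@code true}.
      *
      * <p>NOTE(review): the principal is built with {@code userToken.getUserPassword()}; whether
      * that value is a hash or a plaintext secret is not visible here — confirm, since the
      * principal is kept in the SecurityContext for the duration of the request.
      *
      * @param token bearer token presented by the client; may be null
      * @return the matching user, or empty when the token is null, empty, or unknown
      */
     @Override
     public Optional<User> findByToken(String token) {
         if (token == null || token.isEmpty()) {
             return Optional.empty();
         }
         UserToken userToken = userTokenDAO.findByToken(token);
         if (userToken == null) {
             return Optional.empty();
         }
         User user = new User(userToken.getUserId(), userToken.getUserPassword(),
                 true, true, true, true,
                 AuthorityUtils.createAuthorityList("USER"));
         return Optional.of(user);
     }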
    
    # Request sent with no Authorization header. Per the question it still returned 200 OK,
    # which shows the security filter chain was not in front of CXFServlet at that point.
    curl -X POST "http://localhost:8080/my-app/services/Application/ControllerImpl/myservice1" -H "accept: application/json" -H "Content-Type: application/json" -d "string"
    
    <!-- Registers the Spring Security filter chain. Without this declaration the
         SecurityConfiguration bean is never consulted and CXFServlet answers every
         /services/* request directly, which is why the unauthenticated request got 200. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    
    <!-- Map the proxy to /* so /services/* is filtered before CXFServlet is reached. -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>