Spring MVC REST+;Spring Security+;基本身份验证
环境:Spring MVC REST+;Spring Security+;基本身份验证,spring,rest,spring-mvc,spring-security,Spring,Rest,Spring Mvc,Spring Security,环境: <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans" xsi:sc
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
<http use-expressions="true" create-session="stateless">
<http-basic/>
<csrf disabled="true"/>
</http>
<global-method-security secured-annotations="enabled"/>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="XYZ" password="12345" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
春季4.1
SpringSecurity 4.0
问题:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
<http use-expressions="true" create-session="stateless">
<http-basic/>
<csrf disabled="true"/>
</http>
<global-method-security secured-annotations="enabled"/>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="XYZ" password="12345" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
我正在使用Spring4.1开发一个简单的REST服务。以及使用Spring安全性进行身份验证。
我正在使用HTTP基本身份验证
问题是,即使在所有配置都正确之后,基本身份验证也无法工作。
我正在使用邮递员向服务器发送请求。
REST客户端可以在没有授权头的情况下调用REST控制器方法。
该方法在没有任何身份验证错误的情况下成功执行
因为我使用的是Tomcat6,所以我没有使用Servlet3.0特性,所以web.xml确实存在。
在REST控制器层上使用@Secured
注释实现了方法级安全性
谁能帮我弄清楚我哪里出了问题吗
代码:
web.xml:
<web-app>
<display-name>Archetype Created Web Application</display-name>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/mvc-dispatcher-servlet-security.xml</param-value>
</context-param>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/mvc-dispatcher-servlet.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
</web-app>
Web应用程序创建的原型
org.springframework.web.context.ContextLoaderListener
org.springframework.web.context.request.RequestContextListener
上下文配置位置
/WEB-INF/mvc-dispatcher-servlet-security.xml
mvc调度器
org.springframework.web.servlet.DispatcherServlet
上下文配置位置
/WEB-INF/mvc-dispatcher-servlet.xml
1.
mvc调度器
/
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
/*
向前地
要求
mvc-servlet-dispatcher-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
<http use-expressions="true" create-session="stateless">
<http-basic/>
<csrf disabled="true"/>
</http>
<global-method-security secured-annotations="enabled"/>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="XYZ" password="12345" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
mvc-dispatcher-servlet.xml:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- Specifying base package of the Components like Controller, Service, DAO -->
<context:component-scan base-package="org.ngo" />
<!-- Getting Database properties -->
<context:property-placeholder location="classpath:application.properties"/>
<mvc:annotation-driven/>
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="${jdbc.driverClassName}" />
<property name="url" value="${jdbc.url}" />
<property name="username" value="${jdbc.username}" />
<property name="password" value="${jdbc.password}" />
</bean>
<bean id="sessionFactory"
class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
<property name="dataSource">
<ref bean="dataSource" />
</property>
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
<prop key="hibernate.show_sql">true</prop>
</props>
</property>
<property name="packagesToScan" value="org.ngo.abhishek.entity"></property>
</bean>
<!-- Transaction -->
<bean id="transactionManager"
class="org.springframework.orm.hibernate4.HibernateTransactionManager">
<property name="sessionFactory" ref="sessionFactory" />
</bean>
<tx:annotation-driven transaction-manager="transactionManager" />
</beans>
@RestController
@RequestMapping("/abhishek")
public class AbhishekController {
@Autowired
private AbhisheskService abhishekService;
@RequestMapping(method=RequestMethod.POST,consumes="application/json")
@Secured("ROLE_USER")
public ResponseEntity<Boolean> getUserById(@RequestBody List<AbhishekDTO> abhishekDtoList) {
boolean flag = this.abhishekService.createAbhishek(abhishekDtoList);
return new ResponseEntity<Boolean>(flag, HttpStatus.OK);
}
}
org.hibernate.dialogue.mysqldialogue
真的
REST控制器:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- Specifying base package of the Components like Controller, Service, DAO -->
<context:component-scan base-package="org.ngo" />
<!-- Getting Database properties -->
<context:property-placeholder location="classpath:application.properties"/>
<mvc:annotation-driven/>
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="${jdbc.driverClassName}" />
<property name="url" value="${jdbc.url}" />
<property name="username" value="${jdbc.username}" />
<property name="password" value="${jdbc.password}" />
</bean>
<bean id="sessionFactory"
class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
<property name="dataSource">
<ref bean="dataSource" />
</property>
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
<prop key="hibernate.show_sql">true</prop>
</props>
</property>
<property name="packagesToScan" value="org.ngo.abhishek.entity"></property>
</bean>
<!-- Transaction -->
<bean id="transactionManager"
class="org.springframework.orm.hibernate4.HibernateTransactionManager">
<property name="sessionFactory" ref="sessionFactory" />
</bean>
<tx:annotation-driven transaction-manager="transactionManager" />
</beans>
@RestController
@RequestMapping("/abhishek")
public class AbhishekController {
@Autowired
private AbhisheskService abhishekService;
@RequestMapping(method=RequestMethod.POST,consumes="application/json")
@Secured("ROLE_USER")
public ResponseEntity<Boolean> getUserById(@RequestBody List<AbhishekDTO> abhishekDtoList) {
boolean flag = this.abhishekService.createAbhishek(abhishekDtoList);
return new ResponseEntity<Boolean>(flag, HttpStatus.OK);
}
}
@RestController
@请求映射(“/abhishek”)
公开级阿披实控制器{
@自动连线
私人abhishekService abhishekService;
@RequestMapping(method=RequestMethod.POST,consumes=“application/json”)
@安全(“角色\用户”)
public ResponseEntity getUserById(@RequestBody List abhishekDtoList){
布尔标志=this.abhishekService.createAbhishek(abhishekDtoList);
返回新的响应状态(标志,HttpStatus.OK);
}
}
我尝试了你的设置,它对我有效。由于您没有提供所有的代码,我的最佳猜测是您的控制器的Spring Security组件扫描没有发生,或者您的浏览器正在缓存并发送基本的身份验证凭据,而您却没有意识到这一点。从Stiletto获得线索后,我删除了@Security(“角色\用户”)
并使用基于表达式的安全检查。它成功了(使用截取url)。因此,问题在于@Secured的位置
由于@Secured
位于dispatcher servlet上下文(根据Spring原理,子上下文)中,而Spring安全范围位于applicationContext(父上下文)中,因此Spring安全性被忽略
将
放入mvc dispatcher servlet.xml
解决了这个问题
关于SO的类似问题:谢谢您的回复。我会检查这两件事