Spring MVC REST + Spring Security + Basic Authentication


Environment:

Spring 4.1

Spring Security 4.0

Problem:

I am developing a simple REST service with Spring 4.1, using Spring Security for authentication. I am using HTTP Basic authentication.

The problem is that even after all the configuration is correct, basic authentication does not work. I am using Postman to send requests to the server. The REST client can call the REST controller method without an Authorization header, and the method executes successfully without any authentication error.

Since I am using Tomcat 6, I am not using Servlet 3.0 features, so web.xml does exist. Method-level security is implemented with the @Secured annotation on the REST controller layer.

Can anyone help me figure out where I am going wrong?

Code:

web.xml

<web-app>
    <display-name>Archetype Created Web Application</display-name>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener> 

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/mvc-dispatcher-servlet-security.xml</param-value>
    </context-param>

    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/mvc-dispatcher-servlet.xml</param-value>
        </init-param>       
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>      
    </filter-mapping>

</web-app>

mvc-servlet-dispatcher-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-4.0.xsd
        http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">

    <http use-expressions="true" create-session="stateless">
        <http-basic/>
       <csrf disabled="true"/> 
    </http>

    <global-method-security secured-annotations="enabled"/>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="XYZ" password="12345" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

mvc-dispatcher-servlet.xml:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- Specifying base package of the Components like Controller, Service, DAO -->
    <context:component-scan base-package="org.ngo" />
    <!-- Getting Database properties -->
    <context:property-placeholder location="classpath:application.properties"/>

    <mvc:annotation-driven/>

    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="${jdbc.driverClassName}" />
        <property name="url" value="${jdbc.url}" />
        <property name="username" value="${jdbc.username}" />
        <property name="password" value="${jdbc.password}" />
    </bean>

    <bean id="sessionFactory"
        class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
        <property name="dataSource">
            <ref bean="dataSource" />
        </property>
        <property name="hibernateProperties">
            <props>
                <prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
                <prop key="hibernate.show_sql">true</prop>              
            </props>
        </property>
        <property name="packagesToScan" value="org.ngo.abhishek.entity"></property>
    </bean>

    <!-- Transaction -->
    <bean id="transactionManager"
        class="org.springframework.orm.hibernate4.HibernateTransactionManager">
        <property name="sessionFactory" ref="sessionFactory" />
    </bean>

    <tx:annotation-driven transaction-manager="transactionManager" />
</beans>
REST controller:

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/abhishek")
public class AbhishekController {

    @Autowired
    private AbhishekService abhishekService;

    // Method-level check: only takes effect if <global-method-security>
    // is active in the context this controller bean is created in.
    @RequestMapping(method=RequestMethod.POST,consumes="application/json")
    @Secured("ROLE_USER")
    public ResponseEntity<Boolean> getUserById(@RequestBody List<AbhishekDTO> abhishekDtoList) {

        boolean flag = this.abhishekService.createAbhishek(abhishekDtoList);
        return new ResponseEntity<Boolean>(flag, HttpStatus.OK);
    }

}

I tried your setup and it works for me. Since you have not provided all of the code, my best guess is that the Spring Security component scan of your controller is not happening, or that your browser is caching and sending basic authentication credentials without you realizing it.

After getting a hint from Stiletto, I removed @Secured("ROLE_USER") and used an expression-based security check instead. It worked (using intercept-url). So the problem is the placement of @Secured.

Since @Secured sits in the dispatcher servlet context (the child context, per Spring's rules), while the Spring Security scope is in the applicationContext (the parent context), Spring Security was being ignored.

Putting <global-method-security secured-annotations="enabled"/> into mvc-dispatcher-servlet.xml solved the problem.


Similar question on SO:

Thank you for your reply. I will check both of these things.