Spring Security: using the <http> element?


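When we use the <http> element in the XML file, a default set of filters is registered. The ordering of the filters is mentioned (whichever ones we choose to apply), and above that the following is mentioned: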

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
  <constructor-arg>
    <list>
      <sec:filter-chain pattern="/restful/**" filters="
           securityContextPersistenceFilterWithASCFalse,
           basicAuthenticationFilter,
           exceptionTranslationFilter,
           filterSecurityInterceptor" />
      <sec:filter-chain pattern="/**" filters="
           securityContextPersistenceFilterWithASCTrue,
           formLoginFilter,
           exceptionTranslationFilter,
           filterSecurityInterceptor" />
    </list>
  </constructor-arg>
</bean>
This is my springSecurity.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd
        http://www.springframework.org/schema/aop
        http://www.springframework.org/schema/aop/spring-aop.xsd">

    <aop:aspectj-autoproxy proxy-target-class="true" />
    <beans:bean class="com.gwt.ss.GwtExceptionTranslator" />

    <global-method-security secured-annotations="enabled" access-decision-manager-ref="methodSecurityAccessDecisionManager"/>
    <http use-expressions="true" auto-config="false" disable-url-rewriting="true" access-decision-manager-ref="urlSecurityAccessDecisionManager"> 
        <intercept-url pattern="/favicon.ico" filters="none" />
        <intercept-url pattern="/login.jsp" filters="none" />

        <!-- Allow access only to admins and superadmins for the following 2 url patterns -->
        <intercept-url pattern="/do/admin/*" access="hasAdminStatus(3,4)" />
        <intercept-url pattern="/admin/*" access="hasAdminStatus(3,4)" />

        <intercept-url pattern="/**/*.html" access="isAuthenticated()" /> <!-- access="isAuthenticated()"-->
        <intercept-url pattern="/do/**" access="isAuthenticated()" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="switchUserProcessingFilter"/>

        <form-login login-page="/login" login-processing-url="/do/login" authentication-failure-url="/login?authfailed=true" authentication-success-handler-ref="myAuthenticationSuccessHandler"/>

        <!-- Using success-handler-ref instead of logout-success-url for asynchronous logout. -->
        <logout invalidate-session="true" success-handler-ref="logoutSuccessHandler" logout-url="/do/logout" />
    </http>

    <beans:bean id="urlSecurityAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                    <beans:property name="expressionHandler" ref="myWebSecurityExpressionHandler"/>
                </beans:bean>
            </beans:list>
        </beans:property>
    </beans:bean>
    <beans:bean id="myWebSecurityExpressionHandler" class="org.daud.common.server.security.MyWebSecurityExpressionHandler"/>
    <beans:bean id="myWebSecurityExpressionRoot" class="org.daud.common.server.security.MyWebSecurityExpressionRoot" scope="prototype"/>
    <!-- For asynchronous login -->

    <beans:bean id="methodSecurityAccessDecisionManager"
        class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter" p:rolePrefix="" />
                <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
                <beans:bean class="org.daud.common.server.security.AllowPrivilegedRolesVoter">
                    <beans:property name="privilegedRoleTypes">
                        <beans:set>
                            <beans:value>ROOT</beans:value>
                        </beans:set>
                    </beans:property>
                </beans:bean>
            </beans:list>
        </beans:property>
    </beans:bean>

    <beans:bean class="com.gwt.ss.GwtUsernamePasswordAuthority">
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>
    <beans:bean id="myAuthenticationSuccessHandler" class="org.daud.common.server.security.myAuthenticationSuccessHandler">
        <!-- If redirection after logging in is to URLs containing these strings, the redirection will instead be to '/' -->
        <beans:property name="partialURLsRequiringRedirection">
            <beans:list>
                <beans:value>/do/</beans:value>
                <beans:value>/exitUser</beans:value>
            </beans:list>
        </beans:property>
    </beans:bean>
    <beans:bean id="userSwitchSuccessHandler" class="org.daud.common.server.security.myUserSwitchSuccessHandler"/>
    <beans:bean id="userServices" class="org.daud.common.server.security.myUserServices"/>

    <beans:bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
        <beans:property name="userDetailsService" ref="userServices" />
        <beans:property name="switchUserUrl" value="/admin/switchUser" />
        <beans:property name="exitUserUrl" value="/admin/exitUser" />
        <beans:property name="successHandler" ref="userSwitchSuccessHandler"></beans:property>
    </beans:bean>

    <!-- For asynchronous logout -->

    <beans:bean id="logoutSuccessHandler" class="com.gwt.ss.GwtLogoutSuccessHandler" p:logoutSuccessUrl="/login" />

    <beans:bean id="myAuthenticationProvider" class="org.daud.common.server.security.myAuthenticationProvider" />
    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="myAuthenticationProvider" />
    </authentication-manager>

</beans:beans>


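An (almost) complete list of Spring Security's filter types, although to get every filter type you can show all the subclasses in Spring Security and read, because, for example, you can choose one of several implementations (and add your own implementation by extending an existing filter or GenericFilterBean).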

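The example here uses a bean configuration of FilterChainProxy via <sec:filter-chain> elements, and it is not a default chain: you have to define your own chain explicitly in order for filters to be applied to a request.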


On the other hand, what you are asking about is the <http> element, which has the following:

 <http>
    <form-login />
    <http-basic />
    <logout />
  </http>

If you turn on debug logging for org.springframework.security.web.FilterChainProxy, you will see, for every request, every filter it passes through.

For example (I am also using Spring Security OAuth)

If you want to get the filters programmatically, you can inject the FilterChainProxy and get the value of filterChainMap.

For example:

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
  <constructor-arg>
    <list>
      <sec:filter-chain pattern="/anonym/**" filters="
           anonymousAuthenticationFilter" />
      <sec:filter-chain pattern="/**" filters="none" />
    </list>
  </constructor-arg>
</bean>

<bean id="anonymousAuthenticationFilter"
    class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
  <property name="key" value="foobar"/>
  <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>

<bean id="authenticationManager"
     class="org.springframework.security.authentication.ProviderManager">
  <property name="providers">
    <list>
      <ref local="anonymousAuthenticationProvider"/>
    </list>
  </property>
</bean>

<bean id="anonymousAuthenticationProvider"
    class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
  <property name="key" value="foobar"/>
</bean>

// Inject the FilterChainProxy bean
@Autowired var filterChainProxy: FilterChainProxy = _
//...
// One filter list per configured URL pattern
val filterChains = filterChainProxy.getFilterChainMap.values

If you just want to see the filters that <http> adds, then you should look at the source code of HttpSecurityBeanDefinitionParser. Another thing you can do in Spring Security 3.1 is add

<sec:debug />

@EnableWebSecurity(debug=true)


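to your application context. This adds an extra filter which will (among other things) report the list of security filters that will be applied to each request.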

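Thanks. But I have not configured an anonymous authentication filter or a RequestCacheAwareFilter. The auto-config element is also "false". I don't have a bean with the id FilterChainProxy. Somehow all of these are configured automatically. I do have and in my XML file, but I doubt they are setting up the filter chain for me.

Thanks. I was looking for that. HttpSecurityBeanDefinitionParser will give us the default chain, and we can override this default chain by defining a filterChainProxy in the XML file. Is that right?

Yes, but they are mutually exclusive. You can define your own FilterChainProxy bean, or you can use <http>, but you cannot use both. Alternatively, you can replace filters, or add or remove filters in the filter chain that <http> sets up.

I was just about to write about enabling debug :)

How do I turn on debug logging for org.springframework.security.web.FilterChainProxy?

How to configure Spring logging:

With the annotation, I can even see the HTTP stack of the request!!! Amazing!!! I add it for non-production profiles with the help of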
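
Added example (not part of the original thread or of Spring Security itself), expanding on the programmatic approach from the answers: it lists the filters in each configured chain and reports which URLs from a supplied list pass through no security filter at all. It assumes Spring Security 3.1 or later on the javax.servlet API; FilterChainAuditor and its method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;

/** Hypothetical helper: reports which security filters each chain applies. */
public class FilterChainAuditor {

    private final FilterChainProxy filterChainProxy;

    @Autowired
    public FilterChainAuditor(FilterChainProxy filterChainProxy) {
        this.filterChainProxy = filterChainProxy;
    }

    /** One line per chain, in matching order, with the filter class names. */
    public List<String> describeChains() {
        List<String> report = new ArrayList<String>();
        List<SecurityFilterChain> chains = filterChainProxy.getFilterChains();
        for (int i = 0; i < chains.size(); i++) {
            StringBuilder line = new StringBuilder("chain " + i + ":");
            for (Filter f : chains.get(i).getFilters()) {
                line.append(' ').append(f.getClass().getSimpleName());
            }
            report.add(line.toString());
        }
        return report;
    }

    /** Returns the URLs from the given list that no security filter handles. */
    public List<String> unfilteredUrls(List<String> urls) {
        List<String> unfiltered = new ArrayList<String>();
        for (String url : urls) {
            List<Filter> filters = filterChainProxy.getFilters(url);
            // null: no chain matched the URL;
            // empty: a chain matched but was declared without filters
            if (filters == null || filters.isEmpty()) {
                unfiltered.add(url);
            }
        }
        return unfiltered;
    }
}
```

Running unfilteredUrls over the application's known endpoints at startup or in an integration test shows whether only the intended paths bypass the filter chain.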