Spring Security mapping

yur*_*tos 1 java spring spring-mvc spring-security java-ee

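I want to restrict access to my file upload feature. I wrote an intercept-url in the security file, but Spring Security does not map this URL. I am using version 3.0.3 of Spring Security. These are my XML files: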

security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans" 
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:security="http://www.springframework.org/schema/security"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                http://www.springframework.org/schema/security
                http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <security:global-method-security secured-annotations="enabled" />

    <http auto-config="true" use-expressions="true" access-denied-page="/forbidden.jsp">
        <intercept-url pattern="/files/**"/>
        <intercept-url pattern="/resources/**" filters="none"/>
        <form-login login-page="/login.htm" 
                    authentication-failure-url = "/login.htm?login_error=1" 
                    default-target-url="/forbidden.htm"/>
        <logout logout-success-url="/login.htm" />
        <anonymous username="guest" granted-authority="ROLE_ANONYMOUS" />
        <remember-me />
    </http>


    <beans:bean id="accountService" name="accountService" class="com.demo.service.impl.AccountServiceImpl" />

    <beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="accountService"/>
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="accountService" />
    </authentication-manager>
</beans:beans>

dispatcher-servlet.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
       http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd 
       http://www.springframework.org/schema/mvc 
       http://www.springframework.org/schema/mvc/spring-mvc.xsd
       http://www.springframework.org/schema/context 
       http://www.springframework.org/schema/context/spring-context.xsd">

    <bean class="org.springframework.web.servlet.mvc.support.ControllerClassNameHandlerMapping"/>

    <mvc:annotation-driven />
    <context:component-scan base-package="com.demo"/>
    <mvc:resources mapping="/resources/**" location="/resources/" />


    <bean id="viewResolver"
          class="org.springframework.web.servlet.view.InternalResourceViewResolver"
          p:prefix="/WEB-INF/jsp/"
          p:suffix=".jsp" />

    <bean id="multipartResolver"
       class="org.springframework.web.multipart.commons.CommonsMultipartResolver"/>


</beans>

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:/application-dao.xml
            /WEB-INF/applicationContext.xml
            /WEB-INF/security.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
<!--     Spring Security -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>

Max*_*kov 6

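Why do you think Spring is not mapping your URL?

At first glance the mapping looks fine, but the intercept-url is incomplete. To give someone access to a URL, you should specify that rule in the access attribute. So the correct interceptor will look like this: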

<intercept-url pattern="/files/**" access="isAuthenticated()" />

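In this particular case, only authenticated users will be able to access your URL.

For more information about Spring Security's security features, see the official tutorial.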

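  • Good answer. It should be noted that, given the configuration from the question, adding the access attribute is more like restricting access, since there is currently no restriction. The standard approach should also be to restrict access to areas by default and then grant access only where necessary. (2 upvotes)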
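
The answer's fix combined with the restrict-by-default approach from the comment, as an added example that is not part of the original question or answer. It replaces only the `<http>` element of the question's security.xml; the `/login.htm*` pattern and the `/**` catch-all rule are assumptions about how the rest of the application should be protected.

```xml
<!-- Added example: drop-in replacement for the <http> element in security.xml. -->
<http auto-config="true" use-expressions="true" access-denied-page="/forbidden.jsp">
    <!-- Rules are evaluated top to bottom and the first matching pattern wins,
         so specific patterns go first and the catch-all goes last. -->

    <!-- Static resources bypass the filter chain, as in the question. -->
    <intercept-url pattern="/resources/**" filters="none"/>

    <!-- Assumed pattern: the login page has to stay reachable for anonymous
         users, otherwise the catch-all below redirects /login.htm to itself. -->
    <intercept-url pattern="/login.htm*" access="permitAll"/>

    <!-- Upload area: the rule from the answer. isAuthenticated() also accepts
         users restored by <remember-me/>; isFullyAuthenticated() would demand
         a login in the current session before an upload is allowed. -->
    <intercept-url pattern="/files/**" access="isAuthenticated()"/>

    <!-- Assumed catch-all: anything not listed above requires a login, so a
         newly added controller is protected until a rule opens it up. -->
    <intercept-url pattern="/**" access="isAuthenticated()"/>

    <form-login login-page="/login.htm"
                authentication-failure-url="/login.htm?login_error=1"
                default-target-url="/forbidden.htm"/>
    <logout logout-success-url="/login.htm"/>
    <anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
    <remember-me/>
</http>
```

Because `use-expressions="true"` is set, every `access` value must be an expression such as `permitAll`, `isAuthenticated()` or `hasRole('ROLE_USER')`, not a bare role name.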