Dar*_*ner 1 java spring-security spring-webflow
I am using Spring Framework 4.1.5, Spring Security 4.0.0.RC2, Spring Webflow 2.4.0.RELEASE and Tomcat 8.0.15.
I followed the example in the Web Flow documentation, but I can't get the file in my form bean.
The form
<form:form action="${flowExecutionUrl}" method="post" commandName="fileForm" enctype="multipart/form-data">
    <form:input type="file" value="" path="multipartFileUpload"/>
    <button type="submit" name="_eventId_forward"><spring:message code="signup.forward"/></button>
    <sec:csrfInput/>
</form:form>
The form bean
public class FileForm implements Serializable {
    private static final long serialVersionUID = 1L;
    private transient MultipartFile multipartFileUpload;

    public MultipartFile getMultipartFileUpload() {
        return multipartFileUpload;
    }

    public void setMultipartFileUpload(final MultipartFile multipartFileUpload) {
        this.multipartFileUpload = multipartFileUpload;
    }
}
The flow
<view-state id="companyLogo" view="signup/company-logo" model="fileForm">
    <var name="fileForm" class="it.openex.pmcommonw.form.FileForm"/>
    <transition on="back" to="chooseProfile" bind="false" validate="false"/>
    <transition on="forward" to="companyInfo">
        <evaluate expression="userCommonBean.uploadImage(fileForm)"/>
    </transition>
</view-state>
The support object
@Component
public class UserCommonBean {
    public static void uploadImage(final FileForm fileForm) throws IOException, ServletException {
        fileForm.getMultipartFileUpload(); // always null!!!
    }
}
multipartResolver
@Bean
public CommonsMultipartResolver filterMultipartResolver() {
    final CommonsMultipartResolver multipartResolver = new CommonsMultipartResolver();
    multipartResolver.setMaxUploadSize(10 * 1024 * 1024);
    multipartResolver.setMaxInMemorySize(1048576);
    multipartResolver.setDefaultEncoding("UTF-8");
    return multipartResolver;
}
Web Flow configuration
@Configuration
public class WebFlowConfig extends AbstractFlowConfiguration {
    @Autowired
    TilesViewResolver viewResolver;

    @Bean
    public FlowDefinitionRegistry flowRegistry() {
        return getFlowDefinitionRegistryBuilder()
            .setFlowBuilderServices(flowBuilderServices())
            .setBasePath("/WEB-INF/flows/")
            .addFlowLocation("signup.xml", UrlMap.SIGNUP_WEBFLOW)
            .addFlowLocation("user-edit.xml", UrlMap.PROFILE_EDIT_WEBFLOW)
            .build();
    }

    @Bean
    public FlowExecutor flowExecutor() {
        return getFlowExecutorBuilder(flowRegistry()).build();
    }

    @Bean
    public FlowHandlerAdapter flowHandlerAdapter() {
        final FlowHandlerAdapter flowHandlerAdapter = new FlowHandlerAdapter();
        flowHandlerAdapter.setFlowExecutor(flowExecutor());
        return flowHandlerAdapter;
    }

    @Bean
    public FlowHandlerMapping flowHandlerMapping() {
        final FlowHandlerMapping flowHandlerMapping = new FlowHandlerMapping();
        flowHandlerMapping.setFlowRegistry(flowRegistry());
        // this has to be less than -1
        flowHandlerMapping.setOrder(-2);
        return flowHandlerMapping;
    }

    @Bean
    public MvcViewFactoryCreator mvcViewFactoryCreator() {
        final MvcViewFactoryCreator mvcViewFactoryCreator = new MvcViewFactoryCreator();
        final List<ViewResolver> viewResolvers = Collections.singletonList(viewResolver);
        mvcViewFactoryCreator.setViewResolvers(viewResolvers);
        return mvcViewFactoryCreator;
    }

    @Bean
    public FlowBuilderServices flowBuilderServices() {
        return getFlowBuilderServicesBuilder().setViewFactoryCreator(mvcViewFactoryCreator())
            .setValidator(localValidatorFactoryBean()).build();
    }

    @Bean
    public LocalValidatorFactoryBean localValidatorFactoryBean() {
        return new LocalValidatorFactoryBean();
    }
}
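Inside Tomcat's context.xml I have already added allowCasualMultipartParsing="true"
Debugging the application I can see the file data in the request, and if I try to post the form to a normal controller I can get it.
I also tried removing Spring Security, but it still didn't work in Spring WebFlow.
In the requestParameters object there are only 3 objects:
There are some relevant lines in the log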
DEBUG 2015-03-13 18:03:15,053: org.springframework.web.multipart.support.MultipartFilter - Using MultipartResolver 'filterMultipartResolver' for MultipartFilter
DEBUG 2015-03-13 18:03:15,053: org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'filterMultipartResolver'
DEBUG 2015-03-13 18:03:15,053: org.springframework.web.multipart.support.MultipartFilter - Resolving multipart request [/registrazione] with MultipartFilter
DEBUG 2015-03-13 18:03:15,060: org.springframework.web.multipart.commons.CommonsMultipartResolver - Found multipart file [multipartFileUpload] of size 469217 bytes with original filename [PoliziaMunicipale.png], stored in memory
....
DEBUG 2015-03-13 18:03:15,072: org.springframework.binding.mapping.impl.DefaultMapper - Beginning mapping between source [org.springframework.webflow.core.collection.LocalParameterMap] and target [it.openex.pmcommonw.form.FileForm]
DEBUG 2015-03-13 18:03:15,072: org.springframework.binding.mapping.impl.DefaultMapping - Adding mapping result [TargetAccessError@34bc31ea mapping = parameter:'execution' -> execution, code = 'propertyNotFound', error = true, errorCause = org.springframework.binding.expression.PropertyNotFoundException: Property not found, originalValue = 'e1s2', mappedValue = [null]]
DEBUG 2015-03-13 18:03:15,072: org.springframework.binding.mapping.impl.DefaultMapper - Completing mapping between source [org.springframework.webflow.core.collection.LocalParameterMap] and target [it.openex.pmcommonw.form.FileForm]; total mappings = 1; total errors = 1
The multipartFileUpload property isn't bound in the FileForm bean.
I'm not sure if it's useful, but in org.springframework.webflow.context.servlet.HttpServletRequestParameterMap at line 52
if (request instanceof MultipartHttpServletRequest) {
    // ... process multipart data
}
it doesn't pass the check because the request is an instance of org.springframework.security.web.context.HttpSessionSecurityContextRepository$Servlet3SaveToSessionRequestWrapper
I can confirm that multipartRequest.getFile("file") works as well.
I can't enable the org.springframework.web.multipart.support.MultipartFilter filter, though.
If it's enabled, the multipartRequest is an instance of StandardMultipartHttpServletRequest containing a Servlet3SecurityContextHolderAwareRequestWrapper, which wraps a Servlet3SaveToSessionRequestWrapper, which finally contains an unreachable DefaultMultipartHttpServletRequest with the multipartFile I need but can't get.
Disabling it, I'm able to get it because multipartRequest becomes an instance of DefaultMultipartHttpServletRequest, but there's no file validation and the maxUploadSize limit of CommonsMultipartResolver is not respected.
Plus, if Tomcat throws an exception because the file is too big for Tomcat's maxPostSize limit, the exception is caught by my CustomAccessDeniedHandler because its type is org.springframework.security.access.AccessDeniedException, and the error message is Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'..
Looking at the request object I can see the original Tomcat exception org.apache.tomcat.util.http.fileupload.FileUploadBase$SizeLimitExceededException. It seems like there's nothing to handle it properly, but, as I said, if I enable the MultipartFilter I can't get the file.
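We ran into the same problem, since we use Spring Security 4.xx in our web application. The problem is that an org.springframework.security.web.context.HttpSessionSecurityContextRepository$Servlet3SaveToSessionRequestWrapper is not an instance of org.springframework.web.multipart.MultipartHttpServletRequest, but it contains one. A cast will not work and a ClassCastException will occur.
That's the reason why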
if (request instanceof MultipartHttpServletRequest) {
    // ... process multipart data
}
can never be true.
The idea is to create an org.springframework.web.multipart.support.StandardMultipartHttpServletRequest from the native HttpServletRequest, and it works.
In our web app we use POJO actions, as described in section 6.5.1, "Invoking a POJO action", of the Spring Webflow documentation.
Our workaround:
PojoAction.java
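public String uploadFile(RequestContext requestContext) {
    final ServletExternalContext context = (ServletExternalContext) requestContext.getExternalContext();
    // Build a multipart view of the native request, since the Spring Security wrapper is not a MultipartHttpServletRequest
    final MultipartHttpServletRequest multipartRequest = new StandardMultipartHttpServletRequest((HttpServletRequest) context.getNativeRequest());
    // getFile returns a MultipartFile, not a java.io.File
    final MultipartFile file = multipartRequest.getFile("file");
    fileUploadHandler.processFile(file); // do something with the submitted file
    return "success"; // event id handed back to the flow
}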
In flow.xml we have an action-state like this:
<action-state id="upload-action">
    <evaluate expression="pojoAction.uploadFile(flowRequestContext)"/>
    <transition to="show"/>
</action-state>
In this case binding to the model is not needed. I hope it helps!
Regarding Update 1
In web.xml, the CSRF protection filter must be declared before the SpringSecurityFilterChain.
In our application, web.xml looks like this
<filter>
    <filter-name>csrfFilter</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>csrfFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
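An alternative to re-parsing the request, as an added example that is not part of the original question or answer: when MultipartFilter runs ahead of springSecurityFilterChain, Spring's WebUtils.getNativeRequest can walk the Spring Security wrapper chain described in the question down to the already-resolved MultipartHttpServletRequest, so the resolver's maxUploadSize still applies. The class name, event ids and size constant are assumptions; the field name is the one used in the question's form.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.util.WebUtils;
import org.springframework.webflow.execution.RequestContext;

// Hypothetical POJO action, invoked from the flow as
// <evaluate expression="unwrappingUploadAction.upload(flowRequestContext)"/>
public class UnwrappingUploadAction {

    // Assumption: mirrors the 10 MB maxUploadSize configured in the question.
    private static final long MAX_BYTES = 10L * 1024 * 1024;

    public String upload(final RequestContext requestContext) {
        final HttpServletRequest nativeRequest =
                (HttpServletRequest) requestContext.getExternalContext().getNativeRequest();

        // Returns the request itself if it already is a MultipartHttpServletRequest;
        // otherwise follows ServletRequestWrapper.getRequest() through wrappers such as
        // Servlet3SaveToSessionRequestWrapper until one is found, or returns null.
        final MultipartHttpServletRequest multipart =
                WebUtils.getNativeRequest(nativeRequest, MultipartHttpServletRequest.class);
        if (multipart == null) {
            return "notMultipart"; // hypothetical event id
        }

        final MultipartFile file = multipart.getFile("multipartFileUpload");
        if (file == null || file.isEmpty()) {
            return "missingFile"; // hypothetical event id
        }

        // Second check in the action itself, in case the resolver limit is
        // changed or bypassed by a different filter setup.
        if (file.getSize() > MAX_BYTES) {
            return "tooLarge"; // hypothetical event id
        }

        // Hand the MultipartFile to the application's own storage code here.
        return "success";
    }
}
```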