我正在使用带有Java配置的Spring-Security 3.2.0.RC2.我设置了一个简单的HttpSecurity配置,要求/ v1/**上的基本身份验证.GET请求工作但POST请求失败:
HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
Run Code Online (Sandbox Code Playgroud)
我的安全配置如下所示:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Resource
private MyUserDetailsService userDetailsService;
@Autowired
//public void configureGlobal(AuthenticationManagerBuilder auth)
public void configure(AuthenticationManagerBuilder auth)
throws Exception {
StandardPasswordEncoder encoder = new StandardPasswordEncoder();
auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
}
@Configuration
@Order(1)
public static class RestSecurityConfig
extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/v1/**").authorizeRequests()
.antMatchers("/v1/**").authenticated()
.and().httpBasic();
}
}
}
Run Code Online (Sandbox Code Playgroud)
对此的任何帮助都非常感谢.
post csrf spring-security basic-authentication spring-java-config
为了使基本安全功能正常工作,我将以下启动包添加到我的pom.xml中
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Run Code Online (Sandbox Code Playgroud)
并在application.properties中添加了以下两个属性:
security.user.name = guest
security.user.password = tiger
现在当我点击我的主页时,我得到了登录框并且登录按预期工作.
现在我想实现'注销'功能.基本上,当用户点击链接时,她会被注销.我注意到登录不会在我的浏览器中添加任何cookie.我假设Spring Security为用户创建了一个HttpSession对象.真的吗?我是否需要"使此会话无效"并将用户重定向到其他页面?在基于Sprint Boot的应用程序中实现"注销"功能的最佳方法是什么?
我想使用Spring Security Facelets标记库来保护我的JSF 2页面中的UI组件
我有春天安全版3.0.5的以下依赖项:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${spring-security.version}</version>
</dependency>
Run Code Online (Sandbox Code Playgroud)
我配置了applicationSecurity.xml以进行spring安全性登录,它可以与UserDetailsService一起使用,并且在尝试添加安全性定义时:
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:ice="http://www.icesoft.com/icefaces/component"
xmlns:pretty="http://ocpsoft.com/prettyfaces"
xmlns:sec="http://www.springframework.org/security/tags">
Run Code Online (Sandbox Code Playgroud)
当运行应用程序时,我得到以下错误:
Warning: This page calls for XML namespace http://www.springframework.org/security/tags declared with prefix sec but no taglibrary exists for that namespace.
Run Code Online (Sandbox Code Playgroud)
参考:http://static.springsource.org/spring-security/site/petclinic-tutorial.html
请指教.
我有一个使用spring安全性的Web应用程序.它使用<intercept-url ../>元素来描述不同URL的访问过滤器.默认情况下,这不会考虑url的请求参数.我需要根据请求参数设置url的自定义安全规则.所以我做了以下事情:
1)我创建了一个bean后处理器类,它将为spring安全机制启用请求参数选项:
<beans:beans>
. . .
<beans:bean class="MySecurityBeanPostProcessor">
<beans:property name="stripQueryStringFromUrls" value="false" />
</beans:bean>
. . .
</beans:beans>
Run Code Online (Sandbox Code Playgroud)
和代码:
public class MySecurityBeanPostProcessor implements BeanPostProcessor {
private Boolean stripQueryStringFromUrls = null;
@Override
public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
if (bean instanceof DefaultFilterInvocationSecurityMetadataSource && stripQueryStringFromUrls != null) {
((DefaultFilterInvocationSecurityMetadataSource) bean)
.setStripQueryStringFromUrls(stripQueryStringFromUrls.booleanValue());
}
return bean;
}
// code stripped for clarity
}
Run Code Online (Sandbox Code Playgroud)
这应该设置spring安全元数据源以考虑请求参数.我调试了上面的代码,stripQueryStringFromUrls正在设置属性.
2)在我的安全上下文xml中,我有以下定义:
<intercept-url pattern="/myUrl?param=value" access="!isAuthenticated() or hasRole('ROLE_GUEST')" />
<intercept-url pattern="/myUrl" filters="none" />
...
<intercept-url …Run Code Online (Sandbox Code Playgroud) 环境 :
雄猫8
Spring Boot 1.5
JSF 2.2
Apache MyFaces
Spring MVC
代码:
我在Servlet 3.0环境中集成了Spring Boot和JSF 2.2.
配置类:
JSFConfig.java - JSF的配置.
@Configuration
@ComponentScan({"com.atul.jsf"})
public class JSFConfig {
@Bean
public ServletRegistrationBean servletRegistrationBean() {
FacesServlet servlet = new FacesServlet();
return new ServletRegistrationBean(servlet, "*.jsf");
}
}
Run Code Online (Sandbox Code Playgroud)
Spring Boot主类:
@SpringBootApplication
@Import({ // @formatter:off
JPAConfig.class,
ServiceConfig.class, // this contains UserServiceImpl.java class.
WebConfig.class,
JSFConfig.class,
})
public class SpringbootJpaApplication extends SpringBootServletInitializer{
public static void main(String[] args) {
SpringApplication.run(SpringbootJpaApplication.class, args);
}
@Override
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return …Run Code Online (Sandbox Code Playgroud)