Can anyone explain when to override configure(HttpSecurity), configure(WebSecurity) and configure(AuthenticationManagerBuilder)?

In a classic web.xml-type configuration, you can configure context parameters like this:
web.xml
...
<context-param>
    <param-name>p-name</param-name>
    <param-value>-value</param-value>
</context-param>
...
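How do I achieve this in Spring Boot? I have a filter that requires parameters.
I'm using @EnableAutoConfiguration and have included <artifactId>spring-boot-starter-jetty</artifactId> in my pom.

I want ETag support. For that purpose there is a ShallowEtagHeaderFilter that does all the work. How can I add it without declaring it in my web.xml (which in fact doesn't exist, because I have somehow gotten by without it so far)?
P.S. I use Spring Boot 1.1.4
P.P.S. Here is a complete solution: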
package cuenation.api;

import org.springframework.boot.context.embedded.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.ShallowEtagHeaderFilter;

import javax.servlet.DispatcherType;
import java.util.EnumSet;

@Configuration
public class WebConfig {

    @Bean
    public FilterRegistrationBean shallowEtagHeaderFilter() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new ShallowEtagHeaderFilter());
        registration.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
        registration.addUrlPatterns("/cue-categories");
        return registration;
    }
}

I have a simple servlet configuration in web.xml:
<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.atmosphere.cpr.MeteorServlet</servlet-class>
    <init-param>
        <param-name>org.atmosphere.servlet</param-name>
        <param-value>org.springframework.web.servlet.DispatcherServlet</param-value>
    </init-param>
    <init-param>
        <param-name>contextClass</param-name>
        <param-value>
            org.springframework.web.context.support.AnnotationConfigWebApplicationContext
        </param-value>
    </init-param>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>net.org.selector.animals.config.ComponentConfiguration</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
    <async-supported>true</async-supported>
</servlet>
<servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>
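How do I rewrite this for SpringBootServletInitializer?

I have a web application that uses Spring Security. It uses <intercept-url ../> elements to describe the access filters for different URLs. By default, this does not take the URL's request parameters into account. I need to set custom security rules for a URL based on its request parameters. So I did the following:
1) I created a bean post-processor class that enables the request-parameter option for the Spring Security mechanism: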
<beans:beans>
    . . .
    <beans:bean class="MySecurityBeanPostProcessor">
        <beans:property name="stripQueryStringFromUrls" value="false" />
    </beans:bean>
    . . .
</beans:beans>
And the code:
public class MySecurityBeanPostProcessor implements BeanPostProcessor {

    private Boolean stripQueryStringFromUrls = null;

    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
        if (bean instanceof DefaultFilterInvocationSecurityMetadataSource && stripQueryStringFromUrls != null) {
            ((DefaultFilterInvocationSecurityMetadataSource) bean)
                    .setStripQueryStringFromUrls(stripQueryStringFromUrls.booleanValue());
        }
        return bean;
    }

    // code stripped for clarity
}
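This should set up the Spring Security metadata source to take request parameters into account. I debugged the code above, and the stripQueryStringFromUrls property is being set.
2) In my security context XML, I have the following definitions: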
<intercept-url pattern="/myUrl?param=value" access="!isAuthenticated() or hasRole('ROLE_GUEST')" />
<intercept-url pattern="/myUrl" filters="none" />
...
<intercept-url …

I am trying to secure the Spring Boot actuator endpoints. I have security on my /api REST interface, but trying to add security on the built-in endpoints does not seem to work.
I have set up endpoint grouping in my application.properties:
management.context-path=/management
I have this in my Java config:
@Override
protected void configure( HttpSecurity http ) throws Exception
{
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );

    http.authorizeRequests()
        .antMatchers( "/api/**" ).hasRole( "READONLY" )
        .antMatchers( "/management/**" ).hasRole( "ADMIN" );

    SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurer = new XAuthTokenConfigurer( userDetailsServiceBean() );
    http.apply( securityConfigurer );
}
When I use a browser to go to anything below /api, I get a 403 back as expected. When going to /management/info, for example, I see the JSON being returned, where I would also expect a 403.
I also tried adding this to my application.properties file:
management.security.role=ADMIN
But this did not help either.
The DEBUG output shows:
2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource -
Adding web access control expression 'hasRole('ROLE_READONLY')', for Ant [pattern='/api/**']
2014-05-02 10:15:30 DEBUG [localhost-startStop-1] ExpressionBasedFilterInvocationSecurityMetadataSource -
Adding …