0
我有以下配置文件來配置我的web應用程序:春季安全配置信息,以永久身份驗證請求
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />
<!--
Filter chain; this is referred to from the web.xml file. Each filter
is defined and configured as a bean later on.
-->
<!-- Note: anonumousProcessingFilter removed. -->
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<security:filter-chain pattern="/**"
filters="securityContextPersistenceFilter,
basicAuthenticationFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
</security:filter-chain-map>
</bean>
<!--
This filter is responsible for session management, or rather the lack
thereof.
-->
<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<property name="securityContextRepository">
<bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
<property name="allowSessionCreation" value="false" />
</bean>
</property>
</bean>
<!-- Basic authentication filter. -->
<bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>
<!-- Basic authentication entry point. -->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<property name="realmName" value="Ayudo Web Service" />
</bean>
<!--
An anonymous authentication filter, which is chained after the normal authentication mechanisms and automatically adds an
AnonymousAuthenticationToken to the SecurityContextHolder if there is no existing Authentication held there.
-->
<!--
<bean id="anonymousProcessingFilter" class="org.springframework.security.web.authentication.AnonymousProcessingFilter">
<property name="key" value="ayudo" /> <property name="userAttribute" value="anonymousUser, ROLE_ANONYMOUS" /> </bean>
-->
<!--
Authentication manager that chains our main authentication provider
and anonymous authentication provider.
-->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="daoAuthenticationProvider" />
<ref local="inMemoryAuthenticationProvider" />
<!-- <ref local="anonymousAuthenticationProvider" /> -->
</list>
</property>
</bean>
<!--
Main authentication provider; in this case, memory implementation.
-->
<bean id="inMemoryAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="propertiesUserDetails" />
</bean>
<security:user-service id="propertiesUserDetails" properties="classpath:operators.properties" />
<!-- Main authentication provider. -->
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService" />
</bean>
<!--
An anonymous authentication provider which is chained into the ProviderManager so that AnonymousAuthenticationTokens are
accepted.
-->
<!--
<bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
<property name="key" value="ayudo" /> </bean>
-->
<bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource" ref="dataSource" />
</bean>
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
<property name="accessDeniedHandler">
<bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl" />
</property>
</bean>
<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="securityMetadataSource">
<security:filter-security-metadata-source use-expressions="true">
<security:intercept-url pattern="/*.html" access="permitAll" />
<security:intercept-url pattern="/version" access="permitAll" />
<security:intercept-url pattern="https://stackoverflow.com/users/activate" access="permitAll" />
<security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:filter-security-metadata-source>
</property>
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
</list>
</property>
</bean>
只要我在Tomcat上運行我的申請,我得到了用戶名的請求/密碼基本認證對話框。即使當我嘗試訪問:localhost:8080/myapp/version(顯式設置爲permitAll),我也會得到認證請求對話框。幫幫我!
感謝, 薩米
我明白了,謝謝你。那麼在那種情況下,哪個更好:放回匿名認證過濾器,或者修改過濾器鏈式螞蟻模式以排除這些URL? 因此,如果我理解正確,permitAll僅僅是爲了授權目的。我確定將@secure標記放在我的服務層方法上,就是這樣嗎? – Sammy 2010-05-20 14:39:24
在我的回答中增加了更多內容 - 我認爲這就是您要找的內容。 – Gandalf 2010-05-20 17:15:42
其實,我試過......我得到:配置問題:屬性'過濾器'不允許在這裏。 – Sammy 2010-05-21 09:33:33