2011-05-12 33 views

我的Spring Security已設置爲對數據庫進行基本身份驗證,運行沒有問題,但是我想添加自定義的登錄/註銷頁面和管理頁面,以及對密碼使用帶鹽(salt)的MD5加密。無法讓spring-security.xml正確工作

我不斷嘗試讓這些功能中的任何一個工作,並且所有在線示例似乎都在使用和聲明,而不是像我一樣使用bean聲明。這使得它更加困難,因爲示例中的選項似乎不能直接轉化爲bean屬性。

這是我的web.xml - 我使用的Spring Security 3.0:

<?xml version="1.0" encoding="UTF-8"?> 
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"> 
<!-- Servlet 3.0 deployment descriptor: loads the Spring context files, maps the
     DispatcherServlet, and sends every request through the Spring Security filter chain. -->

<!-- Context files read by ContextLoaderListener (declared below);
     builder-security.xml is the one holding the security beans. -->
<context-param> 
    <param-name>contextConfigLocation</param-name> 
    <param-value> 
     /WEB-INF/applicationContext.xml 
     /WEB-INF/builder-servlet.xml 
     /WEB-INF/builder-service.xml 
     /WEB-INF/builder-data.xml 
     /WEB-INF/builder-security.xml 
    </param-value> 
</context-param> 

<servlet> 
    <servlet-name>builder</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
    <load-on-startup>2</load-on-startup> 
</servlet> 
<!-- Only *.htm and *.docx reach the DispatcherServlet.
     NOTE(review): the security configuration on this page redirects to /login.html,
     which neither pattern covers; confirm what actually serves that URL. -->
<servlet-mapping> 
    <servlet-name>builder</servlet-name> 
    <url-pattern>*.htm</url-pattern> 
    <url-pattern>*.docx</url-pattern> 
</servlet-mapping> 

<!-- DelegatingFilterProxy hands each request to the Spring bean whose id equals the
     filter-name (springSecurityFilterChain).
     NOTE(review): targetClass is not a documented DelegatingFilterProxy init-param; it
     looks like a carry-over from Acegi's FilterToBeanProxy. Confirm it has any effect. -->
<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
    <init-param> 
     <param-name>targetClass</param-name> 
     <param-value>org.springframework.security.web.FilterChainProxy</param-value> 
    </init-param> 
</filter> 
<!-- /* routes every request, static resources included, through the security chain.
     No <dispatcher> is listed, so only REQUEST dispatches are filtered; server-side
     forwards and includes bypass the chain. -->
<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<listener> 
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
</listener> 

<!-- Idle sessions expire after 30 minutes. No cookie-config is declared, so the session
     cookie flags (HttpOnly, Secure) are left at the container defaults. -->
<session-config> 
    <session-timeout> 
     30 
    </session-timeout> 
</session-config> 
<welcome-file-list> 
    <welcome-file>redirect.jsp</welcome-file> 
</welcome-file-list> 
</web-app> 

這裏是我的builder-security.xml(內容有些雜亂,請見諒):

<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:s="http://www.springframework.org/schema/security" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
         http://www.springframework.org/schema/security 
         http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 

<!-- Hand-wired Spring Security 3.0 filter chain: every filter, manager and provider is
     declared as a plain bean instead of being generated by the <s:http> element. -->

<!--<s:authentication-manager> 
    <s:authentication-provider ref="authenticationProvider"/> 
</s:authentication-manager>--> 

<!-- Filters run in the order listed in the filters attribute.
     NOTE(review): anonymousAuthenticationFilter is listed AFTER filterSecurityInterceptor.
     An unauthenticated request therefore reaches the interceptor with no Authentication
     in the SecurityContext, is rejected, and exceptionTranslationFilter redirects it to
     the login URL, which is rejected the same way. That is consistent with the endless
     redirect described on this page. The order Spring Security documents is: context
     persistence, authentication processing, anonymous, exception translation, and the
     security interceptor last. -->
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy"> 
    <s:filter-chain-map path-type="ant"> 
     <s:filter-chain pattern="/**" 
      filters="securityContextPersistenceFilter, 
        exceptionTranslationFilter, 
        authenticationProcessingFilter, 
        filterSecurityInterceptor, 
        anonymousAuthenticationFilter"/> 
    </s:filter-chain-map> 
</bean> 

<!-- Loads the SecurityContext at the start of a request and stores it at the end. -->
<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/> 

<!-- Turns authentication and access-denied exceptions raised further down the chain
     into a call to the entry point (here: a redirect to the login form). -->
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter"> 
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/> 
</bean> 

<!-- Despite the bean id, this is the HTTP Basic filter: it reads the Authorization
     header only. No form-login processing filter is present in the chain, so a form
     posted from /login.html has nothing that would consume the credentials. -->
<bean id="authenticationProcessingFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter"> 
    <property name="authenticationManager" ref="authenticationManager"/> 
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/> 
</bean> 

<!-- Providers are tried in list order: database users first, then anonymous tokens. -->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager"> 
    <property name="providers"> 
     <list> 
      <ref bean="authenticationProvider"/> 
      <ref bean="anonymousAuthenticationProvider"/> 
     </list> 
    </property> 
</bean> 

<!-- Checks credentials against the users loaded by authenticationDao.
     NOTE(review): with passwordEncoder and saltSource commented out, the provider falls
     back to its default encoder, which in 3.0 presumably compares the stored value as
     plaintext; verify against the DaoAuthenticationProvider version in use. -->
<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> 
    <!--<property name="passwordEncoder" ref="md5PasswordEncoder"/>--> 
    <!--<property name="saltSource" ref="systemWideSaltSource"/>--> 
    <property name="userDetailsService" ref="authenticationDao"/> 
    <property name="userCache" ref="userCache"/> 
</bean> 

<!-- Declared but not referenced by any active property. MD5 is a fast digest and a poor
     fit for password storage even when salted; prefer an adaptive scheme (bcrypt, PBKDF2)
     where the library version provides one. -->
<bean id="md5PasswordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"> 

</bean> 

<!-- One salt shared by every account: two users with the same password get the same
     hash. XXXX is presumably a redacted value. A per-user salt avoids the collision. -->
<bean id="systemWideSaltSource" class="org.springframework.security.authentication.dao.SystemWideSaltSource"> 
    <property name="systemWideSalt" value="XXXX"/> 
</bean> 

<!-- Caches loaded UserDetails in Ehcache. Password, role or enabled-flag changes in the
     database are not seen until the cached entry expires or is evicted; the expiry
     settings live in ehcache.xml, which is not shown here. -->
<bean id="userCache" class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache"> 
    <property name="cache" ref="ehcache"/> 
</bean> 

<bean id="ehcache" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> 
    <property name="cacheManager" ref="cacheManager"/> 
    <property name="cacheName" value="userCache"/> 
</bean> 

<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"> 
    <property name="configLocation" value="ehcache.xml"/> 
</bean> 

<!-- Stock JDBC user lookup; no custom queries are set, so the JdbcDaoImpl defaults apply.
     dataSource is defined in another context file. -->
<bean id="authenticationDao" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl"> 
    <property name="dataSource" ref="dataSource"/> 
</bean> 

<!--<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint"> 
    <property name="realmName" value="SpecBuilder"/> 
</bean>--> 
<!-- Replaces the Basic challenge above: unauthenticated requests are redirected to
     /login.html rather than answered with a 401. -->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> 
    <property name="loginFormUrl" value="/login.html"/> 
</bean> 

<!-- UnanimousBased: access is granted only if no voter denies. -->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"> 
    <property name="decisionVoters"> 
     <list> 
      <ref bean="voter"/> 
     </list> 
    </property> 
</bean> 

<!-- RoleVoter only evaluates attributes that start with ROLE_. Expressions such as
     isAuthenticated() would need an expression-aware voter, which is not wired here. -->
<bean id="voter" class="org.springframework.security.access.vote.RoleVoter"> 
    <property name="rolePrefix" value="ROLE_"/> 
</bean> 

<!-- Populates the context with an anonymous token (principal anonymousUser, authority
     ROLE_ANONYMOUS) when nothing else authenticated the request. The key is what the
     provider below uses to accept that token, so both values must match; foobar is a
     sample value and should be replaced with a deployment-specific, non-guessable one. -->
<bean id="anonymousAuthenticationFilter" class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter"> 
    <property name="key" value="foobar"/> 
    <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/> 
</bean> 

<bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider"> 
    <property name="key" value="foobar"/> 
</bean> 

<!-- URL authorization rules, evaluated top to bottom with the first match winning.
     /login* is open to ROLE_ANONYMOUS only, so it can match only when the anonymous
     filter has already run for the request (see the filter order above); an already
     logged-in user without ROLE_ANONYMOUS is denied on /login*. -->
<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"> 
    <property name="authenticationManager" ref="authenticationManager"/> 
    <property name="accessDecisionManager" ref="accessDecisionManager"/> 
    <property name="objectDefinitionSource"> 
     <s:filter-invocation-definition-source> 
      <s:intercept-url pattern="/login*" access="ROLE_ANONYMOUS"/> 
      <s:intercept-url pattern="/**" access="ROLE_USER"/> <!-- isAuthenticated() probably better --> 
     </s:filter-invocation-definition-source> 
    </property> 
</bean> 

</beans> 

現在我只是想讓login.html允許所有人匿名訪問,但我得到的只是一個無限的安全循環。

是否有一個原因,我不應該爲此使用bean聲明?因爲並不是很多人似乎這樣做。如果沒有優勢,我寧願不改變整個事情。必須有一些錯誤或更好的地方去獲取bean聲明引用和示例,因爲大多數搜索都會提供另一種實現spring安全性的方式。

回答


經過一段時間的研究和測試,我已經解決了它。 內置的安全名稱空間爲您完成了大量工作。通過bean創建每個過濾器和管理器bean是一種定製事物的好方法,但它使得它變得更加困難並且不是必須的。

我的最終代碼包含一個自定義用戶類,它包含一個salt值和一個自定義dao類來強制使用salt。其他一切都是通過使用安全名稱空間完成的。

builder-security.xml文件

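<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:s="http://www.springframework.org/schema/security" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
         http://www.springframework.org/schema/security 
         http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 

<!-- Namespace-based Spring Security 3.0 setup: <s:http> builds the filter chain in the
     correct order, so no filter beans are declared by hand. -->

<!-- Rules are evaluated top to bottom; the first matching pattern wins.
     The catch-all uses /** because an Ant-style /* matches a single path segment only:
     a nested URL (for example /admin/page.htm, a constructed sample) would match no
     rule and be served without any access check.
     Credentials are posted by the login form, so this application should be served
     over HTTPS only. -->
<s:http auto-config="true" use-expressions="true"> 
    <s:intercept-url pattern="/login*" access="permitAll"/> 
    <s:intercept-url pattern="/**" access="hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')"/> 
    <s:form-login login-page="/login.html"/> 
    <s:logout logout-url="/logout"/> 
</s:http> 

<!-- Users come from userDetailsService; the submitted password is hashed with
     passwordEncoder and the per-user salt from saltSource before comparison. -->
<s:authentication-manager alias="authenticationManager"> 
    <s:authentication-provider user-service-ref="userDetailsService"> 
     <s:password-encoder ref="passwordEncoder"> 
      <s:salt-source ref="saltSource"/> 
     </s:password-encoder>    
    </s:authentication-provider> 
</s:authentication-manager> 

<!-- NOTE(review): with no constructor argument ShaPasswordEncoder uses SHA-1, a single
     fast digest. A per-user salt stops precomputed tables but not offline guessing; an
     adaptive scheme (bcrypt, PBKDF2) is the better choice where the library version
     offers one. Left unchanged here because switching encoders invalidates every
     stored hash and needs a migration plan. -->
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/> 

<!-- Reads the salt from the salt property of the loaded user object, so the custom
     user class must expose it (a getSalt() accessor). -->
<bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource"> 
    <property name="userPropertyToUse" value="salt"/> 
</bean> 

<!-- Project-specific JDBC user service; the query is parameterised (?) and also selects
     the salt column so it can be copied onto the user object. -->
<bean id="userDetailsService" class="builder.webapp.security.CustomJdbcDaoImpl"> 
    <property name="dataSource" ref="dataSource"/> 
    <property name="enableAuthorities" value="true"/> 
    <property name="enableGroups" value="false"/> 
    <property name="usersByUsernameQuery" 
       value="select username,password,enabled,salt from users where username = ?"/> 
</bean> 

</beans>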