2015-09-15 146 views

I am working on a Spring Security OAuth configuration, used in a Struts2 application to secure some other web services. I have been using Spring Security for a long time. How can I secure Struts2 REST services with OAuth using Spring Security?

The problem, if I understand it correctly, is that Spring Security OAuth needs the Spring MVC dispatcher to be mapped at the root. That conflicts with Struts2.

Here are my attempts:

2) Struts2 at the root and Spring MVC on /oauth/*

    <!-- Struts 2 -->
    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/struts/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>

This is fine for OAuth, but Struts2 no longer works.

1) Struts2 and Spring MVC at the root

    <!-- Struts 2 -->
    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/struts/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/oauth/*</url-pattern>
    </servlet-mapping>

Struts2 works and OAuth is recognised correctly, but the response is served at /token instead of /oauth/token, so I get a 404 error.

An extract of the spring-security.xml file is here:

    <http pattern="/oauth/token" create-session="stateless"
        authentication-manager-ref="clientAuthenticationManager"
        xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
        <anonymous enabled="false" />
        <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
        <!-- include this only if you need to authenticate clients via request
             parameters -->
        <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

    <!-- This is where we tell Spring Security which URLs should be protected
         and which roles have access to them -->
    <http pattern="/api/**.api" create-session="never"
        entry-point-ref="oauthAuthenticationEntryPoint"
        access-decision-manager-ref="accessDecisionManager"
        xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false" />
        <intercept-url pattern="/api/**.api" access="ROLE_API" />
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

Ryder, if you have found the answer, please post it for the others. They are asking for it and deleting their answers. Thanks. Of course, you have not logged in for a month, so nobody is holding their breath. – Drew

Answer


The solution is to use two different Spring dispatchers:

<servlet> 
    <servlet-name>mvc-dispatcher</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
    <load-on-startup>1</load-on-startup> 
</servlet> 
<servlet-mapping> 
    <servlet-name>mvc-dispatcher</servlet-name> 
    <url-pattern>/oauth/*</url-pattern> 
</servlet-mapping> 

<servlet> 
    <servlet-name>rest-dispatcher</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
    <load-on-startup>1</load-on-startup> 
</servlet> 
<servlet-mapping> 
    <servlet-name>rest-dispatcher</servlet-name> 
    <url-pattern>/restapi/*</url-pattern> 
</servlet-mapping> 

One for the REST web services, the other for security.

After that, your token endpoint is no longer at /oauth/token but at /oauth/oauth/token.

To work around that, you have to duplicate the Spring Security parameters:

<http pattern="/oauth/token" create-session="stateless" 
    authentication-manager-ref="clientAuthenticationManager" 
    xmlns="http://www.springframework.org/schema/security"> 
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" /> 
    <anonymous enabled="false" /> 
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" /> 
    <!-- include this only if you need to authenticate clients via request 
     parameters --> 
    <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" /> 
    <access-denied-handler ref="oauthAccessDeniedHandler" /> 
</http> 

<http pattern="/oauth/oauth/token" create-session="stateless" 
    authentication-manager-ref="clientAuthenticationManager" 
    xmlns="http://www.springframework.org/schema/security"> 
    <intercept-url pattern="/oauth/oauth/token" access="IS_AUTHENTICATED_FULLY" /> 
    <anonymous enabled="false" /> 
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" /> 
    <!-- include this only if you need to authenticate clients via request 
     parameters --> 
    <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" /> 
    <access-denied-handler ref="oauthAccessDeniedHandler" /> 
</http> 
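The two effects the question and the answer run into (the token endpoint moving to /token or /oauth/oauth/token depending on the DispatcherServlet mapping, and the `<http pattern="...">` chains no longer matching the moved endpoint) can be checked without deploying anything. The following is an added example, not code from the question, the answer or Spring itself: it models how a servlet url-pattern splits a request URI into servletPath and pathInfo (the part Spring MVC matches handlers against by default), and how Spring Security picks the first `<http>` chain whose Ant-style pattern matches the full request path. The chain patterns are the ones on this page; the request URIs are constructed inputs.

```python
# Added example (not from the original question or answer). Assumptions:
# only the "/*" and "/prefix/*" url-pattern kinds used on the page are
# modelled; Ant matching follows Spring's AntPathMatcher rules as far as
# '*', '?' and a whole-segment '**' are concerned.
import re
from typing import List, Optional, Tuple

# <http pattern="..."> values from the page's spring-security.xml, in file order.
CHAINS_BEFORE_FIX: List[str] = ["/oauth/token", "/api/**.api"]
# The same list after the answer's workaround of duplicating the token chain.
CHAINS_AFTER_FIX: List[str] = ["/oauth/token", "/oauth/oauth/token", "/api/**.api"]


def split_servlet_path(url_pattern: str, request_uri: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (servletPath, pathInfo) for a request handled by a servlet mapped
    with url_pattern, or None when that mapping does not apply to the URI.
    For the default mapping "/*" the servlet path is "" and pathInfo is the
    whole URI; for "/oauth/*" the servlet path is "/oauth" and pathInfo the rest."""
    if url_pattern == "/*":
        return "", request_uri
    if url_pattern.endswith("/*"):
        prefix = url_pattern[:-2]
        if request_uri == prefix:
            return prefix, None
        if request_uri.startswith(prefix + "/"):
            return prefix, request_uri[len(prefix):]
        return None
    raise ValueError("only /* and /prefix/* mappings are modelled in this example")


def token_endpoint_reached(url_pattern: str, request_uri: str, endpoint: str = "/oauth/token") -> bool:
    """True when Spring MVC, matching handlers against the path *inside* the
    servlet mapping (its default behaviour), would route request_uri to the
    OAuth token endpoint registered at `endpoint`."""
    parts = split_servlet_path(url_pattern, request_uri)
    return parts is not None and parts[1] == endpoint


def ant_match(pattern: str, path: str) -> bool:
    """Ant-style match: a segment that is exactly '**' spans any number of
    segments; inside a segment '*' matches any run of characters and '?' one
    character. Note that '**.api' is therefore a single-segment glob."""
    def seg_match(seg_pat: str, seg: str) -> bool:
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in seg_pat)
        return re.fullmatch(rx, seg) is not None

    def rec(pi: int, si: int, pats: List[str], segs: List[str]) -> bool:
        while pi < len(pats) and si < len(segs):
            if pats[pi] == "**":
                # let '**' consume zero or more path segments
                return any(rec(pi + 1, k, pats, segs) for k in range(si, len(segs) + 1))
            if not seg_match(pats[pi], segs[si]):
                return False
            pi += 1
            si += 1
        if si < len(segs):
            return False
        return all(p == "**" for p in pats[pi:])

    pats = [s for s in pattern.split("/") if s]
    segs = [s for s in path.split("/") if s]
    return rec(0, 0, pats, segs)


def select_chain(chains: List[str], request_uri: str) -> Optional[str]:
    """Spring Security applies the first <http> chain whose pattern matches the
    request path; a request that matches no chain is not filtered at all."""
    for pattern in chains:
        if ant_match(pattern, request_uri):
            return pattern
    return None


if __name__ == "__main__":
    for mapping, uri in [("/*", "/oauth/token"), ("/oauth/*", "/oauth/token"), ("/oauth/*", "/oauth/oauth/token")]:
        print(mapping, uri, split_servlet_path(mapping, uri), "token endpoint:", token_endpoint_reached(mapping, uri))
    for uri in ["/oauth/token", "/oauth/oauth/token", "/api/foo.api", "/api/v1/foo.api"]:
        print(uri, "before:", select_chain(CHAINS_BEFORE_FIX, uri), "after:", select_chain(CHAINS_AFTER_FIX, uri))
```

Two things fall out of running it. First, with mvc-dispatcher on /oauth/*, a request to /oauth/token reaches Spring MVC with pathInfo /token, which is why the question saw a 404 there and why the endpoint only answers at /oauth/oauth/token; Spring MVC's UrlPathHelper has an alwaysUseFullPath switch for this, but the answer's approach keeps the default. Second, the security chain patterns match the full request path, so without the duplicated `<http pattern="/oauth/oauth/token">` block the moved token endpoint matches no chain and the client-authentication filters never run on it, which is the reason the duplication in the answer is not optional. The run also shows that `/api/**.api` covers `/api/foo.api` but not `/api/v1/foo.api`, since `**` only spans directories when it forms a whole segment.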