2013-11-01 23 views
1

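Spring Security configuration to support multiple subsites based on Hippo CMS

I am trying to use the Spring Security based plugin for Hippo CMS. I have created 3 subsites in Hippo, each with its own login. How should I configure spring-security-context.xml to support multiple subsites? All subsites will use the same authentication provider. So far I have configured one of the subsites.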

<beans:beans xmlns="http://www.springframework.org/schema/security" 
        xmlns:beans="http://www.springframework.org/schema/beans" 
        xmlns:lang="http://www.springframework.org/schema/lang" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xmlns:util="http://www.springframework.org/schema/util" 
        xmlns:aop="http://www.springframework.org/schema/aop" 
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd 
         http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang-3.1.xsd 
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd 
         http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd 
         http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> 

<!-- HTTP Security Configuration --> 
<http auto-config="true"> 
    <intercept-url pattern="/css/**" /> 
    <intercept-url pattern="/images/**" /> 
    <intercept-url pattern="/binaries/**" /> 
    <intercept-url pattern="/vop/**" access="IS_AUTHENTICATED_ANONYMOUSLY, ROLE_everybody" /> 
    <form-login login-page="/vop" 
          default-target-url="/vop/vop-mysurvey-page" 
          always-use-default-target="true" /> 
    <logout logout-url="/logout.jsp" logout-success-url="/vop"/> 
</http> 
<!-- 
    Authentication Manager configuration with Hippo Repository based Authentication Provider configuration ('hippoAuthenticationProvider'). 
    However, you can use any other authentication provider(s) if you don't need to authenticate users against Hippo Repository. 
--> 
<authentication-manager> 
    <authentication-provider ref="hippoAuthenticationProvider"/> 
</authentication-manager> 

<!-- 
    Hippo Repository based Authentication Provider. This Authentication Provider provides authentication against the Hippo Repository Security Store. 
    If you don't need to authenticate users against Hippo Repository, you don't have to include the following bean. 
--> 
<beans:bean id="hippoAuthenticationProvider" 
         class="org.onehippo.forge.security.support.springsecurity.authentication.HippoAuthenticationProvider"> 
</beans:bean> 

</beans:beans>

For example, I would also like to have:

<http auto-config="true"> 
    <intercept-url pattern="/css/**" /> 
    <intercept-url pattern="/images/**" /> 
    <intercept-url pattern="/binaries/**" /> 
    <intercept-url pattern="/erop/**" access="IS_AUTHENTICATED_ANONYMOUSLY, ROLE_everybody" /> 
    <form-login login-page="/erop" 
          default-target-url="/erop/mypage" 
          always-use-default-target="true" /> 
    <logout logout-url="/logout.jsp" logout-success-url="/erop"/> 
</http>

Any ideas?

Answers

0

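Spring Security supports securing multiple subsites. The configuration depends on whether or not your subsites use separate hostnames.

When your subsites run on the same hostname, you can configure it like this: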

<http pattern="/vop/**" ... > 
    ... 
</http> 

<http pattern="/erop/**" ... > 
    ... 
</http> 

However, if your subsites run on different hostnames, the URL patterns may overlap. In that case you need to filter by hostname, for example:

<bean id="vopMatcher" class="org.springframework.security.web.util.ELRequestMatcher"> 
    <constructor-arg value="hasHeader('host','vop.com')"/> 
</bean> 

<bean id="eropMatcher" class="org.springframework.security.web.util.ELRequestMatcher"> 
    <constructor-arg value="hasHeader('host','erop.com')"/> 
</bean> 

<http request-matcher-ref="vopMatcher" ... > 
    ... 
</http> 

<http request-matcher-ref="eropMatcher" ... > 
    ... 
</http> 
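
The same-hostname variant written out in full, as an added example that is not part of the original answer or of the Hippo plugin's own configuration. Each `<http pattern="...">` chain only sees requests under its own prefix, so the Spring Security 3.1 defaults `/j_spring_security_check` and `/j_spring_security_logout` (and the question's `/logout.jsp`) would not reach either chain; the `login-processing-url` and `logout-url` values below are assumed paths chosen to sit under each prefix.

```xml
<!-- Added example: one form-login filter chain per subsite, shared authentication provider.
     Assumed (not from the page): /vop/logout, /erop/logout and the per-prefix
     j_spring_security_check URLs. Access rules are copied from the question. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Static resources get no filter chain at all, so anyone can fetch them. -->
    <http pattern="/css/**" security="none"/>
    <http pattern="/images/**" security="none"/>
    <http pattern="/binaries/**" security="none"/>

    <!-- Chain for the first subsite: login and logout URLs live under /vop. -->
    <http pattern="/vop/**" auto-config="true">
        <intercept-url pattern="/vop/**" access="IS_AUTHENTICATED_ANONYMOUSLY, ROLE_everybody"/>
        <form-login login-page="/vop"
                    login-processing-url="/vop/j_spring_security_check"
                    default-target-url="/vop/vop-mysurvey-page"
                    always-use-default-target="true"/>
        <logout logout-url="/vop/logout" logout-success-url="/vop"/>
    </http>

    <!-- Chain for the second subsite: same structure under /erop. -->
    <http pattern="/erop/**" auto-config="true">
        <intercept-url pattern="/erop/**" access="IS_AUTHENTICATED_ANONYMOUSLY, ROLE_everybody"/>
        <form-login login-page="/erop"
                    login-processing-url="/erop/j_spring_security_check"
                    default-target-url="/erop/mypage"
                    always-use-default-target="true"/>
        <logout logout-url="/erop/logout" logout-success-url="/erop"/>
    </http>

    <!-- A single authentication manager serves every chain. -->
    <authentication-manager>
        <authentication-provider ref="hippoAuthenticationProvider"/>
    </authentication-manager>

    <beans:bean id="hippoAuthenticationProvider"
                class="org.onehippo.forge.security.support.springsecurity.authentication.HippoAuthenticationProvider"/>
</beans:beans>
```

Both chains keep the security context in the same HTTP session, so a login on one subsite is also seen by the other; if the subsites must be isolated, give each `intercept-url` its own role. Each login form has to post to its chain's `login-processing-url`.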
1

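As far as I know, the Spring Security framework is based on servlet filters, and its configuration seems to be bound to the web application context. Because of this, I think you currently cannot host multiple Spring Security contexts in a single web application context.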