2013-01-04 36 views
2

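Handling static resources with Spring Security

Hello, I need to have static resources handled with Spring Security, and I want them to remain static, in that they are not handled by the DispatcherServlet. I have one folder reserved for non-secured resources and one folder for secured resources. I was not able to make this work until I excluded /res/secured from the resource handler. But if I do that, the secured resources are handled by the DispatcherServlet, which I think is not correct (maybe I am wrong? -> please explain or link).

My configuration: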

/*--- Directories structure ---*/ 
res 
|-- nonsecured 
|-- secured 
/*--- /Directories structure ---*/ 

/*--- WebApplicationInitializer ---*/ 
Dynamic portalSecurityFilter = servletContext.addFilter("portalSecurityFilter", new PortalSecurityFilter()); 
portalSecurityFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*"); 

// Spring Security filter
Dynamic securityFilter = servletContext.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class); 
securityFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*"); 

CharacterEncodingFilter characterEncodingFilter = new CharacterEncodingFilter(); 
characterEncodingFilter.setEncoding("UTF-8"); 

Dynamic dynamicCharacterEncodingFilter = servletContext.addFilter("characterEncodingFilter", characterEncodingFilter); 
dynamicCharacterEncodingFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*"); 

Dynamic ajaxFilter = servletContext.addFilter("ajaxFilter", new AjaxFilter()); 
ajaxFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*"); 

// Root context 
AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext(); 
rootContext.register(WebConfig.class); 

// Dispatcher servlet 
ServletRegistration.Dynamic dispatcherServlet = servletContext.addServlet("dispatcherServlet", new DispatcherServlet(rootContext)); 
dispatcherServlet.setLoadOnStartup(1); 
dispatcherServlet.addMapping("/"); 

servletContext.addListener(new ContextLoaderListener(rootContext)); 
/*--- /WebApplicationInitializer ---*/ 

/*--- Web configuration part ---*/ 
@Override 
public void addResourceHandlers(ResourceHandlerRegistry registry) { 
    super.addResourceHandlers(registry); 
    registry.addResourceHandler("/res/**").addResourceLocations("/WEB-INF/res/"); 
} 
/*--- /Web configuration part ---*/ 

/*--- Spring Security configuration part ---*/
<http pattern="/res/unsecured/**" security="none" /> 

<http pattern="/**" use-expressions="true" authentication-manager-ref="myAuthenticationManager"> 

    <intercept-url pattern="/res/secured/**" access="hasRole('ROLE_USER_AUTHENTICATED')" /> 
    <intercept-url pattern="/**" access="permitAll" /> 
</http> 
/*--- /Spring Security configuration part ---*/

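Thank you for your answers.

Edit

As I played around with it, it seems to me that the <http pattern="/res/unsecured/**" security="none" /> part of the security configuration is pointless, because the resource handler serves resources without going through Spring Security's filter chain. Am I missing something, or is my configuration wrong?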

+0

Please post the URL patterns for the DispatcherServlet and the Spring Security filter chain (DelegatingFilterProxy) from web.xml.

+0

Hi Maksym, I am using the web.xml-less configuration style, so I will put it there, but in general `DelegatingFilterProxy` is mapped to "/*" and `DispatcherServlet` to "/".

+0

Try adding ** to your pattern: addResourceLocations("/WEB-INF/res/**")

Answer

2

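I must admit, shame on me. Spring Security works as expected and the configuration above works fine. My problem was that the browser cached the static resources (i.e. PDF files) and I just didn't notice it. If you run into the same problem, try a hard refresh before spending time hunting for the problem :)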
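
Added example, not part of the original answer or the asker's project: one way to stop the browser from reusing a cached copy of a protected file is to register the secured folder separately with a cache period of 0. The class name and the one-hour value are assumptions; the paths follow the question's directory layout, and the API is the Spring 3.1-era `WebMvcConfigurerAdapter`.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

// Added example: the class name is hypothetical; paths follow the question's layout.
@Configuration
@EnableWebMvc
public class StaticResourceCacheConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Public files: the browser may cache them (one hour is an assumed value).
        registry.addResourceHandler("/res/nonsecured/**")
                .addResourceLocations("/WEB-INF/res/nonsecured/")
                .setCachePeriod(3600);

        // Protected files: a cache period of 0 makes the resource handler send
        // response headers that prevent caching, so each request reaches the
        // server and passes through springSecurityFilterChain again instead of
        // being answered from the browser cache.
        registry.addResourceHandler("/res/secured/**")
                .addResourceLocations("/WEB-INF/res/secured/")
                .setCachePeriod(0);
    }
}
```

With this in place, a protected PDF requested after logout goes back to the server, where the `intercept-url` rule for `/res/secured/**` is evaluated again.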