我有一个Spring MVC应用程序,我希望将Spring Security与Spring(Spring 3.0.x)集成 .
web.xml包含:
<context-param>
<description>Context Configuration locations for Spring XML files</description>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath*:spring/spring-model.xml
classpath*:spring/spring-compiler.xml
classpath*:spring/spring-ui.xml
classpath*:spring/spring-security.xml
</param-value>
</context-param>
<listener>
<description><![CDATA[
Loads the root application context of this web app at startup, use
contextConfigLocation paramters defined above or by default use "/WEB-INF/applicationContext.xml".
- Note that you need to fall back to Spring's ContextLoaderServlet for
- J2EE servers that do not follow the Servlet 2.4 initialization order.
Use WebApplicationContextUtils.getWebApplicationContext(servletContext) to access it anywhere in the web application, outside of the framework.
The root context is the parent of all servlet-specific contexts.
This means that its beans are automatically available in these child contexts,
both for getBean(name) calls and (external) bean references.
]]></description>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<description>Configuration for the Spring MVC webapp servlet</description>
<servlet-name>springmvc</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:spring/spring-mvc.xml</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>springmvc</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
我想添加基于角色的安全性,以便用户无法访问网站的某些部分 .
例如用户应具有 CRICKET_USER 角色才能访问 http://example.com/sports/cricket ,角色 FOOTBALL_USER 可以访问 http://example.com/sports/football .
应用程序中的URI保留此层次结构,因此可能存在 http://example.com/sports/football/leagues/premiership 等资源,类似地要求用户具有角色 FOOTBALL_USER .
我有一个像这样的控制器:
@Controller("sportsController")
@RequestMapping("/sports/{sportName}")
public class SportsController {
@RequestMapping("")
public String index(@PathVariable("sportName") Sport sport, Model model) {
model.addAttribute("sport", sport);
return "sports/index";
}
}
我一直在努力使用最惯用,最明显的方式来满足这个要求,但我不确定我是否已找到它 . 我尝试了4种不同的方法 .
@PreAuthorize注释
我试图在该控制器上的每个@RequestMapping方法上使用 @PreAuthorize("hasRole(#sportName.toUpperCase() + '_USER')") (以及在层次结构中进一步处理URI请求的其他控制器 . 我似乎没有做任何事情 .
坏点:
-
不起作用?
-
@Controller上的方法级注释,而不是类级别 . 那不是很干 . 如果添加更多功能并且有人忘记将注释添加到新代码,则可能会留下安全漏洞 . -
我无法为它编写测试 .
Spring Security链中的Intercept-url
<http use-expressions="true">
<!-- note that the order of these filters are significant -->
<intercept-url pattern="/app/sports/**" access="hasRole(#sportName.toUpperCase() + '_USER')" />
<form-login always-use-default-target="false"
authentication-failure-url="/login/" default-target-url="/"
login-page="/login/" login-processing-url="/app/logincheck"/>
<!-- This action catch the error message and make it available to the view -->
<anonymous/>
<http-basic/>
<access-denied-handler error-page="/app/login/accessdenied"/>
<logout logout-success-url="/login/" logout-url="/app/logout"/>
</http>
这感觉它应该工作,对其他开发人员来说,它正在做什么是显而易见的但是我没有成功使用这种方法 . 我采用这种方法唯一的痛点就是无法编写一个测试标记问题,如果事情发生变化 .
java.lang.IllegalArgumentException: Failed to evaluate expression 'hasRole(#sportName.toUpper() + '_USER')'
at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:13)
at org.springframework.security.web.access.expression.WebExpressionVoter.vote(WebExpressionVoter.java:34)
...
Caused by:
org.springframework.expression.spel.SpelEvaluationException: EL1011E:(pos 17): Method call: Attempted to call method toUpper() on null context object
at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:69)
at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:57)
Spring Security链中的标准过滤器 .
public class SportAuthorisationFilter extends GenericFilterBean {
/**
* {@inheritDoc}
*/
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
String pathInfo = httpRequest.getPathInfo();
/* This assumes that the servlet is coming off the /app/ context and sports are served off /sports/ */
if (pathInfo.startsWith("/sports/")) {
String sportName = httpRequest.getPathInfo().split("/")[2];
List<String> roles = SpringSecurityContext.getRoles();
if (!roles.contains(sportName.toUpperCase() + "_USER")) {
throw new AccessDeniedException(SpringSecurityContext.getUsername()
+ "is not permitted to access sport " + sportName);
}
}
chain.doFilter(request, response);
}
}
和:
<http use-expressions="true">
<!-- note that the order of these filters are significant -->
<!--
Custom filter for /app/sports/** requests. We wish to restrict access to those resources to users who have the
{SPORTNAME}_USER role.
-->
<custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="sportsAuthFilter"/>
<form-login always-use-default-target="false"
authentication-failure-url="/login/" default-target-url="/"
login-page="/login/" login-processing-url="/app/logincheck"/>
<!-- This action catch the error message and make it available to the view -->
<anonymous/>
<http-basic/>
<access-denied-handler error-page="/app/login/accessdenied"/>
<logout logout-success-url="/login/" logout-url="/app/logout"/>
</http>
<beans:bean id="sportsAuthFilter" class="com.example.web.controller.security.SportsAuthorisationFilter" />
加点:
- 这很有效
坏点:
-
没有测试 .
-
如果我们的应用程序URI结构发生变化,则可能很脆弱 .
-
对于改变代码的下一个人来说并不明显 .
在@PathVariable使用的Formatter实现中验证
@Component
public class SportFormatter implements DiscoverableFormatter<Sport> {
@Autowired
private SportService SportService;
public Class<Sport> getTarget() {
return Sport.class;
}
public String print(Sport sport, Locale locale) {
if (sport == null) {
return "";
}
return sport.getName();
}
public Sport parse(String text, Locale locale) throws ParseException {
Sport sport;
if (text == null || text.isEmpty()) {
return new Sport();
}
if (NumberUtils.isNumber(text)) {
sport = sportService.getByPrimaryKey(new Long(text));
} else {
Sport example = new Sport();
example.setName(text);
sport = sportService.findUnique(example);
}
if (sport != null) {
List<String> roles = SpringSecurityContext.getRoles();
if (!roles.contains(sportName.toUpperCase() + "_USER")) {
throw new AccessDeniedException(SpringSecurityContext.getUsername()
+ "is not permitted to access sport " + sportName);
}
}
return sport != null ? sport : new Sport();
}
}
加点:
- 这很有效 .
坏点:
-
这是否依赖于具有检索Sport实例的@PathVariable的控制器中的每个@RequestMapping带注释的方法?
-
没有测试 .
请指出我遗漏的精细手册的哪一部分 .
2 回答
而不是
#sportName.toUpper()你需要使用#sport.name.toUpper()之类的东西,因为@PreAuthorize中的#...变量引用了方法参数:See also:
我也找到了解决方案,使用:
希望它能帮到你 .