如何使用Spring Security保护混合Spring MVC + Flex应用程序
问题内容:
我尝试在Spring论坛(http://forum.springsource.org/showthread.php?109948-Problem-
configuring-spring-security-3.1-with-hybrid-Spring-MVC-Flex-
application
)上问这个问题,但没有得到回应。
我正在使用一个Web应用程序,该应用程序具有在Flex中构建的(最终用户)用户界面和使用Spring
MVC构建的管理用户界面。我正在尝试保护两个接口的安全,并且可以使每个接口分别工作,但不能一起工作。
我正在使用带有Spring Security 3.1RC1和Spring 3.1M1的spring-flex-core 1.5.0的快照构建
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- All Spring Security related configuration goes here -->
<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
<security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
<security:anonymous enabled="false"/>
</security:http>
<bean id="entryPoint" class="org.springframework.flex.security3.FlexAuthenticationEntryPoint"/>
<security:http pattern="/favicon.ico" security="none"/>
<security:http pattern="/login*" security="none"/>
<security:http pattern="/logoutSuccess*" security="none"/>
<security:http pattern="/apollo/css/**" security="none"/>
<security:http pattern="/apollo/js/**" security="none"/>
<security:http pattern="/apollo/img/**" security="none"/>
<security:http pattern="/common/css/**" security="none"/>
<security:http pattern="/common/js/**" security="none"/>
<security:http pattern="/common/img/**" security="none"/>
<security:http pattern="/MoneyManager.swf" security="none"/>
<security:http pattern="/assets/**" security="none"/>
<security:http pattern="/index.jsp" security="none"/>
<security:http servlet-api-provision="true">
<security:intercept-url pattern="/cms/*" access="ROLE_ADMIN"/>
<security:intercept-url pattern="/cms/users/*" access="ROLE_ADMIN,ROLE_USER_MANAGER"/>
<security:intercept-url pattern="/cms/content/*" access="ROLE_ADMIN,ROLE_CONTENT_MANAGER"/>
<security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
<security:form-login login-page="/login.html" default-target-url="/home.html"
always-use-default-target="false" authentication-failure-url="/login.html"/>
<security:remember-me/>
<security:logout logout-url="/logout" logout-success-url="/default.html" />
</security:http>
<bean id="successfulLogInListener" class="uk.co.ecube.web.security.SuccessfulLogInListener"/>
<bean id="failedLogInListener" class="uk.co.ecube.web.security.FailedLogInListener"/>
<security:authentication-manager>
<security:authentication-provider user-service-ref='userService'/>
</security:authentication-manager>
</beans>
如果我仅包含第一个http标记而不包含pattern属性,则flex
UI似乎可以使用Spring安全性成功进行身份验证。但是,如果我包含所有<http>标签,则根据是否使用,会出现两个错误之一
<security:http entry-point-ref="entryPoint">
<security:anonymous enabled="false"/>
</security:http>
这使
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: The filter chain map already contains this request matcher [Root bean: class [org.springframework.security.web.util.AnyRequestMatcher]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null]. If you are using multiple <http> namespace elements, you must use a 'pattern' attribute to define the request patterns to which they apply.
要么
<security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
<security:anonymous enabled="false"/>
</security:http>
导致
SEVERE: Servlet /apollo threw load() exception
org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type [org.springframework.security.web.authentication.session.SessionAuthenticationStrategy] is defined: expected single matching bean but found 2: [org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy#0, org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy#1]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:796)
我显然缺少一些东西,但是,尽管Spring Flex文档描述了如何在servlet级别配置混合MVC +
Flex应用程序,但它似乎仅从仅Flex应用程序的角度考虑了安全性。
谁能说出我在做什么错?
谢谢
戴夫
问题答案:
在处理同一问题之前,我使用过的一件事是拥有2个单独的DispatcherServlet:
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>flex</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>flex</servlet-name>
<url-pattern>/messagebroker/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>spring-mvc</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring-mvc</servlet-name>
<url-pattern>/spring/*</url-pattern>
</servlet-mapping>
您还需要通过将MVC路径修改为以下内容来更新安全配置: /spring/...
我几乎可以肯定,当您使用SpringDS而不是BlazeDS时,这不是最佳解决方案。必须有一个更好的方法!
您也可以尝试删除:
<security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
<security:anonymous enabled="false"/>
</security:http>
而不是尝试使用此:
<flex:message-broker mapping-order="1">
<flex:mapping pattern="/messagebroker/*"/>
<flex:message-service default-channels="amf, polling-amf, longpolling-amf" />
<flex:secured>
<flex:secured-channel channel="amf" access="ROLE_SOME_ROLE" />
</flex:secured>
</flex:message-broker>
请记住,身份验证应通过Flex客户端上的channelSet完成!
