Spring Security for web services and users
Question:
We have a web application that we want to secure with Spring Security in two different ways:
1) Users who authenticate with a login form and are authorized to access certain services.
2) Other services protected by digest authentication (username and password passed in the request headers), which are consumed by other web applications, so there is no login form.
Each of these works on its own, but we can't get them to work in the same web application. When we try to run the webapp with both XML files at the same time, we get the following error:
A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration
The users' security.xml:
<security:http use-expressions="true">
    <security:intercept-url pattern="/user/login" access="permitAll" />
    ...
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
    <security:form-login authentication-success-handler-ref="userAuthenticationSuccessHandler" />
    <security:logout logout-url="/user/logout" logout-success-url="/demo/user/logoutSuccess" />
</security:http>

<bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="authenticationProvider" />
</security:authentication-manager>
The web services' rest-security.xml:
<security:http create-session="stateless" entry-point-ref="digestEntryPoint">
    <security:intercept-url pattern="/provider/**" access="ROLE_WEBAPP" />
    <security:http-basic />
    <security:custom-filter ref="digestFilter" after="BASIC_AUTH_FILTER" />
</security:http>

<bean id="digestFilter" class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
    <property name="userDetailsService" ref="webappDetailsServiceImpl" />
    <property name="authenticationEntryPoint" ref="digestEntryPoint" />
</bean>

<bean id="digestEntryPoint" class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
    <property name="realmName" value="Contacts Realm via Digest Authentication" />
    <property name="key" value="acegi" />
</bean>

<security:authentication-manager>
    <security:authentication-provider ref="restAuthenticationProvider" />
</security:authentication-manager>
Does anyone have experience with this kind of setup?
Answer:
I found the solution here: https://blog.codecentric.de/en/2012/07/spring-security-two-security-realms-in-one-application/
That post describes in detail what I wanted to do.
The trick seems to be to add pattern="/provider/**" to the REST <security:http> element. So the correct REST security configuration is:
<security:http create-session="stateless" entry-point-ref="digestEntryPoint"
               pattern="/provider/**" use-expressions="true">
    <security:intercept-url pattern="/provider/**" access="isAuthenticated()" />
    <security:http-basic />
    <security:custom-filter ref="digestFilter" after="BASIC_AUTH_FILTER" />
</security:http>
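As an added example (not the poster's files and not the linked article's code), here are the two realms merged into one security context in the order Spring Security requires, with the checks a practitioner would make on the digest side. Bean names (webappDetailsServiceImpl, restAuthenticationProvider, authenticationProvider, userAuthenticationSuccessHandler) come from the question; the two authentication-manager ids and the ${digest.nonce.key} placeholder (which needs a property-placeholder configurer in the context) are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example, not the original poster's configuration. Assumed names:
  restAuthenticationManager, formAuthenticationManager, ${digest.nonce.key}.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Chain 1: the REST realm. FilterChainProxy walks the <http> chains in
       document order and uses the FIRST one whose pattern matches the request,
       so this narrow pattern must be declared before the catch-all chain below.
       Declaring it after the catch-all reproduces the "universal match pattern"
       error from the question. -->
  <security:http pattern="/provider/**"
                 create-session="stateless"
                 use-expressions="true"
                 entry-point-ref="digestEntryPoint"
                 authentication-manager-ref="restAuthenticationManager">
    <security:intercept-url pattern="/provider/**" access="isAuthenticated()" />
    <!-- No <http-basic/> here: with it present a client could still send the
         password Base64-encoded even though the entry point challenges for
         Digest. The digest filter takes the free BASIC_AUTH_FILTER slot instead. -->
    <security:custom-filter ref="digestFilter" position="BASIC_AUTH_FILTER" />
  </security:http>

  <!-- Chain 2: the browser realm. An <http> without a pattern means "/**",
       which is only legal as the last chain. -->
  <security:http use-expressions="true"
                 authentication-manager-ref="formAuthenticationManager">
    <security:intercept-url pattern="/user/login" access="permitAll" />
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
    <security:form-login authentication-success-handler-ref="userAuthenticationSuccessHandler" />
    <security:logout logout-url="/user/logout" logout-success-url="/demo/user/logoutSuccess" />
  </security:http>

  <!-- DigestAuthenticationFilter recomputes MD5(user:realm:password) itself and
       never calls the AuthenticationManager, so webappDetailsServiceImpl must
       return the cleartext password (or, with passwordAlreadyEncoded="true",
       exactly that MD5). A BCrypt-hashed user store cannot back this filter;
       keep it for the form-login realm only. -->
  <bean id="digestFilter"
        class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
    <property name="userDetailsService" ref="webappDetailsServiceImpl" />
    <property name="authenticationEntryPoint" ref="digestEntryPoint" />
  </bean>

  <!-- The key signs the server nonce so the filter can detect tampered or
       expired nonces. "acegi" is the value copied from the reference
       documentation; use a per-deployment secret. -->
  <bean id="digestEntryPoint"
        class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
    <property name="realmName" value="Contacts Realm via Digest Authentication" />
    <property name="key" value="${digest.nonce.key}" />
    <property name="nonceValiditySeconds" value="300" />
  </bean>

  <!-- Separate managers keep the two credential stores apart: a webapp account
       cannot log in through the form, and a form user cannot hit /provider/**. -->
  <security:authentication-manager id="restAuthenticationManager">
    <security:authentication-provider ref="restAuthenticationProvider" />
  </security:authentication-manager>

  <security:authentication-manager id="formAuthenticationManager">
    <security:authentication-provider ref="authenticationProvider" />
  </security:authentication-manager>

  <bean id="bCryptPasswordEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
</beans>
```

The ordering rule is the whole fix: a request to /provider/foo is handed to chain 1 and never sees the form-login filters, while everything else falls through to chain 2. When the two realms are kept in separate XML files, the file containing the /provider/** chain has to be imported before the one with the catch-all chain, because import order is document order for FilterChainProxy.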