本文介绍了Web服务和用户的Spring安全性的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我们有一个Web应用程序,我们希望使用spring security以两种不同的方式保护它:

We have a web application, and we're want to use spring security to secure it in 2 different ways:

1)使用登录表单进行身份验证的用户并且可以访问某些服务。

1) Users that are authenticate using login form and have access to certain services.

2)使用摘要式身份验证保护的其他服务(用户+密码在请求的标头中传递) - 由其他Web应用程序使用,因此有没有登录表单。

2) Other services that are secured using digest authentication (user + password are passed in the request's header) - used by other webapps so there's no login form.

这些都是自己的,但我们无法让它们在同一个网络应用程序中工作。
当我们尝试使用两个xmls运行webapp时,我们收到以下错误:

Each of these works on it's own, but we weren't able to get them to work in the same web app.When we try to run a webapp with both xmls we get the following error:

A universal match pattern ('/**') is defined  before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration

用户的security.xml:

The security.xml for users:

<security:http use-expressions="true">
    <security:intercept-url pattern="/user/login"
        access="permitAll" />
    ...
    <security:intercept-url pattern="/**"
        access="isAuthenticated()" />

    <security:form-login
        authentication-success-handler-ref="userAuthenticationSuccessHandler" />

    <security:logout logout-url="/user/logout"
        logout-success-url="/demo/user/logoutSuccess" />
</security:http>

<bean id="bCryptPasswordEncoder"
    class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider
        ref="authenticationProvider">
    </security:authentication-provider>
</security:authentication-manager>

Web服务的rest-security.xml:

The rest-security.xml for web services:

<security:http create-session="stateless"
    entry-point-ref="digestEntryPoint">
    <security:intercept-url pattern="/provider/**"
        access="ROLE_WEBAPP" />

    <security:http-basic />
    <security:custom-filter ref="digestFilter"
        after="BASIC_AUTH_FILTER" />
</security:http>

<bean id="digestFilter"
    class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
    <property name="userDetailsService" ref="webappDetailsServiceImpl" />
    <property name="authenticationEntryPoint" ref="digestEntryPoint" />
</bean>

<bean id="digestEntryPoint"
    class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
    <property name="realmName" value="Contacts Realm via Digest Authentication" />
    <property name="key" value="acegi" />
</bean>

<security:authentication-manager>
    <security:authentication-provider
        ref="restAuthenticationProvider">
    </security:authentication-provider>
</security:authentication-manager>

有没有人有这种情况的经验?

Does anyone has experiences with this kind of scenario?

推荐答案

我在这里找到了解决方案:

I found the solution here: https://blog.codecentric.de/en/2012/07/spring-security-two-security-realms-in-one-application/

这篇文章详细说明了我想要做的事情。

This post details exactly what I wanted to do.

诀窍似乎是添加 pattern =/ provider / **到其余的http元素。所以正确的rest-security配置是:

The trick seems to be adding pattern="/provider/**" to the rest http element. So the correct rest-security configuration is:

<security:http create-session="stateless"
    entry-point-ref="digestEntryPoint" pattern="/provider/**"
    use-expressions="true">
    <security:intercept-url pattern="/provider/**"
        access="isAuthenticated()" />

    <security:http-basic />
    <security:custom-filter ref="digestFilter"
        after="BASIC_AUTH_FILTER" />
</security:http>

这篇关于Web服务和用户的Spring安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-17 10:05
查看更多