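I am trying to enable Spring Security in my Spring MVC application, which provides some REST web services (Java 8). The problem I have is that no matter what I do, auth doesn't work at all. I can access my REST endpoints without any credentials. I am using this manual: https://docs.spring.io/spring-security/site/docs/5.0.7.RELEASE/reference/htmlsingle/
The Git repo with the complete code of my application is here: https://github.com/SP8EBC/MKS_JG_ONLINE
SecurityConfig.java looks as follows: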

    @EnableWebSecurity
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser(Secret.user).password("{noop}" + Secret.password).roles("USER");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // http
            //     .csrf()
            //     .disable()
            //     .authorizeRequests().antMatchers("/**").permitAll()
            //     .anyRequest().authenticated()
            //     .and()
            //     .httpBasic()
            //     .realmName("test")
            //     .authenticationEntryPoint(new CustomAuthenticationEntryPoint());
            http.authorizeRequests().anyRequest().denyAll();
        }
    }

AppConfig.java:

    @Configuration
    @Import(SecurityConfig.class)
    @EnableWebMvc
    @EnableSpringDataWebSupport
    @EnableTransactionManagement
    @EnableJpaRepositories(basePackages = {"pl.jeleniagora.mks.dao.repository"})
    @ComponentScan("pl.jeleniagora.mks")
    public class AppConfig {
        // beans and app config
    }

web.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
        <display-name>MKS_JG_ONLINE</display-name>
        <context-param>
            <param-name>contextClass</param-name>
            <param-value>
                org.springframework.web.context.support.AnnotationConfigWebApplicationContext
            </param-value>
        </context-param>
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>pl.jeleniagora.mks.ws.config</param-value>
        </context-param>
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
        <servlet>
            <servlet-name>rest</servlet-name>
            <servlet-class>
                org.springframework.web.servlet.DispatcherServlet
            </servlet-class>
            <init-param>
                <param-name>contextClass</param-name>
                <param-value>
                    org.springframework.web.context.support.AnnotationConfigWebApplicationContext
                </param-value>
            </init-param>
            <init-param>
                <param-name>contextConfigLocation</param-name>
                <param-value>pl.jeleniagora.mks.ws.controllers</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>rest</servlet-name>
            <url-pattern>/*</url-pattern>
        </servlet-mapping>
        <welcome-file-list>
            <welcome-file />
        </welcome-file-list>
    </web-app>

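When I start Tomcat 8.5 in debug mode, I can see that SecurityConfig is loaded (execution stops at the breakpoints in configure and configureGlobal). What am I doing wrong?

Next to the security configuration, Spring Security needs a servlet filter to be registered.
Add the following to your web.xml (explained here).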

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

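This will add the filter and apply it to all requests.
However, as you are using a recent servlet container, I would suggest ditching the web.xml and creating 2 Java classes to do the bootstrapping (see also here).
First, the one that bootstraps your application: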

    import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

    public class MvcWebApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

        @Override
        public Class<?>[] getServletConfigClasses() {
            return new Class<?>[] { WebConfig.class }; // or whatever it is called or return `null`
        }

        @Override
        protected Class<?>[] getRootConfigClasses() {
            return new Class<?>[] { AppConfig.class };
        }
    }

Then add the one that bootstraps/configures the Spring Security filter:
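
    import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

    // Registers the springSecurityFilterChain DelegatingFilterProxy for all requests
    public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer { }
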
Now everything is configured in Java and you no longer need your web.xml.
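
A check for the gap described in the answer above, as an added example that is not part of the original question or answer: it audits a web.xml for a `DelegatingFilterProxy` named `springSecurityFilterChain` mapped to `/*`. The function name `audit_web_xml` and the sample documents are assumptions made here (the samples are constructed, abbreviated from the web.xml in the question); it applies only to web.xml-based deployments, not to ones bootstrapped with `AbstractSecurityWebApplicationInitializer`.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}
PROXY = "org.springframework.web.filter.DelegatingFilterProxy"
CHAIN = "springSecurityFilterChain"  # bean name Spring Security registers

# Constructed samples, abbreviated from the web.xml on this page.
HEAD = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">'
SERVLET = """
  <servlet>
    <servlet-name>rest</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>rest</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>"""
FILTER = """
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>"""
QUESTION_WEB_XML = HEAD + SERVLET + "</web-app>"          # as posted: no filter
FIXED_WEB_XML = HEAD + SERVLET + FILTER + "</web-app>"    # with the answer's filter


def _text(elem, path):
    return (elem.findtext(path, default="", namespaces=NS) or "").strip()


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the chain covers all requests."""
    root = ET.fromstring(xml_text)
    proxies = {_text(f, "j:filter-name") for f in root.findall("j:filter", NS)
               if _text(f, "j:filter-class") == PROXY}
    if CHAIN not in proxies:
        return ["no DelegatingFilterProxy named " + CHAIN]
    # Only <url-pattern> mappings are considered; <servlet-name> mappings are not.
    patterns = {p.text.strip() for m in root.findall("j:filter-mapping", NS)
                if _text(m, "j:filter-name") == CHAIN
                for p in m.findall("j:url-pattern", NS) if p.text}
    if "/*" not in patterns:
        return [CHAIN + " is not mapped to /*; mapped patterns: " + str(sorted(patterns))]
    return []
```

Run against the web.xml from the question it reports the missing filter even though `SecurityConfig` itself loads, which matches the behaviour seen in the debugger.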