Spring Security 3.1.4 taglib authorize/authentication are not working with role hierarchy in JSF 2.2 on Tomcat 7
Problem description
The role hierarchy is taken into account for web security expressions defined as intercept URLs via the http namespace, but not in expressions used with the JSP authorize taglib.
I have already read a lot of material... ref1 ref2 ref3 ref4 ref5 ref6
EDIT: Ref1 and Ref6 mention a problem with filter order and the security context not being available in JSP... (by the way, I'm using JSF 2). Maybe there is something to dig into there...
EDIT 2: Does JSF handle the security tag lib? I read this and tried that with no success.
EDIT 3: I tried to install spring-faces 2.3.2 and spring-security-taglibs via Maven... nothing happens... Some tutorials said to create a custom taglib.xml, but that didn't work either; I think it was for an older version...
I tested facesContext.externalContext.isUserInRole('ROLE') and sec:authorize access="hasRole('Role')"... The first works only if it is the same ROLE, but it does not take the hierarchy into account... And sec:authorize simply does nothing: all the roles are printed.
See the example below with a user that has the role ROLE_ADMIN_PROFILER_NGS:
<h:outputText rendered="#{facesContext.externalContext.isUserInRole('ROLE_ADMIN_PROFILER_NGS')}" value="ROLE_ADMIN_PROFILER_NGS"></h:outputText> // WORKS <br></br>
<h:outputText rendered="#{facesContext.externalContext.isUserInRole('ROLE_GUEST')}" value="ROLE_GUEST"></h:outputText> // SHOULD APPEAR BUT NOTHING HAPPENS <br></br>
<h:outputText rendered="#{facesContext.externalContext.isUserInRole('ROLE_ADMIN')}" value="ROLE_ADMIN"></h:outputText> // SHOULD NOT APPEAR, AND THAT'S THE CASE <br></br>
/* ALL THREE OF THE FOLLOWING ARE DISPLAYED WITHOUT ANY AUTHORIZATION CONTROL. */
<sec:authorize access="hasRole('ROLE_ADMIN_PROFILER_NGS')">ROLE_ADMIN_PROFILER_NGS<br></br></sec:authorize>
<sec:authorize access="hasRole('ROLE_GUEST')">ROLE_GUEST<br></br></sec:authorize>
<sec:authorize access="hasRole('ROLE_ADMIN')">ROLE_ADMIN<br></br></sec:authorize>
This is what I tried to access for testing the role hierarchy:
When a user comes with only the role GUEST, all the tags are shown... they shouldn't appear; only GUEST should appear (cf. the definition at the bottom):
<sec:authentication property="username" />
<sec:authorize access="hasRole('ROLE_BABAB')">BABA</sec:authorize>
<sec:authorize access="hasRole('ROLE_GUEST')">GUEST</sec:authorize>
<sec:authorize access="hasRole('ROLE_ADMIN')">ADMIN</sec:authorize>
This is my security configuration :
<security:http auto-config="true" access-decision-manager-ref="accessDecisionManager" use-expressions="true" disable-url-rewriting="true">
<security:intercept-url pattern="/Participant/New/*" access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/Home" access="hasRole('ROLE_GUEST')" />
<security:intercept-url pattern="/Login" access="hasRole('ROLE_ANONYMOUS')" />
<security:intercept-url pattern="/Login/Error" access="hasRole('ROLE_ANONYMOUS')" />
<security:form-login login-page="/Login" login-processing-url="/j_spring_security_check" authentication-failure-url="/Login/Error" default-target-url="/Home" />
<security:logout logout-url="/j_spring_security_logout" logout-success-url="/Home" delete-cookies="JSESSIONID" invalidate-session="true"/>
<security:anonymous/>
<security:expression-handler ref="defaultWebSecurityExpressionHandler" />
<security:session-management invalid-session-url="/Login" >
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</security:session-management>
<security:port-mappings>
<security:port-mapping http="8086" https="8443"/>
</security:port-mappings>
</security:http>
<beans:bean id="defaultWebSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
<beans:property name="roleHierarchy" ref="roleHierarchy"/>
</beans:bean>
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<beans:property name="decisionVoters">
<beans:list>
<beans:ref bean="roleVoter" />
<beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
<beans:property name="expressionHandler" ref="defaultWebSecurityExpressionHandler"/>
</beans:bean>
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
<beans:constructor-arg ref="roleHierarchy" />
</beans:bean>
<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<beans:property name="hierarchy">
<beans:value>
ROLE_ADMIN > ROLE_ADMIN_PROFILER_NGS
ROLE_ADMIN_PROFILER_NGS > ROLE_GUEST
ROLE_GUEST > ROLE_GUEST_PROFILER_NGS
ROLE_ADMIN > ROLE_ADMIN_PROFILER_CGH
ROLE_ADMIN_PROFILER_CGH > ROLE_GUEST
ROLE_GUEST > ROLE_GUEST_PROFILER_CGH
</beans:value>
</beans:property>
</beans:bean>
Thanks a lot; any other ideas to test are welcome...
EDIT 4:
Why does it return 0 for RoleHierarchyVoter and 1 for WebExpressionVoter... is that normal?
14:48:32,861 DEBUG FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL: /Home; Attributes: [hasRole('ROLE_GUEST')]
14:48:32,861 DEBUG FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@43a64f5f: Principal: com.clb.genomic.lyon.model.User@d46: Username: jp; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN_PROFILER_NGS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 192.168.154.18; SessionId: 084939D4E097F41ACA6A1F24CD8390BE; Granted Authorities: ROLE_ADMIN_PROFILER_NGS
14:48:32,861 DEBUG RoleHierarchyImpl:117 - getReachableGrantedAuthorities() - From the roles [ROLE_ADMIN_PROFILER_NGS] one can reach [ROLE_GUEST_PROFILER_NGS, ROLE_GUEST_PROFILER_CGH, ROLE_ADMIN_PROFILER_NGS, ROLE_GUEST] in zero or more steps.
14:48:32,861 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.access.vote.RoleHierarchyVoter@6ff43d69, returned: 0
14:48:32,862 DEBUG RoleHierarchyImpl:117 - getReachableGrantedAuthorities() - From the roles [ROLE_ADMIN_PROFILER_NGS] one can reach [ROLE_GUEST_PROFILER_NGS, ROLE_GUEST_PROFILER_CGH, ROLE_ADMIN_PROFILER_NGS, ROLE_GUEST] in zero or more steps.
14:48:32,862 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3fe932d5, returned: 1
14:48:32,862 DEBUG FilterSecurityInterceptor:215 - Authorization successful
EDIT 5 :
<beans:bean id="login" class="com.clb.genomic.lyon.beans.LoginBean" scope ="session">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="userBo" >
<security:password-encoder ref="standardPasswordEncoder"/>
</security:authentication-provider>
</security:authentication-manager>
It can be quite challenging to get the RoleHierarchy set in all the correct places. Spring WebFlow currently re-implements a number of features (i.e. it reimplements the taglibs rather than extending Spring Security's base tag), so this approach is unlikely to work.
A different approach that will work seamlessly with JSF is to create a RoleHierarchyAuthoritiesMapper
and plug it into your AuthenticationProvider. For example, the following configuration should give you the hierarchy you are looking for.
<security:http auto-config="true"
use-expressions="true"
disable-url-rewriting="true">
<security:intercept-url pattern="/Participant/New/*"
access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/Home"
access="hasRole('ROLE_GUEST')" />
<security:intercept-url pattern="/Login"
access="hasRole('ROLE_ANONYMOUS')" />
<security:intercept-url pattern="/Login/Error"
access="hasRole('ROLE_ANONYMOUS')" />
<security:form-login login-page="/Login"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/Login/Error" default-target-url="/Home" />
<security:logout logout-url="/j_spring_security_logout"
logout-success-url="/Home" delete-cookies="JSESSIONID"
invalidate-session="true" />
<security:anonymous />
<security:session-management invalid-session-url="/Login">
<security:concurrency-control max-sessions="1"
error-if-maximum-exceeded="true" />
</security:session-management>
<security:port-mappings>
<security:port-mapping http="8086" https="8443" />
</security:port-mappings>
</security:http>
<beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService"/>
<beans:property name="authoritiesMapper">
<beans:bean class="org.springframework.security.access.hierarchicalroles.RoleHierarchyAuthoritiesMapper">
<beans:constructor-arg ref="roleHierarchy"/>
</beans:bean>
</beans:property>
<beans:property name="passwordEncoder">
<beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>
</beans:property>
</beans:bean>
<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<beans:property name="hierarchy">
<beans:value>
ROLE_ADMIN > ROLE_ADMIN_PROFILER_NGS
ROLE_ADMIN_PROFILER_NGS > ROLE_GUEST
ROLE_GUEST > ROLE_GUEST_PROFILER_NGS
ROLE_ADMIN > ROLE_ADMIN_PROFILER_CGH
ROLE_ADMIN_PROFILER_CGH > ROLE_GUEST
ROLE_GUEST > ROLE_GUEST_PROFILER_CGH
</beans:value>
</beans:property>
</beans:bean>
<security:user-service id="userDetailsService">
<security:user name="joe" password="bf403351dfb2ae819874163aff25a49c"
authorities="ROLE_ADMIN" />
<security:user name="pete" password="5d2ea1f70185e4357183bb9c00187219"
authorities="ROLE_ADMIN_PROFILER_CGH" />
</security:user-service>
A few additional highlights: we no longer need the following beans:
- accessDecisionManager
- defaultWebSecurityExpressionHandler
- roleVoter
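To make the mechanics behind the answer concrete, here is an added illustration (not code from the question, the answer or Spring Security itself): a small Python model of the pieces involved. It expands the page's own hierarchy the way RoleHierarchyImpl does, reproduces the two votes seen in the debug log (RoleHierarchyVoter abstains with 0 because RoleVoter only supports plain ROLE_ attributes, not hasRole() expressions; WebExpressionVoter grants with 1 because its handler was given the hierarchy), and shows why facesContext.externalContext.isUserInRole('ROLE_GUEST') stayed false: the request wrapper tests the token's authorities directly, and the token carries the inherited roles only once RoleHierarchyAuthoritiesMapper has expanded them at authentication time. The class behaviour is re-implemented from Spring Security 3.1 as named in the comments; the role names and the "jp" user's authority are taken from the page; the cycle check mirrors RoleHierarchyImpl rejecting a hierarchy in which a role implies itself.

```python
"""Added model of Spring Security 3.1 role-hierarchy handling (not code from the
page or from Spring Security); behaviour is re-implemented from the classes
named in the comments, role names are the page's own."""
import re
from collections import deque

ABSTAIN, GRANT, DENY = 0, 1, -1                     # AccessDecisionVoter constants
HAS_ROLE = re.compile(r"^hasRole\('([^']+)'\)$")

# The <beans:value> of the roleHierarchy bean on the page, verbatim.
HIERARCHY = """
ROLE_ADMIN > ROLE_ADMIN_PROFILER_NGS
ROLE_ADMIN_PROFILER_NGS > ROLE_GUEST
ROLE_GUEST > ROLE_GUEST_PROFILER_NGS
ROLE_ADMIN > ROLE_ADMIN_PROFILER_CGH
ROLE_ADMIN_PROFILER_CGH > ROLE_GUEST
ROLE_GUEST > ROLE_GUEST_PROFILER_CGH
"""


class CycleInRoleHierarchyError(ValueError):
    """RoleHierarchyImpl refuses a hierarchy in which a role implies itself."""


def reachable_roles(implies, granted):
    """RoleHierarchyImpl.getReachableGrantedAuthorities(): every role reachable
    from `granted` in zero or more 'A > B' steps (breadth-first closure)."""
    seen, queue = set(granted), deque(granted)
    while queue:
        for lower in implies.get(queue.popleft(), ()):
            if lower not in seen:
                seen.add(lower)
                queue.append(lower)
    return seen


def parse_hierarchy(text):
    """Parse 'HIGHER > LOWER' lines into {HIGHER: {LOWER, ...}}; reject cycles."""
    implies = {}
    for line in text.splitlines():
        if line.strip():
            higher, lower = (part.strip() for part in line.split(">", 1))
            implies.setdefault(higher, set()).add(lower)
    for role, lowers in implies.items():
        if role in reachable_roles(implies, lowers):   # reachable from itself
            raise CycleInRoleHierarchyError(role)
    return implies


def role_hierarchy_voter(implies, granted, attribute):
    """RoleHierarchyVoter extends RoleVoter, which only supports attributes that
    start with its 'ROLE_' prefix; an expression attribute such as
    hasRole('ROLE_GUEST') is unsupported, so it abstains (0) as in the log."""
    if not attribute.startswith("ROLE_"):
        return ABSTAIN
    return GRANT if attribute in reachable_roles(implies, granted) else DENY


def web_expression_voter(implies, granted, attribute, hierarchy_aware=True):
    """WebExpressionVoter evaluates hasRole(...) via its expression handler;
    inherited roles count only if the handler holds a RoleHierarchy (the page's
    defaultWebSecurityExpressionHandler bean does)."""
    match = HAS_ROLE.match(attribute)
    if match is None:
        return ABSTAIN
    effective = reachable_roles(implies, granted) if hierarchy_aware else set(granted)
    return GRANT if match.group(1) in effective else DENY


def affirmative_based(votes):
    """AffirmativeBased: one GRANT is enough; otherwise a DENY, or every voter
    abstaining (allowIfAllAbstainDecisions=false by default), denies access."""
    return GRANT in votes


def decide_intercept_url(implies, granted, attribute, hierarchy_aware=True):
    """The page's accessDecisionManager (AuthenticatedVoter abstains on hasRole
    attributes and is left out).  Returns (decision, (voter votes...))."""
    votes = (role_hierarchy_voter(implies, granted, attribute),
             web_expression_voter(implies, granted, attribute, hierarchy_aware))
    return affirmative_based(votes), votes


def map_authorities(implies, granted):
    """RoleHierarchyAuthoritiesMapper.mapAuthorities(): DaoAuthenticationProvider
    runs this once while building the successful Authentication, so the token
    kept in the session already contains every inherited role."""
    return frozenset(reachable_roles(implies, granted))


def is_user_in_role(token_authorities, role):
    """SecurityContextHolderAwareRequestWrapper.isUserInRole(), behind
    facesContext.externalContext.isUserInRole(): a plain membership test on the
    token's authorities, with no hierarchy lookup of its own."""
    return role in token_authorities


if __name__ == "__main__":
    implies = parse_hierarchy(HIERARCHY)
    raw = {"ROLE_ADMIN_PROFILER_NGS"}                # the page's user "jp"
    print("reachable:", sorted(reachable_roles(implies, raw)))
    print("intercept-url /Home:", decide_intercept_url(implies, raw, "hasRole('ROLE_GUEST')"))
    print("isUserInRole(ROLE_GUEST) before mapper:", is_user_in_role(raw, "ROLE_GUEST"))
    expanded = map_authorities(implies, raw)
    print("isUserInRole(ROLE_GUEST) after mapper:", is_user_in_role(expanded, "ROLE_GUEST"))
    print("isUserInRole(ROLE_ADMIN) after mapper:", is_user_in_role(expanded, "ROLE_ADMIN"))
```

Running it prints the same reachable set the log reports for ROLE_ADMIN_PROFILER_NGS, the (0, 1) pair of votes for /Home, and isUserInRole('ROLE_GUEST') flipping from False to True once the authorities have been mapped, while ROLE_ADMIN stays False. The model deliberately leaves out the <sec:authorize> tags: they are JSP tag handlers, and with no Facelets taglib behind the sec: namespace a Facelets view emits them as literal markup, so their bodies render regardless of any hierarchy configuration.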