春季安全性-Taglib和JSP中的SecurityContext.authentication为null，但在控制器中可以 [英] Spring security - SecurityContext.authentication null in taglib and jsp but ok in controller

问题描述

我已经为这个问题苦苦挣扎了一段时间.找到了关于它的几篇文章，但都没有解决我的问题.可能与将SecurityContext绑定到特定线程有关，但是即使那样，我仍然不知道如何解决它:

I've been struggling with this issue for a little while now. Found several posts about it but none solved my problem. It will probably have something to do with the fact that a SecurityContext is boud to a specific Thread but even then I do not know how to solve it:

考虑以下代码以检索已登录的用户:

Consider following code to retrieve the user that was logged in:

SecurityContextHolder.getContext().getAuthentication().getPrincipal()

在控制器中运行此代码将(正确)返回用户登录. 从taglib或jsp运行此代码将引发NPE(身份验证= null). 弹簧标签 也不起作用(可能出于相同的原因).

Running this code in a controller would return (correctly) the user logged in. Running this code from a taglib or jsp throws NPE (authentication = null). Also the spring tag does not function (presumably for the same reason).

从web.xml中提取:

Extract from web.xml:

    <filter>
    <filter-name>AcegiFilter</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
        <param-name>targetClass</param-name>
        <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>AcegiFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

从spring安全配置文件中提取:

Extract from spring security config file:

    <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 
            PATTERN_TYPE_APACHE_ANT
            /**=httpSessionIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
        </value>
    </property>
</bean>
    <bean id="filterSecurityInterceptor"
    class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="alwaysReauthenticate" value="true" />
    <property name="objectDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 
            PATTERN_TYPE_APACHE_ANT
            /myaccount.htm=ROLE_CUSTOMER
        </value>
    </property>
</bean>

推荐答案

已解决

问题是由过滤器序列引起的.在Spring安全过滤器之前调用了PageFilter(sitemesh)，因此jsp中的安全上下文尚不可用.更改web.xml中的过滤器顺序(首先是安全过滤器)可以解决此问题.

the problem arose from the filter sequence. The PageFilter (sitemesh) was invoked before the spring security filter and because of this the security context was not yet available in the jsp. Changing the order of the filters in web.xml (security filter first) fixed the issue.

这篇关于春季安全性-Taglib和JSP中的SecurityContext.authentication为null，但在控制器中可以的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！