How to secure static html files through Spring 3.0.3 Security?


Question

I am trying to secure access to html files which are being served by a Tomcat server using Spring Security (v3.0.3). I got a head start from this thread.

I am not using the mvc:resources tag as it's not available in this version of Spring.

Here is my configuration:

spring-security.xml

    <security:http auto-config="true" use-expressions="true">
        <!-- admin page: ROLE_ADMIN only (this is the rule that never matches, see the debug output below) -->
        <security:intercept-url pattern="**/admin.html" access="hasRole('ROLE_ADMIN')" />
        <!-- everything else: any authenticated user -->
        <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
        <security:http-basic />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="ved" password="12345" authorities="ROLE_USER" />
                <security:user name="admin" password="admin" authorities="ROLE_ADMIN" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

Debug output

    09:59:39,873 DEBUG FilterChainProxy:175 - Converted URL to lowercase, from: '/app/views/admin.html'; to: '/app/views/admin.html'
    09:59:39,874 DEBUG FilterChainProxy:182 - Candidate is: '/app/views/admin.html'; pattern is /**; matched=true
    09:59:39,874 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 1 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@1670cc6'
    09:59:39,874 DEBUG HttpSessionSecurityContextRepository:165 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@b92b6f9e: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b92b6f9e: Principal: org.springframework.security.core.userdetails.User@1c795: Username: ved; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: CC43ECD3050181A4FFAB5B4897D78AEE; Granted Authorities: ROLE_USER'
    09:59:39,874 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 2 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@1e04a35'
    09:59:39,874 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 3 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@281902'
    09:59:39,875 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 4 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@81d783'
    09:59:39,875 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 5 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.www.BasicAuthenticationFilter@6c01b9'
    09:59:39,876 DEBUG BasicAuthenticationFilter:131 - Basic Authentication Authorization header found for user 'ved'
    09:59:39,876 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 6 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@e5307e'
    09:59:39,876 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 7 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@d2bb53'
    09:59:39,876 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 8 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@58ff51'
    09:59:39,877 DEBUG AnonymousAuthenticationFilter:72 - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b92b6f9e: Principal: org.springframework.security.core.userdetails.User@1c795: Username: ved; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: CC43ECD3050181A4FFAB5B4897D78AEE; Granted Authorities: ROLE_USER'
    09:59:39,877 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 9 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@e22632'
    09:59:39,877 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 10 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@139d891'
    09:59:39,877 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 11 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@b92dc2'
    09:59:39,878 DEBUG ExpressionBasedFilterInvocationSecurityMetadataSource:173 - Converted URL to lowercase, from: '/app/views/admin.html'; to: '/app/views/admin.html'
    09:59:39,878 DEBUG ExpressionBasedFilterInvocationSecurityMetadataSource:200 - Candidate is: '/app/views/admin.html'; pattern is **/admin.html; matched=false
    09:59:39,878 DEBUG ExpressionBasedFilterInvocationSecurityMetadataSource:200 - Candidate is: '/app/views/admin.html'; pattern is /**; matched=true
    09:59:39,879 DEBUG FilterSecurityInterceptor:191 - Secure object: FilterInvocation: URL: /app/views/admin.html; Attributes: [hasAnyRole('ROLE_USER','ROLE_ADMIN')]

As we can see here:

    09:59:39,878 DEBUG ExpressionBasedFilterInvocationSecurityMetadataSource:200 - Candidate is: '/app/views/admin.html'; pattern is **/admin.html; matched=false

the admin page is still being served to ROLE_USER.

Any help in fixing this will be appreciated.

Answer

I think there is a mistake in the pattern, try this:

    <security:intercept-url pattern="/admin.html" access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />

Hope this helps.
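The debug line in the question already names the cause: `pattern is **/admin.html; matched=false`. Spring Security 3.0 intercept-url patterns are Ant-style paths compared against the servlet path (lowercased first, as the `Converted URL to lowercase` line shows), and Spring's AntPathMatcher refuses to match when the pattern and the path disagree on the leading "/". A pattern without a leading slash therefore never matches any request, and the request falls through to the `/**` rule, which is why ROLE_USER gets the admin page. The following is an added example, not code from the original answer or the asker; it assumes the layout visible in the log (the admin page at /app/views/admin.html, other pages under the same context) and keeps the question's in-memory users unchanged:

```xml
<!-- Added example: corrected rule ordering and pattern for the question's setup.
     Assumes the admin page is served at /app/views/admin.html as in the debug log.
     Patterns are Ant-style, matched against the lowercased servlet path, so write
     them in lowercase and always start them with "/". -->
<security:http auto-config="true" use-expressions="true">

    <!-- Wrong: no leading "/". AntPathMatcher returns false whenever the pattern and
         the request path differ on the leading separator, so this rule can never fire
         and every request falls through to the rule below it. -->
    <!-- <security:intercept-url pattern="**/admin.html" access="hasRole('ROLE_ADMIN')" /> -->

    <!-- Right: "/**/" matches zero or more path segments, so this catches
         /admin.html, /app/views/admin.html and any deeper copy of the file.
         Rules are evaluated top to bottom and the first match wins, so the
         most specific rule goes first. -->
    <security:intercept-url pattern="/**/admin.html" access="hasRole('ROLE_ADMIN')" />

    <!-- Catch-all last, so nothing under the context root is left unauthenticated. -->
    <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />

    <security:http-basic />
</security:http>

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="ved" password="12345" authorities="ROLE_USER" />
            <security:user name="admin" password="admin" authorities="ROLE_ADMIN" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>
```

To check the fix, keep DEBUG logging on and request the page as `ved` again: the ExpressionBasedFilterInvocationSecurityMetadataSource line should now report the `/**/admin.html` pattern with `matched=true`, and the FilterSecurityInterceptor line should show `Attributes: [hasRole('ROLE_ADMIN')]` followed by an access-denied response instead of the page. If the admin page lives at exactly one path, `pattern="/app/views/admin.html"` is tighter than the `/**/` form, but either way the rule has to precede `/**`. Unrelated to the matching problem, the in-memory users carry plaintext passwords; the 3.0 namespace lets you declare a `<security:password-encoder hash="sha-256" />` inside the authentication-provider so that stored credentials are hashed rather than readable in the config file.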
