Spring 安全性 - SecurityContext.authentication 在 taglib 和 jsp 中为 null，但在控制器中还可以 [英] Spring security - SecurityContext.authentication null in taglib and jsp but ok in controller

问题描述

我一直在为这个问题苦苦挣扎一段时间.找到了几个关于它的帖子，但没有一个解决了我的问题.它可能与 SecurityContext 与特定线程相关的事实有关，但即使如此我也不知道如何解决它:

I've been struggling with this issue for a little while now. Found several posts about it but none solved my problem. It will probably have something to do with the fact that a SecurityContext is boud to a specific Thread but even then I do not know how to solve it:

考虑使用以下代码来检索已登录的用户:

Consider following code to retrieve the user that was logged in:

SecurityContextHolder.getContext().getAuthentication().getPrincipal()

在控制器中运行此代码将返回(正确)用户登录.从 taglib 或 jsp 运行此代码会引发 NPE(身份验证 = null).此外，spring 标签 不起作用(可能出于同样的原因).

Running this code in a controller would return (correctly) the user logged in. Running this code from a taglib or jsp throws NPE (authentication = null). Also the spring tag does not function (presumably for the same reason).

从 web.xml 中提取:

Extract from web.xml:

    <filter>
    <filter-name>AcegiFilter</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
        <param-name>targetClass</param-name>
        <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>AcegiFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

从 spring 安全配置文件中提取:

Extract from spring security config file:

    <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 
            PATTERN_TYPE_APACHE_ANT
            /**=httpSessionIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
        </value>
    </property>
</bean>
    <bean id="filterSecurityInterceptor"
    class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="alwaysReauthenticate" value="true" />
    <property name="objectDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 
            PATTERN_TYPE_APACHE_ANT
            /myaccount.htm=ROLE_CUSTOMER
        </value>
    </property>
</bean>

推荐答案

RESOLVED

问题来自过滤器序列.PageFilter (sitemesh) 在 spring 安全过滤器之前被调用，因此安全上下文在 jsp 中尚不可用.更改 web.xml 中过滤器的顺序(首先是安全过滤器)修复了该问题.

the problem arose from the filter sequence. The PageFilter (sitemesh) was invoked before the spring security filter and because of this the security context was not yet available in the jsp. Changing the order of the filters in web.xml (security filter first) fixed the issue.

这篇关于Spring 安全性 - SecurityContext.authentication 在 taglib 和 jsp 中为 null，但在控制器中还可以的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！