How to secure a hybrid Spring MVC + Flex application with spring security
Problem description
I tried asking this on the Spring forums ( http://forum.springsource.org/showthread.php?109948-Problem-configuring-spring-security-3.1-with-hybrid-Spring-MVC-Flex-application ) but did not get a response.

I'm working on a web application that has an (end user) user interface built in Flex and a management user interface built using Spring MVC. I'm trying to secure both interfaces and can get each one working separately, but not together.

I'm using a snapshot build of spring-flex-core 1.5.0 with Spring Security 3.1RC1 and Spring 3.1M1.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- All Spring Security related configuration goes here -->
    <security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>

    <security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
        <security:anonymous enabled="false"/>
    </security:http>

    <bean id="entryPoint" class="org.springframework.flex.security3.FlexAuthenticationEntryPoint"/>

    <security:http pattern="/favicon.ico" security="none"/>
    <security:http pattern="/login*" security="none"/>
    <security:http pattern="/logoutSuccess*" security="none"/>
    <security:http pattern="/apollo/css/**" security="none"/>
    <security:http pattern="/apollo/js/**" security="none"/>
    <security:http pattern="/apollo/img/**" security="none"/>
    <security:http pattern="/common/css/**" security="none"/>
    <security:http pattern="/common/js/**" security="none"/>
    <security:http pattern="/common/img/**" security="none"/>
    <security:http pattern="/MoneyManager.swf" security="none"/>
    <security:http pattern="/assets/**" security="none"/>
    <security:http pattern="/index.jsp" security="none"/>

    <security:http servlet-api-provision="true">
        <security:intercept-url pattern="/cms/*" access="ROLE_ADMIN"/>
        <security:intercept-url pattern="/cms/users/*" access="ROLE_ADMIN,ROLE_USER_MANAGER"/>
        <security:intercept-url pattern="/cms/content/*" access="ROLE_ADMIN,ROLE_CONTENT_MANAGER"/>
        <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
        <security:form-login login-page="/login.html" default-target-url="/home.html"
                             always-use-default-target="false" authentication-failure-url="/login.html"/>
        <security:remember-me/>
        <security:logout logout-url="/logout" logout-success-url="/default.html"/>
    </security:http>

    <bean id="successfulLogInListener" class="uk.co.ecube.web.security.SuccessfulLogInListener"/>
    <bean id="failedLogInListener" class="uk.co.ecube.web.security.FailedLogInListener"/>

    <security:authentication-manager>
        <security:authentication-provider user-service-ref='userService'/>
    </security:authentication-manager>
</beans>

If I include only the first http tag without the pattern attribute then the flex UI appears to authenticate successfully using Spring security. However if I include all the <http> tags then I get one of two errors depending on whether I use

    <security:http entry-point-ref="entryPoint">
        <security:anonymous enabled="false"/>
    </security:http>

which gives

SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: The filter chain map already contains this request matcher [Root bean: class [org.springframework.security.web.util.AnyRequestMatcher]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null]. If you are using multiple <http> namespace elements, you must use a 'pattern' attribute to define the request patterns to which they apply.

or

    <security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
        <security:anonymous enabled="false"/>
    </security:http>

which results in

SEVERE: Servlet /apollo threw load() exception
org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type [org.springframework.security.web.authentication.session.SessionAuthenticationStrategy] is defined: expected single matching bean but found 2: [org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy#0, org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy#1]
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:796)

I'm obviously missing something but while the Spring Flex documentation describes how to configure a hybrid MVC+Flex application at the servlet level it appears to only consider security from the perspective of a flex-only application.

Can anyone suggest what I'm doing wrong?

thanks

Dave

One thing I've used before when dealing with the same issue was to have 2 separate DispatcherServlets:

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>flex</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>flex</servlet-name>
        <url-pattern>/messagebroker/*</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>spring-mvc</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring-mvc</servlet-name>
        <url-pattern>/spring/*</url-pattern>
    </servlet-mapping>

You also need to update your security configuration by modifying the MVC paths to

    /spring/...

I'm almost sure that this isn't the best solution when you use SpringDS instead of BlazeDS. There's gotta be a more optimal way!

You can also try to remove:

    <security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
        <security:anonymous enabled="false"/>
    </security:http>

And instead of that try using this:

    <flex:message-broker mapping-order="1">
        <flex:mapping pattern="/messagebroker/*"/>
        <flex:message-service default-channels="amf, polling-amf, longpolling-amf"/>
        <flex:secured>
            <flex:secured-channel channel="amf" access="ROLE_SOME_ROLE"/>
        </flex:secured>
    </flex:message-broker>

Keep in mind that the authentication should be done through the channelSet on the Flex client!
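An added example, not part of the original question or answers: a small Python check for the rule quoted in the first error message (multiple `<http>` elements each need a `pattern`). It also lists the `security="none"` patterns so they can be reviewed. The function name `lint_http_elements` and the sample config are constructed for this illustration, and the check covers only that namespace rule, not the second error shown in the question.

```python
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"

# Constructed sample, reduced from the question's first variant: the Flex
# <http> element has no pattern, and neither does the form-login one.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http entry-point-ref="entryPoint">
    <security:anonymous enabled="false"/>
  </security:http>
  <security:http pattern="/login*" security="none"/>
  <security:http servlet-api-provision="true">
    <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
  </security:http>
</beans>"""


def lint_http_elements(xml_text):
    """Return (findings, unsecured) for the top-level <security:http> elements."""
    chains = ET.fromstring(xml_text).findall("{%s}http" % SEC_NS)
    # An <http> element without a pattern applies to every request.
    catch_all = [i for i, c in enumerate(chains) if c.get("pattern") is None]
    findings = []
    if len(catch_all) > 1:
        # The condition the BeanDefinitionParsingException above reports.
        findings.append("duplicate-catch-all: %d <http> elements lack a pattern"
                        % len(catch_all))
    if catch_all and catch_all[0] != len(chains) - 1:
        # Chains are tried in declaration order, so later ones never match.
        findings.append("catch-all-not-last: <http> #%d shadows the %d after it"
                        % (catch_all[0] + 1, len(chains) - 1 - catch_all[0]))
    # Paths that bypass the security filters entirely; worth a manual review.
    unsecured = [c.get("pattern") for c in chains if c.get("security") == "none"]
    return findings, unsecured


if __name__ == "__main__":
    findings, unsecured = lint_http_elements(SAMPLE)
    for line in findings:
        print(line)
    print("security=none patterns:", unsecured)
```

Running it against a real `applicationContext-security.xml` before deployment catches the pattern rule without starting the container.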