GWT Spring Security集成(PURE GWT,无JSP) [英] GWT Spring Security Integration (PURE GWT, NO JSP)
问题描述
我正在使用 GWT 2.4 和 Spring 3.1 ,并且希望使用 Spring Security 来保护我的应用程序。我正在寻找没有单独的JSP登录页面的仅GWT解决方案。我发现只有使用JSP进行登录的旧网站,因此此线程可能会导致以标准方式将GWT与Spring Security完全集成的解决方案。无论如何,如果有一个引用已经成功地完成了这个线程,那么当然这个线程可以通过指向该引用的链接来关闭。
到目前为止,我的第一个方法是:
applicationcontext-security.xml:
< http auto-config =falseuse-expressions =trueentry-point-ref =customAuthenticationEntryPoint >
< intercept-url pattern =/ ApplicationScaffold.htmlaccess =permitAll/>
< intercept-url pattern =/ **access =hasRole('ROLE_USER')/>
< / http>
< bean:bean id =customAuthenticationEntryPointclass =org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint
c:loginFormUrl =/ ApplicationScaffold.html/>
<! - 配置认证机制 - >
< authentication-manager alias =authenticationManager>
< authentication-provider>
...
< / authentication-provider>
< / authentication-manager>
ApplicationScaffold.html (我的应用程序是用Spring Roo创建的)是我的包含GWT登录页面的起始页面。
web.xml:
<显示-名称>&securitytest LT; /显示名称>
< description> Roo生成的应用程序< / description>
<! - 启用表单提交内容的转义 - >
< context-param>
< param-name> defaultHtmlEscape< / param-name>
< param-value> true< /参数值>
< / context-param>
< context-param>
< param-name> contextConfigLocation< / param-name>
< param-value> classpath *:META-INF / spring / applicationContext * .xml< / param-value>
< / context-param>
< filter>
< filter-name> CharacterEncodingFilter< / filter-name>
< filter-class> org.springframework.web.filter.CharacterEncodingFilter< / filter-class>
< init-param>
< / param-name>编码< / param-name>
< param-value> UTF-8< /参数值>
< / init-param>
< init-param>
< param-name> forceEncoding< / param-name>
< param-value> true< /参数值>
< / init-param>
< / filter>
< filter>
< filter-name> HttpMethodFilter< / filter-name>
< filter-class> org.springframework.web.filter.HiddenHttpMethodFilter< / filter-class>
< / filter>
< filter>
< filter-name> springSecurityFilterChain< / filter-name>
< filter-class> org.springframework.web.filter.DelegatingFilterProxy< / filter-class>
< / filter>
< filter>
< filter-name> Spring OpenEntityManagerInViewFilter< / filter-name>
< filter-class> org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter< / filter-class>
< / filter>
< filter-mapping>
< filter-name> CharacterEncodingFilter< / filter-name>
< url-pattern> / *< / url-pattern>
< / filter-mapping>
< filter-mapping>
< filter-name> HttpMethodFilter< / filter-name>
< url-pattern> / *< / url-pattern>
< / filter-mapping>
< filter-mapping>
< filter-name> springSecurityFilterChain< / filter-name>
< url-pattern> / *< / url-pattern>
< / filter-mapping>
< filter-mapping>
< filter-name> Spring OpenEntityManagerInViewFilter< / filter-name>
< url-pattern> / *< / url-pattern>
< / filter-mapping>
<! - 创建所有Servlet和过滤器共享的Spring容器 - >
< listener>
< listener-class> org.springframework.web.context.ContextLoaderListener< / listener-class>
< / listener>
<! - 处理Spring请求 - >
< servlet>
< servlet-name> securitytest< / servlet-name>
< servlet-class> org.springframework.web.servlet.DispatcherServlet< / servlet-class>
< init-param>
< param-name> contextConfigLocation< / param-name>
< param-value> WEB-INF / spring / webmvc-config.xml< / param-value>
< / init-param>
1< / load-on-startup>
< / servlet>
< servlet>
< servlet-name> requestFactory< / servlet-name>
< servlet-class> com.securitytest.server.CustomRequestFactoryServlet< / servlet-class>
< / servlet>
< servlet-mapping>
< servlet-name> securitytest< / servlet-name>
< url-pattern> /< / url-pattern>
< / servlet-mapping>
< servlet-mapping>
< servlet-name> requestFactory< / servlet-name>
< url-pattern> / gwtRequest< / url-pattern>
< / servlet-mapping>
< session-config>
< session-timeout> 10< / session-timeout>
< / session-config>
CustomRequestFactoryServlet
class extends RequestFactoryServlet
提供了一个额外的构造函数来解决Spring服务,并且不应该与安全问题相关。
在GWT小部件上输入用户名和密码后,会调用登录服务(通过 RequestFactory
),以下内容:
public String loginUser(String username,String password){
UsernamePasswordAuthenticationToken token =
UsernamePasswordAuthenticationToken (用户名密码);
Authentication authenticatedUser = authenticationManager.authenticate(token);
SecurityContextHolder.getContext()。setAuthentication(authenticatedUser);
返回用户名;
$ b $ p
$ b因此,当我输入一个URL,例如.. / fooooooo 我希望我的应用程序将我重定向到登录页面( ApplicationScaffold.html )。但是只有浏览器地址栏中的网址才会设置为../ ApplicationScaffold.html ,而不会发生任何更改。
我做错了什么?
堆栈跟踪说明如下:
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - / fooooooooo at position附加滤波器链中7个中的1个;启动Filter:'SecurityContextPersistenceFilter'
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - 目前没有HttpSession
[ INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - 没有SecurityContext从HttpSession中可用:null。一个新的将被创建。
[INFO] 2012年12月17日13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - / fooooooooo位于第7位的附加过滤器链中;启动Filter:'RequestCacheAwareFilter'
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - / fooooooooo位于第7位,位于附加过滤器链中;启动Filter:'SecurityContextHolderAwareRequestFilter'
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - / fooooooooo位于第7位,位于附加过滤器链中;开发过滤器:'AnonymousAuthenticationFilter'
[INFO] 2012-12-17 13:41:07,503 [btpool0-0] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - 使用匿名标记填充SecurityContextHolder:'org。 springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6:主体:anonymousUser;证书:[PROTECTED];已验证:true;详细信息:org.springframework.security.web.authentication.WebAuthenticationDetails@957e:RemoteIpAddress:127.0.0.1; SessionId:null;授予权限:ROLE_ANONYMOUS'
[INFO] 2012-12-17 13:41:07,503 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - / fooooooooo位于附加过滤器链中的第7位;启动Filter:'SessionManagementFilter'
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.session.SessionManagementFilter - 请求的会话ID1nkvhmubnkz6无效。
[INFO] 2012年12月17日13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - / fooooooooo位于第7位,位于附加的过滤器链中;启动过滤器:'ExceptionTranslationFilter'
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - / fooooooooo ;启动Filter:'FilterSecurityInterceptor'
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - 检查请求匹配:'/ fooooooooo' ;反对'/applicationscaffold.html'
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object:FilterInvocation:URL :/ fooooooooo;属性:[hasRole('ROLE_USER')]
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - 先前已验证: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6:Principal:anonymousUser;证书:[PROTECTED];已验证:true;详细信息:org.springframework.security.web.authentication.WebAuthenticationDetails@957e:RemoteIpAddress:127.0.0.1; SessionId:null;授予权限:ROLE_ANONYMOUS
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter:org.springframework.security.web.access .expression.WebExpressionVoter @ 5f8d13b8,返回:-1
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - 访问被拒绝(用户是匿名的);重定向到身份验证入口点
[INFO] org.springframework.security.access.AccessDeniedException:访问被拒绝
...
[INFO] 2012-12-17 13:41:07,506 [ btpool0-0] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - 将DefaultSavedRequest添加到Session:DefaultSavedRequest [http://127.0.0.1:8888/fooooooooo]
[INFO] 2012-12-17 13: 41:07,506 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - 调用身份验证入口点。
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.DefaultRedirectStrategy - 重定向到'http://127.0.0.1:8888/ApplicationScaffold.html'
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext为空或内容为匿名 - 上下文不会存储在HttpSession中。
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder现已被清除,因为请求处理已完成
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html位于第7位,位于其他过滤器链中;开发过滤器:'SecurityContextPersistenceFilter'
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession为SPRING_SECURITY_CONTEXT返回空对象
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession中没有SecurityContext可用:org.mortbay.jetty.servlet.HashSessionManager $会议:q0k5u6clocpc @ 1530548245。一个新的将被创建。
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html位于附加过滤器链7中的第2位;开发过滤器:'RequestCacheAwareFilter'
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo:null(property equals)
[INFO] 2012年12月17日13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString:两者都为null(等于等于)
[INFO] 2012 -12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI:arg1 = / fooooooooo; arg2 = / ApplicationScaffold.html(属性不等于)
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - 保存的请求不会' t匹配
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html位于第7位,位于其他筛选器链中;启动过滤器:'SecurityContextHolderAwareRequestFilter'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html位于第7位的第4位过滤链;启动Filter:'AnonymousAuthenticationFilter'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - 使用匿名标记填充SecurityContextHolder:'org。 springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6:主体:anonymousUser;证书:[PROTECTED];已验证:true;详细信息:org.springframework.security.web.authentication.WebAuthenticationDetails@957e:RemoteIpAddress:127.0.0.1; SessionId:q0k5u6clocpc;授予权限:ROLE_ANONYMOUS'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html在第5位链;启动Filter:'SessionManagementFilter'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html位于第6位过滤链;启动过滤器:'ExceptionTranslationFilter'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html位于7的7位过滤链;启动Filter:'FilterSecurityInterceptor'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - 检查请求匹配:'/ applicationscaffold。 HTML;反对'/applicationscaffold.html'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object:FilterInvocation:URL :/ApplicationScaffold.html;属性:[permitAll]
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - 先前已验证:org.springframework.security .authentication.AnonymousAuthenticationToken @ 9055e4a6:主体:anonymousUser;证书:[PROTECTED];已验证:true;详细信息:org.springframework.security.web.authentication.WebAuthenticationDetails@957e:RemoteIpAddress:127.0.0.1; SessionId:q0k5u6clocpc;授予权限:ROLE_ANONYMOUS
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter:org.springframework.security.web.access .expression.WebExpressionVoter @ 5f8d13b8,返回:1
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - 授权成功
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager未更改身份验证对象
[INFO] 2012 -12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html到达附加过滤器链的末尾;处理原始链
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter - 在OpenEntityManagerInViewFilter中打开JPA EntityManager
[INFO ] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.hibernate.impl.SessionImpl - 打开会话时间戳:13557480675
[INFO] 2012-12-17 13:41:07,545 [btpool0 -0] DEBUG org.springframework.web.servlet.DispatcherServlet - 名为'securitytest'的DispatcherServlet处理[/ApplicationScaffold.html]的GET请求
[INFO] 2012-12-17 13:41:07,545 [btpool0- 0] DEBUG org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - 查找处理路径的方法/ApplicationScaffold.html
[INFO] 2012-12-17 13:41:07,545 [btpool0-0 ] DEBUG org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - 未找到[/ApplicationScaffold.html]的处理程序方法
[INFO] 2012-12-17 13:41:07,545 [btpool0- 0] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - 请求[/ApplicationScaffold.html]的匹配模式是[/ **]
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - 用于请求[/ApplicationScaffold.html]的URI模板变量是{bb} [btpool0-0] [btpool0-0] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - 使用handler [org.springframework.web.servlet.resource.DefaultServletHttpRequestHandler@3e3bfa58]和1个拦截器
[INFO]映射[/ApplicationScaffold.html]到HandlerExecutionChain 2012- 12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - [/ApplicationScaffold.html]的Last-Modified值为:-1
[INFO] 2012-12- 17 13:41:07,547 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - Null ModelAndView返回名为'securitytest'的DispatcherServlet:假设HandlerAdapter compl
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - 成功完成请求
[INFO] 2012-12- 17 13:41:07,547 [btpool0-0] DEBUG org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter - 在OpenEntityManagerInViewFilter中关闭JPA EntityManager
[INFO] 2012-12-17 13:41:07,547 [btpool0-0 ] DEBUG org.springframework.orm.jpa.EntityManagerFactoryUtils - 关闭JPA EntityManager
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - 链处理正常
[信息] 2012年12月17日13:41:07,547 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext为空或内容为匿名 - 上下文不会存储在HttpSession中。
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder现已被清除,因为请求处理已完成
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html位于第7位,位于附加的过滤器链中;开发过滤器:'SecurityContextPersistenceFilter'
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession为SPRING_SECURITY_CONTEXT返回空对象
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession中没有SecurityContext可用:org.mortbay.jetty.servlet.HashSessionManager $会议:q0k5u6clocpc @ 1530548245。一个新的将被创建。
[INFO] 2012年12月17日13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html在位置2的7个附加过滤器链中;启动Filter:'RequestCacheAwareFilter'
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo:both null(property equals)
[INFO] 2012年12月17日13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest --queryString:两者都是null(等于等于)
[INFO] 2012 -12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI:arg1 = / fooooooooo; arg2 = / applicationScaffold / C142D67E9948229BE2B28E2A99E7C59A.cache.html(属性不等于)
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - 保存的请求不匹配
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html在位置3在另外的过滤器链中有7个;启动Filter:'SecurityContextHolderAwareRequestFilter'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html在位置4在另外的过滤器链中有7个;启动Filter:'AnonymousAuthenticationFilter'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - 使用匿名标记填充SecurityContextHolder:'org。 springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6:主体:anonymousUser;证书:[PROTECTED];已验证:true;详细信息:org.springframework.security.web.authentication.WebAuthenticationDetails@957e:RemoteIpAddress:127.0.0.1; SessionId:q0k5u6clocpc;授予权限:ROLE_ANONYMOUS'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html在位置5 7在另外的过滤器链中;启动Filter:'SessionManagementFilter'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html在位置6在另外的过滤器链中有7个;启动Filter:'ExceptionTranslationFilter'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html在位置7在另外的过滤器链中有7个;启动过滤器:'FilterSecurityInterceptor'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - 检查请求匹配:'/ applicationscaffold / c142d67e9948229be2b28e2a99e7c59a.cache.html;反对'/applicationscaffold.html'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object:FilterInvocation:URL :/applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html;属性:[hasRole('ROLE_USER')]
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - 先前已验证: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6:Principal:anonymousUser;证书:[PROTECTED];已验证:true;详细信息:org.springframework.security.web.authentication.WebAuthenticationDetails@957e:RemoteIpAddress:127.0.0.1; SessionId:q0k5u6clocpc;授予权限:ROLE_ANONYMOUS
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter:org.springframework.security.web.access .expression.WebExpressionVoter @ 5f8d13b8,返回:-1
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - 访问被拒绝(用户是匿名的);重定向到认证入口点
[INFO] org.springframework.security.access.AccessDeniedException:访问被拒绝
解决方案纯GWT解决方案:
- 请勿使用
http
所有元素(来自config命名空间的http标记) AuthenticationRpcService.authenticate(user,password)方法
- 从security-context.xml注入AuthenticationServiceImpl AuthenticationProvider bean
-
实现AuthenticationRpcService.authenticate用户名,密码)为:
User user = new User(登录名,密码,true,true,true,true,new ArrayList< ;&的GrantedAuthority GT;());
Authentication auth = new UsernamePasswordAuthenticationToken(user,password,$ b $ new ArrayList< GrantedAuthority>());
尝试{
auth = this.authenticationProvider.authenticate(auth);
} catch(BadCredentialsException e){
抛出新的ClientSideBadCredentialsException(e.getMessage(),e);
}
SecurityContext sc = new SecurityContextImpl();
sc.setAuthentication(auth);
SecurityContextHolder.setContext(sc);
-
确保在处理每个GWT RPC调用期间执行spring安全筛选器链(<使用@RolesAllowed({ADMIN_ROLE,USER_ROLE})注释来保护所有业务服务注释使用@RolesAllowed({ADMIN_ROLE,USER_ROLE})注释保护所有业务服务
- 准备您自己的可在客户端使用的ClientSideAcessDeniedException
- 在发生Spring AcessDeniedException的情况下,将ClientSideAcessDeniedException传播到客户端
- 在客户端通过GWT.setUncaughtExceptionHandler设置UncaughtExceptionHandler
- 在UncaughtExceptionHandler中检测CustomAcessDeniedException,然后向用户显示错误。 b $ b
I´m using GWT 2.4 and Spring 3.1 and I want to secure my application with Spring Security. I was looking for a GWT-only solution without a separate JSP login page. I found only old sites using JSP to do login, so this thread could result in a solution to fully integrate GWT with Spring Security in a standard way. Anyway, if there is a reference where this has been done successfully already, this thread can be closed with a link to that reference of course.
So far here is my first approach:
applicationcontext-security.xml:
<http auto-config="false" use-expressions="true" entry-point-ref="customAuthenticationEntryPoint">
<intercept-url pattern="/ApplicationScaffold.html" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
</http>
<beans:bean id="customAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
c:loginFormUrl="/ApplicationScaffold.html" />
<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
<authentication-provider>
...
</authentication-provider>
</authentication-manager>
ApplicationScaffold.html (my application was created with Spring Roo) is my starting page containing the GWT login page.
web.xml:
<display-name>securitytest</display-name>
<description>Roo generated application</description>
<!-- Enable escaping of form submission contents -->
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:META-INF/spring/applicationContext*.xml</param-value>
</context-param>
<filter>
<filter-name>CharacterEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter>
<filter-name>HttpMethodFilter</filter-name>
<filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
</filter>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
<filter-name>Spring OpenEntityManagerInViewFilter</filter-name>
<filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CharacterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HttpMethodFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Spring OpenEntityManagerInViewFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Handles Spring requests -->
<servlet>
<servlet-name>securitytest</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>WEB-INF/spring/webmvc-config.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>requestFactory</servlet-name>
<servlet-class>com.securitytest.server.CustomRequestFactoryServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>securitytest</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>requestFactory</servlet-name>
<url-pattern>/gwtRequest</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>10</session-timeout>
</session-config>
The CustomRequestFactoryServlet
class extends RequestFactoryServlet
providing an additional constructor to resolve Spring services and should not be relevant to security issues.
After entering username and password on the GWT widget a login service is invoked (via RequestFactory
) that simply does the following:
public String loginUser(String username, String password) {
UsernamePasswordAuthenticationToken token =
new UsernamePasswordAuthenticationToken(username, password);
Authentication authenticatedUser = authenticationManager.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(authenticatedUser);
return username;
}
So when I enter a URL like ../fooooooo I expect my application to redirect me to the login page (ApplicationScaffold.html). But only the URL in the browser´s address bar is set to ../ApplicationScaffold.html and nothing more happens.
What am I doing wrong?
The stack trace says the following:
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 1 of 7 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 2 of 7 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 3 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 4 of 7 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[INFO] 2012-12-17 13:41:07,503 [btpool0-0] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
[INFO] 2012-12-17 13:41:07,503 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 5 of 7 in additional filter chain; firing Filter: 'SessionManagementFilter'
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.session.SessionManagementFilter - Requested session ID1nkvhmubnkz6h is invalid.
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/fooooooooo'; against '/applicationscaffold.html'
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /fooooooooo; Attributes: [hasRole('ROLE_USER')]
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5f8d13b8, returned: -1
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
[INFO] org.springframework.security.access.AccessDeniedException: Access is denied
...
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://127.0.0.1:8888/fooooooooo]
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Calling Authentication entry point.
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.DefaultRedirectStrategy - Redirecting to 'http://127.0.0.1:8888/ApplicationScaffold.html'
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 1 of 7 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.mortbay.jetty.servlet.HashSessionManager$Session:q0k5u6clocpc@1530548245. A new one will be created.
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 2 of 7 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals)
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/fooooooooo; arg2=/ApplicationScaffold.html (property not equals)
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 3 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 4 of 7 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: q0k5u6clocpc; Granted Authorities: ROLE_ANONYMOUS'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 5 of 7 in additional filter chain; firing Filter: 'SessionManagementFilter'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/applicationscaffold.html'; against '/applicationscaffold.html'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /ApplicationScaffold.html; Attributes: [permitAll]
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: q0k5u6clocpc; Granted Authorities: ROLE_ANONYMOUS
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5f8d13b8, returned: 1
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Authorization successful
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html reached end of additional filter chain; proceeding with original chain
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter - Opening JPA EntityManager in OpenEntityManagerInViewFilter
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.hibernate.impl.SessionImpl - opened session at timestamp: 13557480675
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'securitytest' processing GET request for [/ApplicationScaffold.html]
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Looking up handler method for path /ApplicationScaffold.html
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Did not find handler method for [/ApplicationScaffold.html]
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - Matching patterns for request [/ApplicationScaffold.html] are [/**]
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - URI Template variables for request [/ApplicationScaffold.html] are {}
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - Mapping [/ApplicationScaffold.html] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.DefaultServletHttpRequestHandler@3e3bfa58] and 1 interceptor
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - Last-Modified value for [/ApplicationScaffold.html] is: -1
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'securitytest': assuming HandlerAdapter completed request handling
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - Successfully completed request
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter - Closing JPA EntityManager in OpenEntityManagerInViewFilter
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.orm.jpa.EntityManagerFactoryUtils - Closing JPA EntityManager
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 1 of 7 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.mortbay.jetty.servlet.HashSessionManager$Session:q0k5u6clocpc@1530548245. A new one will be created.
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 2 of 7 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals)
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/fooooooooo; arg2=/applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html (property not equals)
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 3 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 4 of 7 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: q0k5u6clocpc; Granted Authorities: ROLE_ANONYMOUS'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 5 of 7 in additional filter chain; firing Filter: 'SessionManagementFilter'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/applicationscaffold/c142d67e9948229be2b28e2a99e7c59a.cache.html'; against '/applicationscaffold.html'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html; Attributes: [hasRole('ROLE_USER')]
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: q0k5u6clocpc; Granted Authorities: ROLE_ANONYMOUS
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5f8d13b8, returned: -1
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
[INFO] org.springframework.security.access.AccessDeniedException: Access is denied
解决方案 Pure GWT solution:
- Do not use
http
element at all (http tag from config namespace)
- Define your AuthenticationRpcService
- Add AuthenticationRpcService.authenticate(user,password) method
- Inject into AuthenticationServiceImpl AuthenticationProvider bean from security-context.xml
Implement AuthenticationRpcService.authenticate(user,password) as :
User user = new User(login, password, true, true, true, true, new ArrayList<GrantedAuthority>());
Authentication auth = new UsernamePasswordAuthenticationToken(user, password,
new ArrayList<GrantedAuthority>());
try {
auth = this.authenticationProvider.authenticate(auth);
} catch (BadCredentialsException e) {
throw new ClientSideBadCredentialsException(e.getMessage(), e);
}
SecurityContext sc = new SecurityContextImpl();
sc.setAuthentication(auth);
SecurityContextHolder.setContext(sc);
Ensure that spring security filter chain is executed during processing of each your GWT RPC call (to be sure that SecurityContext populated into SecurityContextHolder).
- Secure all business services with @RolesAllowed({ "ADMIN_ROLE", "USER_ROLE" }) annotations
- Prepare your own ClientSideAcessDeniedException that can be used on client side
- In a case of spring AcessDeniedException propogate ClientSideAcessDeniedException to client side
- On client side set up UncaughtExceptionHandler via GWT.setUncaughtExceptionHandler
- In UncaughtExceptionHandler detect CustomAcessDeniedException and then show error to user.
这篇关于GWT Spring Security集成(PURE GWT,无JSP)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!