Spring Method Level Security fails on second call

Problem description

I want to use method level security on my GWT application. I'm trying to use Spring Security 3.1, as I found a working example here, but it doesn't use form-login. After reading this answer the first method call successfully obtains the SecurityContext, but then clears it before the next call:

[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@6fe9f089: Authentication: org.example.MyAppName.server.auth.MyAppNameUserAuthentication@6fe9f089'
...
[org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor] - Authorization successful
...
[org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
...
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
...
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - HttpSession returned null object for SPRING_SECURITY_CONTEXT

The second call happens straight after the first and just after the user logs in.

Is it because I followed the other answer and removed <http pattern="/MyAppName/**" security="none" /> and added <intercept-url pattern="/MyAppName/**" access="permitAll()" />?

My filters are as follows:

<http pattern="/favicon.ico" security="none" />

<http access-decision-manager-ref="accessDecisionManager" use-expressions="true" auto-config="false" entry-point-ref="LoginUrlAuthenticationEntryPoint">
  <form-login login-page="/Login.html" always-use-default-target="true" default-target-url="/Main.html?gwt.codesvr=127.0.0.1:9997" />
  <intercept-url pattern="/Login.html" access="permitAll()" />
  <intercept-url pattern="/Login2.html" access="permitAll()" />
  <intercept-url pattern="/MyAppName/**" access="permitAll()" />
  <intercept-url pattern="/**" access="isAuthenticated()" />
  <logout delete-cookies="JSESSIONID" logout-success-url="/Login.html" />
  <remember-me token-validity-seconds="86400" key="key" user-service-ref="userDetailsService" />
</http>

Following the example I obtained I use AspectJ for the global method security, but would not use it if I could get that working:

<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" mode="aspectj" proxy-target-class="true" >
  <expression-handler ref="expressionHandler"/>
</global-method-security>

Thank you for taking the time to read this

Please let me know if more detail is needed.

Solution

This problem has been solved.

The last part of the solution was to remove the request to make SecurityContextHolder global.

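If you are having the same problem, you might find this post helpful: http://forum.springsource.org/showthread.php?111996-Method-Level-Security-only-working-on-first-call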
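
The following is an added example, not code from the original question or answer. It shows why a global SecurityContextHolder strategy breaks per-request authentication: under MODE_GLOBAL every thread shares one context, so the `clearContext()` call that ends one request also wipes the context another request is still using. It assumes spring-security-core is on the classpath; the class name, method name, user name and role are constructed for illustration.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class HolderStrategyDemo {

    // Returns true if the caller's Authentication is still present after a
    // second "request" thread has finished and cleared the holder.
    static boolean survivesOtherRequest(String strategyName) throws InterruptedException {
        SecurityContextHolder.setStrategyName(strategyName);
        SecurityContextHolder.clearContext();

        // Request A: the persistence filter has loaded the logged-in user
        // from the HttpSession into the holder (constructed sample user).
        Authentication user = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContextHolder.getContext().setAuthentication(user);

        // Request B completes on another thread. SecurityContextPersistenceFilter
        // clears the holder when request processing ends, as the log shows.
        Thread requestB = new Thread(new Runnable() {
            public void run() {
                SecurityContextHolder.clearContext();
            }
        });
        requestB.start();
        requestB.join();

        // Request A now reaches a method protected by @Secured/@PreAuthorize.
        return SecurityContextHolder.getContext().getAuthentication() != null;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("MODE_GLOBAL      survives: "
                + survivesOtherRequest(SecurityContextHolder.MODE_GLOBAL));
        System.out.println("MODE_THREADLOCAL survives: "
                + survivesOtherRequest(SecurityContextHolder.MODE_THREADLOCAL));
    }
}
```

The same sharing works in the other direction as well: with a global holder, an Authentication set by one user's request is visible to any other request running in the same JVM, so the default thread-local strategy is the one to keep in a servlet container.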
