在Spring 3.1 Java Config中引用Spring Security配置 [英] Referencing Spring Security configuration within Spring 3.1 Java Config
本文介绍了在Spring 3.1 Java Config中引用Spring Security配置的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我最近将Spring的大多数配置切换为在Spring 3.1中使用基于代码的配置。但是,现在我已经切换,我的Spring Security无法正常工作并在Tomcat启动时抛出以下错误:
I recently switched a majority of my Spring configuration to use the code based config in Spring 3.1. However, now that I've switched, my Spring Security is not working correctly and throws the following error on Tomcat startup:
SEVERE: Exception starting filter springSecurityFilterChain
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined
我仍然在XML文件中有Spring Security,并且知道这不能在Spring中转换为Java配置,因为它是一个自定义命名空间,但是,我引用它在我的Java配置文件中。我还尝试将applicationContext-security.xml配置引用从Java配置移动到我的web.xml,没有任何运气。
I still have the Spring Security in an XML file, and know this can't be converted to Java config in Spring since it is a custom namespace, however, I am referencing it within my Java config file. I also tried moving the applicationContext-security.xml configuration reference from the Java config to my web.xml without any luck.
@Configuration
@EnableWebMvc
@Import(ServicesConfig.class)
@ImportResource({ "classpath:applicationContext-security.xml",
"classpath:dataSources.xml" })
@ComponentScan(basePackages = "com.foobar")
public class WebConfig {
// left out Beans for clarity
}
applicationContext-security.xml:
applicationContext-security.xml:
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2.xsd">
<!-- Security configuration -->
<global-method-security pre-post-annotations="enabled" />
<http use-expressions="true" access-denied-page="/error/accessDenied"
entry-point-ref="casEntryPoint">
<intercept-url pattern="/**" access="isAuthenticated()" />
<custom-filter position="CAS_FILTER" ref="casFilter" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="casAuthenticationProvider" />
</authentication-manager>
<!-- Bean definitions -->
<b:bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
p:serviceProperties-ref="serviceProperties" p:key="1234"
p:authenticationUserDetailsService-ref="userDetailsByNameServiceWrapper"
p:ticketValidator-ref="cas20ServiceTicketValidator" />
<b:bean id="userDetailsByNameServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper"
c:userDetailsService-ref="userDetailsService" />
<b:bean id="userDetailsService" class="foobar.MyUserDetailsService" />
<b:bean id="cas20ServiceTicketValidator"
class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"
c:casServerUrlPrefix="https://mycasserver/cas" />
<b:bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter"
p:authenticationManager-ref="authenticationManager" />
<b:bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
p:loginUrl="https://mycasserver/cas/login"
p:serviceProperties-ref="serviceProperties" />
<b:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"
p:service="https://foobar.com/services/j_spring_cas_security_check"
p:sendRenew="false" />
</b:beans>
web.xml :
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<description>My App</description>
<!-- Context Params -->
<context-param>
<param-name>contextClass</param-name>
<param-value>
org.springframework.web.context.support.AnnotationConfigWebApplicationContext
</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>foobar.WebConfig</param-value>
</context-param>
<!-- Filters -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Listeners -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Servlets -->
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextClass</param-name>
<param-value>
org.springframework.web.context.support.AnnotationConfigWebApplicationContext
</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
</web-app>
推荐答案
不要使用 security 命名空间快捷方式并将所有spring配置从XML迁移到Java。它将使您的安全性更加轻松。迁移到3.1后,我很快就会为我们的项目做这件事。
您可以找到非平凡的几乎普通的bean安全性XML配置示例此处。
Do not use security namespace shortcuts and migrate all spring configuration from XML to Java. It will make fine tuning of your security much easier. I'm going to do it for our project soon after migrating to 3.1.
You can find non-trivial almost plain-bean security XML config example here.
编辑:
完成配置(上面链接)迁移。故意将所有配置放入一个方法中以使其更短并且演示,每个过滤器不需要单独的spring bean。当然最好将复杂的init部分移动到单独的方法(如果需要,标记为 @Bean )。您可以在上面链接的 X509AnnotationTest.Config 中找到工作示例。
edit:
Finished config (linked above) migration. All config was put into one method deliberately to make it shorter and to demonstrate, that you don't need separate spring bean for every filter. Of course it's better to move complex init parts to separate methods (marked @Bean if necessary). You can find working example in the X509AnnotationTest.Config on the link above.
@Bean
public FilterChainProxy springSecurityFilterChain() throws Exception {
// AuthenticationEntryPoint
BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
entryPoint.setRealmName("AppName Realm");
// accessDecisionManager
List<AccessDecisionVoter> voters = Arrays.<AccessDecisionVoter>asList(new RoleVoter(), new WebExpressionVoter());
AccessDecisionManager accessDecisionManager = new AffirmativeBased(voters);
// SecurityExpressionHandler
SecurityExpressionHandler<FilterInvocation> securityExpressionHandler = new DefaultWebSecurityExpressionHandler();
// AuthenticationUserDetailsService
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> authenticationUserDetailsService = new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(authUserDetailService);
authenticationUserDetailsService.afterPropertiesSet();
// PreAuthenticatedAuthenticationProvider
PreAuthenticatedAuthenticationProvider preAuthenticatedAuthenticationProvider = new PreAuthenticatedAuthenticationProvider();
preAuthenticatedAuthenticationProvider.setPreAuthenticatedUserDetailsService(authenticationUserDetailsService);
preAuthenticatedAuthenticationProvider.afterPropertiesSet();
// AuthenticationManager
List<AuthenticationProvider> providers = Arrays.<AuthenticationProvider>asList(preAuthenticatedAuthenticationProvider);
AuthenticationManager authenticationManager = new ProviderManager(providers);
// HttpSessionSecurityContextRepository
HttpSessionSecurityContextRepository httpSessionSecurityContextRepository = new HttpSessionSecurityContextRepository();
// SessionRegistry
SessionRegistry sessionRegistry = new SessionRegistryImpl();
// ConcurrentSessionControlStrategy
ConcurrentSessionControlStrategy concurrentSessionControlStrategy = new ConcurrentSessionControlStrategy(sessionRegistry);
// ConcurrentSessionFilter
ConcurrentSessionFilter concurrentSessionFilter = new ConcurrentSessionFilter(sessionRegistry);
concurrentSessionFilter.afterPropertiesSet();
// SecurityContextPersistenceFilter
SecurityContextPersistenceFilter securityContextPersistenceFilter = new SecurityContextPersistenceFilter(httpSessionSecurityContextRepository);
// X509AuthenticationFilter
X509AuthenticationFilter x509AuthenticationFilter = new X509AuthenticationFilter();
x509AuthenticationFilter.setAuthenticationManager(authenticationManager);
x509AuthenticationFilter.afterPropertiesSet();
// RequestCacheAwareFilter
RequestCacheAwareFilter requestCacheAwareFilter = new RequestCacheAwareFilter();
// SecurityContextHolderAwareRequestFilter
SecurityContextHolderAwareRequestFilter securityContextHolderAwareRequestFilter = new SecurityContextHolderAwareRequestFilter();
// SessionManagementFilter
SessionManagementFilter sessionManagementFilter = new SessionManagementFilter(httpSessionSecurityContextRepository, concurrentSessionControlStrategy);
// ExceptionTranslationFilter
ExceptionTranslationFilter exceptionTranslationFilter = new ExceptionTranslationFilter(entryPoint);
exceptionTranslationFilter.setAccessDeniedHandler(new AccessDeniedHandlerImpl());
exceptionTranslationFilter.afterPropertiesSet();
// FilterSecurityInterceptor
FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();
filterSecurityInterceptor.setAuthenticationManager(authenticationManager);
filterSecurityInterceptor.setAccessDecisionManager(accessDecisionManager);
LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> map = new LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();
map.put(new AntPathRequestMatcher("/**"), Arrays.<ConfigAttribute>asList(new SecurityConfig("isAuthenticated()")));
ExpressionBasedFilterInvocationSecurityMetadataSource ms = new ExpressionBasedFilterInvocationSecurityMetadataSource(map, securityExpressionHandler);
filterSecurityInterceptor.setSecurityMetadataSource(ms);
filterSecurityInterceptor.afterPropertiesSet();
// SecurityFilterChain
SecurityFilterChain chain = new DefaultSecurityFilterChain(new AntPathRequestMatcher("/**"),
concurrentSessionFilter,
securityContextPersistenceFilter,
x509AuthenticationFilter,
requestCacheAwareFilter,
securityContextHolderAwareRequestFilter,
sessionManagementFilter,
exceptionTranslationFilter,
filterSecurityInterceptor);
return new FilterChainProxy(chain);
}
这篇关于在Spring 3.1 Java Config中引用Spring Security配置的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
