我想对SpringSecurity使用基于XML的配置。第一个想法是对用户密码使用SHA-256或任何其他哈希函数。我找不到用纯Java解决此问题的好方法,因此我开始在xml中配置内容。这就是开始变得有趣的时候了。
我的配置:
spring-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jdbc="http://www.springframework.org/schema/jdbc" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd> <http pattern="/css/**" security="none"/> <http pattern="/login.html*" security="none"/> <http> <intercept-url pattern="/**" access="ROLE_USER" /> <form-login login-page='/login.html'/> </http> <authentication-manager> <authentication-provider> <user-service> <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN"/> <user name="bob" password="bob" authorities="ROLE_USER"/> </user-service> </authentication-provider> </authentication-manager> </beans:beans>
我将xml文件加载到public static void main可以在其中找到的类中:
public static void main
@Configuration @ComponentScan @EnableAutoConfiguration @Order(HIGHEST_PRECEDENCE) @ImportResource({ "/spring-security.xml" }) public class PhrobeBootApplication extends SpringBootServletInitializer { ... }
但是我在任何页面加载时都遇到以下异常:
[ERROR] org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/].[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext ...
因此,似乎resources/WEB- INF/web.xml无法加载from的配置,如果我对文档有很好的了解,则应该在仅使用纯弹簧而没有引导的情况下使用它。(应配置过滤器)。我对吗?
resources/WEB- INF/web.xml
为什么会发生此错误?在spring-boot中,是否有更好的方法将基于xml的配置用于spring- security?web.xml甚至可以由tomcat加载吗?
根据 Dave Syer 在最新版的Spring Boot中的声明,配置Spring安全性的最佳方法是使用Java配置。
我需要一个SHA-256编码器,但是我没有找到任何简单而又好的实现方案。您只需要使用passwordEncoder配置jdbcAuthentication。这真的很简单:
@EnableWebSecurity public class SpringSecurityConfigurer extends WebMvcConfigurerAdapter { @Override public void addViewControllers(ViewControllerRegistry registry) { registry.addViewController("/login").setViewName("login"); } @Bean public ApplicationSecurity applicationSecurity() { return new ApplicationSecurity(); } @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter { @Autowired private SecurityProperties security; @Autowired private DataSource dataSource; @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/css/**").permitAll().anyRequest().fullyAuthenticated() .and().formLogin().loginPage("/login").failureUrl("/login?error").permitAll() .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login"); } PasswordEncoder sha256PasswordEncoder = new PasswordEncoder() { @Override public String encode(CharSequence rawPassword) { return Hashing.sha256().hashString(rawPassword, Charsets.UTF_8).toString(); } @Override public boolean matches(CharSequence rawPassword, String encodedPassword) { return encodedPassword.equals(Hashing.sha256().hashString(rawPassword, Charsets.UTF_8).toString()); } }; @Override public void configure(AuthenticationManagerBuilder auth) throws Exception { auth.jdbcAuthentication() .dataSource(this.dataSource) .passwordEncoder(sha256PasswordEncoder); } } }
