2016-12-01 53 views
1

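I am currently working on a web application that is accessed from an application pool. Basically, the pool provides a set of links to each application, passing along a key that identifies the previously logged-in user. Why is the filter chain never called?

The application in question should authorize the user with the given token (which may come from any request URL), store the user in the Spring Security context, and proceed to the controller. What happens instead is that the Spring Security filters are not invoked, and the controller returns a 500 instead of a 403.

I tried a few things and ended up with a custom entry point that forwards to a custom UsernamePasswordAuthenticationFilter, which retrieves the user, and then a custom AuthenticationProvider that should authorize the retrieved user, but I'm sure this is not the best approach.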

SecurityConfig.java

@Configuration 
@EnableWebSecurity 
@EnableGlobalMethodSecurity(securedEnabled = true) 
public class SecurityConfig extends WebSecurityConfigurerAdapter { 

    @Autowired 
    private SwgenAuthFilter swgenAuthFilter; 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http.httpBasic() 
      .and() 
       .authorizeRequests() 
       .anyRequest() 
       .authenticated() 
      .and() 
       .exceptionHandling() 
       .accessDeniedPage("/403") 
       .authenticationEntryPoint(new SwgenEntryPoint()) 
      .and() 
       .addFilter(swgenAuthFilter); 
    } 

    @Override 
    public void configure(WebSecurity web) throws Exception { 
     web.ignoring().antMatchers("/static/**"); 
    } 

    @Bean 
    @Override 
    public AuthenticationManager authenticationManagerBean() throws Exception { 
     return new ProviderManager(Arrays.asList(new SwgenAuthProvider())); 
    } 

} 

SwgenEntryPoint.java

public class SwgenEntryPoint implements AuthenticationEntryPoint { 

    @Override 
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) 
      throws IOException, ServletException { 
     RequestDispatcher dispatcher = request.getRequestDispatcher("/login"); 

     dispatcher.forward(request, response); 

     return; 
    } 

} 

SwgenAuthFilter.java

@Component 
public class SwgenAuthFilter extends UsernamePasswordAuthenticationFilter { 

    @Autowired 
    private SecurityProvider securityProvider; 

    @Override 
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { 
     try { 
      User user = securityProvider.getUser(request, response); 
      return new UsernamePasswordAuthenticationToken(user, null); 
     } catch (Exception e) { 
      throw new AuthenticationServiceException("Eccezione scatenata durante l'autenticazione", e); 
     } 
    } 

    @Override 
    @Autowired 
    public void setAuthenticationManager(AuthenticationManager authenticationManager) { 
     super.setAuthenticationManager(authenticationManager); 
    } 

} 

HomeController.java

@Controller 
public class HomeController { 

    static final private Logger logger = Logger.getLogger(HomeController.class); 

    @Secured({Role.ADMIN, Role.REGIONE}) 
    @RequestMapping(value = "/home") 
    public String home(Model model, HttpServletRequest request) { 
     // get user from SpringContextHolder 
     User utente = Utils.getUser(); 

     if(utente != null) { 
      logger.info("User correctly authenticated"); 
     } 

     return "home"; 
    } 
} 

Stack trace

2016-12-01 12::03:07.343 DEBUG [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] Secure object: ReflectiveMethodInvocation: public java.lang.String it.regioneveneto.sanita.progettobase.controller.HomeController.home(org.springframework.ui.Model,javax.servlet.http.HttpServletRequest); target is of class [it.regioneveneto.sanita.progettobase.controller.HomeController]; Attributes: [ROLE_MRA_ADMIN, ROLE_MRA_REGIONE, ROLE_MRA_ULSS] 
dic 01, 2016 12:03:07 PM org.apache.catalina.core.StandardWrapperValve invoke 
GRAVE: Servlet.service() for servlet [dispatcher] in context with path [/mra_auac] threw exception [Request processing failed; nested exception is org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext] with root cause 
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext 
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:379) 
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:223) 
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:65) 
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) 
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655) 
    at it.regioneveneto.sanita.progettobase.controller.HomeController$$EnhancerBySpringCGLIB$$8c44d861.home(<generated>) 
    ... 

Spring MVC: 4.3.4.RELEASE

Spring Security: 4.2.0.RELEASE

Edit:

web.xml

<?xml version="1.0" encoding="UTF-8"?> 
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"> 

    <display-name>mra_auac</display-name> 
    <description>MRA-AuAc</description> 

    <context-param> 
     <param-name>contextClass</param-name> 
     <param-value> 
      org.springframework.web.context.support.AnnotationConfigWebApplicationContext 
     </param-value> 
    </context-param> 

    <context-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value>it.regioneveneto.sanita.progettobase.configuration.AppConfig</param-value> 
    </context-param> 

    <listener> 
     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
    </listener> 

    <servlet> 
     <servlet-name>dispatcher</servlet-name> 
     <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
     <init-param> 
      <param-name>contextClass</param-name> 
      <param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value> 
     </init-param> 
     <init-param> 
      <param-name>contextConfigLocation</param-name> 
      <param-value> 
       it.regioneveneto.sanita.progettobase.configuration.HibernateConfig, 
       it.regioneveneto.sanita.progettobase.configuration.security.SecurityConfig 
      </param-value> 
     </init-param> 
     <multipart-config> 
      <max-file-size>20971520</max-file-size><!--20MB --> 
      <max-request-size>20971520</max-request-size><!--20MB --> 
      <file-size-threshold>0</file-size-threshold> 
     </multipart-config> 
    </servlet> 

    <servlet-mapping> 
     <servlet-name>dispatcher</servlet-name> 
     <url-pattern>/</url-pattern> 
    </servlet-mapping> 
    <error-page> 
     <error-code>404</error-code> 
     <location>/404.htm</location> 
    </error-page> 
    <error-page> 
     <error-code>500</error-code> 
     <location>/500.htm</location> 
    </error-page> 

    <session-config> 
     <session-timeout>60</session-timeout> 
    </session-config> 

</web-app> 

Answers

0

As shazin pointed out, your web.xml is missing the reference to springSecurityFilterChain. You can add it either his way, using XML as reported in the Spring Documentation:

<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class> 
    org.springframework.web.filter.DelegatingFilterProxy 
    </filter-class> 
</filter> 

<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
    <dispatcher>ERROR</dispatcher> 
    <dispatcher>REQUEST</dispatcher> 
</filter-mapping> 

or by having a class in your project that extends AbstractSecurityWebApplicationInitializer, like this:

public class SecurityWebApplicationInitializer 
    extends AbstractSecurityWebApplicationInitializer {} 

Then, if you want to reduce some code in your web.xml, you can easily replace

<init-param> 
    <param-name>contextConfigLocation</param-name> 
    <param-value> 
     it.regioneveneto.sanita.progettobase.configuration.HibernateConfig, 
     it.regioneveneto.sanita.progettobase.configuration.security.SecurityConfig 
    </param-value> 
</init-param> 

by annotating the class AppConfig with:

@Import({ SecurityConfig.class, HibernateConfig.class }) //remember to import them 

1

Your web.xml does not specify the springSecurityFilterChain filter.

<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter> 

<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 
+0

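This solved the problem, but in another project, using Spring '4.2.5.RELEASE' and Spring Security '4.0.4.RELEASE' with the same configuration, I did not need to add 'springSecurityFilterChain' to web.xml. What changed? – Bro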
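
A startup check for the misconfiguration discussed in this thread, as an added example that is not part of the original posts: a listener that aborts deployment when no filter named springSecurityFilterChain is registered or when it is not mapped to /*, so the application fails closed instead of serving controllers with an empty SecurityContext. The class name SecurityFilterChainGuard is hypothetical; it uses only the Servlet 3.0 API (javax.servlet), matching the web.xml in the question.

```java
import java.util.Collection;

import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

/**
 * Hypothetical guard (added example): refuses to start the web application
 * unless the Spring Security filter chain is wired into the servlet container.
 */
public class SecurityFilterChainGuard implements ServletContextListener {

    // Filter name that both answers register in web.xml or via the initializer.
    private static final String FILTER_NAME = "springSecurityFilterChain";
    // Mapping that covers every request path.
    private static final String REQUIRED_PATTERN = "/*";

    @Override
    public void contextInitialized(ServletContextEvent event) {
        verify(event.getServletContext());
    }

    static void verify(ServletContext ctx) {
        // Returns null when neither web.xml nor an initializer registered the filter.
        FilterRegistration reg = ctx.getFilterRegistration(FILTER_NAME);
        if (reg == null) {
            throw new IllegalStateException("Filter '" + FILTER_NAME
                    + "' is not registered: Spring Security would never see a request");
        }
        // A narrower mapping leaves some paths outside the security filters.
        Collection<String> patterns = reg.getUrlPatternMappings();
        if (!patterns.contains(REQUIRED_PATTERN)) {
            throw new IllegalStateException("Filter '" + FILTER_NAME
                    + "' is mapped to " + patterns + ", expected " + REQUIRED_PATTERN);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to release.
    }
}
```

Declare the class in a `<listener>` element in web.xml so the container calls it during startup; the exception thrown from contextInitialized makes the context fail to start.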
