使用 Spring Security 4 无需编码即可保护简单页面,但在 Tomcat 中不起作用

Spring Security 4 to secure simple page without coding not working in Tomcat

我做了一个简单的项目,使用 Spring 安全来保护一个简单的页面。

您可以从这里下载项目。

这是我的 web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Servlet 2.5 deployment descriptor for the example application.
  It declares no servlet of its own and no <security-constraint>: every access
  decision is left to the Spring Security filter registered below.
  metadata-complete="true" tells the container not to scan classes for
  annotations, so this file is the whole web configuration.
-->
<web-app metadata-complete="true" version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>Spring Security Example</display-name>
    <!-- Read by the ContextLoaderListener declared further down: the root
         application context is built from spring-security.xml on the classpath. -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring-security.xml</param-value>
    </context-param>
    <!-- DelegatingFilterProxy hands each request to the bean whose name equals
         <filter-name>; "springSecurityFilterChain" is the bean that the Spring
         Security namespace registers, so the name must stay exactly as written. -->
    <filter>
        <description>Spring Security filter</description>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <!-- "/*" sends every request through the security chain, static files included.
         No <dispatcher> is listed, so only REQUEST dispatches are filtered;
         forwards, includes and error dispatches bypass the chain. -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- Creates the root application context at startup; the filter above
         fails to initialise if this context (and its filter-chain bean) is missing. -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <!-- Maps *.html to a servlet named "default". That servlet is not declared in
         this file; the name is supplied by the container.
         NOTE(review): the answer on this page reports that removing this mapping
         fixes the HTTP 404 seen on Tomcat 8/9. -->
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>*.html</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>
</web-app>

spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 4 namespace configuration for the example: one in-memory user,
  form and HTTP Basic login, everything except /login and /logout restricted to
  ROLE_USER. Several settings below are demo conveniences that weaken the
  defaults; each is marked where it occurs.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
    <!-- Method-level security annotations are all switched off here; change
         "disabled" to "enabled" on an attribute to activate that annotation family. -->
    <global-method-security pre-post-annotations="disabled" secured-annotations="disabled" jsr250-annotations="disabled"/>
    <!-- security="none" means no filter chain at all for this path: no
         authentication and no security response headers either. -->
    <http pattern="/favicon.ico" security="none"/>
    <!-- Main chain. auto-config="false": only the features listed as child
         elements are enabled. disable-url-rewriting="true" keeps the session id
         out of URLs. create-session="always" creates a session for every request,
         anonymous ones included. -->
    <http use-expressions="true"  disable-url-rewriting="true"  create-session="always" auto-config="false">
        <!-- Rules are evaluated top to bottom and the first match wins, so the two
             permitAll entries must stay above the catch-all "/**" rule.
             requires-channel="any" accepts plain HTTP as well as HTTPS: unless TLS
             is enforced elsewhere, credentials and the session cookie can travel
             in clear text. -->
        <intercept-url pattern="/login" access="permitAll" requires-channel="any"/>
        <intercept-url pattern="/logout" access="permitAll" requires-channel="any"/>
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" requires-channel="any"/>
        <!-- No login-page attribute: Spring Security serves its generated login
             form at /login. -->
        <form-login/>
        <!-- HTTP Basic is accepted in addition to the form; Basic credentials are
             sent with every request, so the channel note above applies here too. -->
        <http-basic />
        <logout />
        <!-- On login a new session is created and the old attributes are copied over. -->
        <session-management session-fixation-protection="migrateSession"/>
        <!-- CSRF protection is on by default in Spring Security 4; this line turns
             it off, so state-changing requests carry no token check and logout
             also answers to GET. Demo convenience: re-enable before real use. -->
        <csrf disabled="true"/>
        <!-- The child elements restate default response headers, with one
             exception: Strict-Transport-Security is switched off, which matches
             the plain-HTTP allowance above and should be revisited once the site
             is HTTPS-only. -->
        <headers>
            <cache-control/>
            <content-type-options/>
            <frame-options/>
            <hsts disabled="true"/>
            <xss-protection/>
        </headers>
    </http>

    <!-- Demo-only authentication: a single user defined in this file, with the
         password stored and compared unhashed (hash="plaintext"). Anyone who can
         read the packaged WAR can read the credential. Outside a demo, keep
         credentials out of the config and store them with a one-way adaptive
         hash such as bcrypt. -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <password-encoder hash="plaintext"/>
            <user-service>
                <user name="john" password="smith" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

Maven环境下,运行:

mvn jetty:run

一切顺利。

当我打包并部署到 Tomcat 8/9 时,只返回 HTTP 404。

请删除 web.xml 中 default servlet 的映射,之后即可正常工作。

<!-- NOTE(review): default-servlet mappings quoted by the answer; presumably these
     are the entries to delete from the project's web.xml (the web.xml quoted in
     the question shows only the *.html one). The servlet name "default" is
     supplied by the container, not declared in this fragment. -->
<servlet-mapping>
            <servlet-name>default</servlet-name>
            <url-pattern>*.css</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
            <servlet-name>default</servlet-name>
            <url-pattern>*.js</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
            <servlet-name>default</servlet-name>
            <url-pattern>*.gif</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
            <servlet-name>default</servlet-name>
            <url-pattern>*.jpg</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
            <servlet-name>default</servlet-name>
            <url-pattern>*.png</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
            <servlet-name>default</servlet-name>
            <url-pattern>*.html</url-pattern>
        </servlet-mapping>