How to secure a hybrid Spring MVC + Flex application with Spring Security

Problem description

I tried asking this on the Spring forums ( forum.springsource/showthread.php?109948-Problem-configuring-spring-security-3.1-with-hybrid-Spring-MVC-Flex-application ) but did not get a response.

I'm working on a web application that has an (end user) user interface built in Flex and a management user interface built using Spring MVC. I'm trying to secure both interfaces and can get each one working separately, but not together.

I'm using a snapshot build of spring-flex-core 1.5.0 with Spring Security 3.1RC1 and Spring 3.1M1

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- All Spring Security related configuration goes here -->
    <security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>

    <security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
        <security:anonymous enabled="false"/>
    </security:http>

    <bean id="entryPoint" class="org.springframework.flex.security3.FlexAuthenticationEntryPoint"/>

    <security:http pattern="/favicon.ico" security="none"/>
    <security:http pattern="/login*" security="none"/>
    <security:http pattern="/logoutSuccess*" security="none"/>
    <security:http pattern="/apollo/css/**" security="none"/>
    <security:http pattern="/apollo/js/**" security="none"/>
    <security:http pattern="/apollo/img/**" security="none"/>
    <security:http pattern="/common/css/**" security="none"/>
    <security:http pattern="/common/js/**" security="none"/>
    <security:http pattern="/common/img/**" security="none"/>
    <security:http pattern="/MoneyManager.swf" security="none"/>
    <security:http pattern="/assets/**" security="none"/>
    <security:http pattern="/index.jsp" security="none"/>

    <security:http servlet-api-provision="true">
        <security:intercept-url pattern="/cms/*" access="ROLE_ADMIN"/>
        <security:intercept-url pattern="/cms/users/*" access="ROLE_ADMIN,ROLE_USER_MANAGER"/>
        <security:intercept-url pattern="/cms/content/*" access="ROLE_ADMIN,ROLE_CONTENT_MANAGER"/>
        <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
        <security:form-login login-page="/login.html" default-target-url="/home.html"
                             always-use-default-target="false" authentication-failure-url="/login.html"/>
        <security:remember-me/>
        <security:logout logout-url="/logout" logout-success-url="/default.html"/>
    </security:http>

    <bean id="successfulLogInListener" class="uk.co.ecube.web.security.SuccessfulLogInListener"/>
    <bean id="failedLogInListener" class="uk.co.ecube.web.security.FailedLogInListener"/>

    <security:authentication-manager>
        <security:authentication-provider user-service-ref='userService'/>
    </security:authentication-manager>
</beans>

If I include only the first http tag without the pattern attribute then the flex UI appears to authenticate successfully using Spring security. However if I include all the <http> tags then I get one of two errors depending on whether I use

<security:http entry-point-ref="entryPoint">
    <security:anonymous enabled="false"/>
</security:http>

which gives

SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: The filter chain map already contains this request matcher [Root bean: class [org.springframework.security.web.util.AnyRequestMatcher]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null]. If you are using multiple <http> namespace elements, you must use a 'pattern' attribute to define the request patterns to which they apply.

or

<security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
    <security:anonymous enabled="false"/>
</security:http>

which results in

SEVERE: Servlet /apollo threw load() exception
org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type [org.springframework.security.web.authentication.session.SessionAuthenticationStrategy] is defined: expected single matching bean but found 2: [org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy#0, org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy#1]
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:796)

I'm obviously missing something but while the Spring Flex documentation describes how to configure a hybrid MVC+Flex application at the servlet level it appears to only consider security from the perspective of a flex-only application.

Can anyone suggest what I'm doing wrong?

thanks

Dave

Solution

One thing I've used before when dealing with the same issue was to have 2 separate DispatcherServlets:

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>flex</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>flex</servlet-name>
    <url-pattern>/messagebroker/*</url-pattern>
</servlet-mapping>

<servlet>
    <servlet-name>spring-mvc</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>spring-mvc</servlet-name>
    <url-pattern>/spring/*</url-pattern>
</servlet-mapping>

You also need to update your security configuration by modifying the MVC paths to /spring/...

I'm almost sure that this isn't the best solution when you use SpringDS instead of BlazeDS. There's gotta be a more optimal way!

You can also try to remove:

<security:http pattern="/messagebroker/**" entry-point-ref="entryPoint">
    <security:anonymous enabled="false"/>
</security:http>

And instead of that try using this:

<flex:message-broker mapping-order="1">
    <flex:mapping pattern="/messagebroker/*"/>
    <flex:message-service default-channels="amf, polling-amf, longpolling-amf"/>
    <flex:secured>
        <flex:secured-channel channel="amf" access="ROLE_SOME_ROLE"/>
    </flex:secured>
</flex:message-broker>

Keep in mind that the authentication should be done through the channelSet on the Flex client!
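
The following is an added example, not part of the original question or answer and not code from the Spring projects: a small Python model of how a configuration like the one in the question is resolved, where the first matching <http> element wins and, inside it, the first matching <intercept-url> wins. The Ant-style matcher is a simplified approximation, CONFIG is a trimmed, constructed copy of the question's file, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

SEC = "http://www.springframework.org/schema/security"
# Constructed sample: a trimmed copy of the configuration in the question.
CONFIG = f"""<beans xmlns:security="{SEC}">
  <security:http pattern="/messagebroker/**" entry-point-ref="entryPoint"/>
  <security:http pattern="/login*" security="none"/>
  <security:http servlet-api-provision="true">
    <security:intercept-url pattern="/cms/*" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/cms/users/*" access="ROLE_ADMIN,ROLE_USER_MANAGER"/>
    <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
  </security:http>
</beans>"""

def ant_to_regex(pattern):
    """Simplified Ant matcher (assumption): '**' spans directories, '*' stays in one segment."""
    head, tail = (pattern[:-3], "(/.*)?") if pattern.endswith("/**") else (pattern, "")
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", head)
    return re.compile("".join(tokens.get(p, re.escape(p)) for p in parts) + tail)

def load_chains(xml_text):
    """Return <http> elements in declaration order; allow only one without 'pattern'."""
    chains = ET.fromstring(xml_text).findall(f"{{{SEC}}}http")
    if sum(c.get("pattern") is None for c in chains) > 1:
        raise ValueError("multiple <http> elements without a 'pattern' attribute")
    return chains

def resolve(chains, path):
    """First matching <http> wins; inside it the first matching <intercept-url> wins."""
    for chain in chains:
        pattern = chain.get("pattern")
        if pattern is not None and not ant_to_regex(pattern).fullmatch(path):
            continue
        if chain.get("security") == "none":
            return pattern, "security=none"
        for rule in chain.findall(f"{{{SEC}}}intercept-url"):
            if ant_to_regex(rule.get("pattern")).fullmatch(path):
                return pattern, rule.get("access")
        return pattern, "no intercept-url rule"
    return None, "no chain"

if __name__ == "__main__":
    chains = load_chains(CONFIG)
    for p in ("/messagebroker/amf", "/login.html", "/cms/users",
              "/cms/users/edit", "/cms/users/edit/7"):
        print(p, "->", resolve(chains, p))
```

Because a single `*` does not cross a `/`, a deeper path such as /cms/users/edit/7 matches neither /cms/* nor /cms/users/* and is decided by the /** rule, where ROLE_USER is sufficient. Patterns of the form /cms/** cover the whole subtree.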
