2013-02-16 54 views
1

Creating secure pages in Spring

I am building a website with Spring and would like all pages under the folder "/admin" to be secured. However, I don't know where to start, and the only example I have to go on is a complicated one.

At work we store the details in a database, but I'm hoping this can be simpler than that, perhaps stored in context.xml or something? This is the page I'm faced with:

[screenshot of the page]

web.xml:

<security-constraint>
    <display-name>admin pages</display-name>
    <web-resource-collection>
        <web-resource-name>Administration Pages</web-resource-name>
        <description/>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>userAdmin</role-name>
    </auth-constraint>
    <!-- <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint> -->
</security-constraint>

and in Tomcat's users.xml I have the following password information:

<user password="password" roles="tomcat,role1,manager-script,manager-gui,admin,manager" username="user"/> 

But when I try to access the page /admin/adminindex.htm, I get a forbidden error:

Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

Ideally I would like to store the user details in a database, but I can't deal with that at the moment.

Answers

2

I would look into Spring Security, which offers a wide range of options for securing a site (including DB-backed or JNDI-backed security). The tutorial may be a good starting point.

+0

Thanks a lot! I'll look into it and let you know. – Jon 2013-02-16 18:30:47

0
This is how I secure applications using Spring Security. Here is the web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-servlet.xml
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>

<servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring-servlet.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>/myapp/*</url-pattern>
</servlet-mapping>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

spring-security.xml:

<security:http auto-config="true" use-expressions="true" access-denied-page="/"
               create-session="never" disable-url-rewriting="true">

    <security:intercept-url pattern="/myapp/auth/login" access="permitAll" />
    <security:intercept-url pattern="/myapp/main/**" access="hasRole('ROLE_USER')" />

    <security:form-login login-page="/" authentication-failure-url="/myapp/auth/login?error=true"
                         default-target-url="/myapp/main/default" />
    <security:logout invalidate-session="true" logout-success-url="/myapp/auth/login"
                     logout-url="/myapp/auth/logout" />

</security:http>


In order to authenticate against a database, you can use an authentication manager like this in spring-security.xml:



<security:authentication-manager>
    <security:authentication-provider user-service-ref="userService">
        <security:password-encoder ref="passwordEncoder" />
    </security:authentication-provider>
</security:authentication-manager>

Here "userService" is a service you define that has access to the database. Your service must implement org.springframework.security.core.userdetails.UserDetailsService and provide this method:


public UserDetails loadUserByUsername(String userName)
        throws UsernameNotFoundException, DataAccessException {
    // Replace loadUserFromDB with your data access method to pull the user
    // and encrypted password from the database
    Users u = loadUserFromDB(userName);
    if (u == null) {
        // UserDetailsService must never return null; signal a missing user
        // with this exception so Spring Security rejects the login
        throw new UsernameNotFoundException("No user found with name " + userName);
    }
    // Flags in order: enabled, accountNonExpired, credentialsNonExpired, accountNonLocked
    return new User(u.getEmail(), u.getPassword().toLowerCase(),
            true, true, true, true, getAuthorities(0));
}


Spring Security will use this method to secure your pages. Make sure to include this method as well:


public Collection<GrantedAuthority> getAuthorities(Integer access) {
    // Create the list of granted authorities (roles) for this user
    List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);
    authList.add(new GrantedAuthorityImpl("ROLE_USER"));
    authList.add(new GrantedAuthorityImpl("ROLE_ANONYMOUS"));
    return authList;
}
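Tying the answer back to the original question, the following spring-security.xml is an added example (not code from the question or either answer) that restricts /admin/** to ROLE_ADMIN, requires HTTPS for it (the equivalent of the commented-out CONFIDENTIAL transport guarantee), and keeps the users in memory with BCrypt-hashed passwords instead of a database. It assumes the Spring Security 3.1 namespace, the DelegatingFilterProxy mapped to /* as in the answer's web.xml, and a controller serving a /login view; the user name, role and hash placeholder are constructed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:http use-expressions="true">
        <!-- Ant-style pattern: /admin/** also matches nested paths such as
             /admin/users/list, which a plain /admin/* would not.
             Most specific rule first; intercept-url rules are matched in order. -->
        <security:intercept-url pattern="/admin/**"
                                access="hasRole('ROLE_ADMIN')"
                                requires-channel="https" />
        <!-- Everything else, including the /login view, stays public -->
        <security:intercept-url pattern="/**" access="permitAll" />

        <security:form-login login-page="/login"
                             authentication-failure-url="/login?error=true" />
        <security:logout logout-url="/logout" logout-success-url="/"
                         invalidate-session="true" />
    </security:http>

    <!-- Stored passwords are BCrypt hashes, never clear text as in tomcat-users.xml -->
    <bean id="passwordEncoder"
          class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <security:authentication-manager>
        <security:authentication-provider>
            <security:password-encoder ref="passwordEncoder" />
            <!-- In-memory users (constructed example); swap in a JDBC- or
                 JNDI-backed user-service later without touching the rules above.
                 Generate the hash with new BCryptPasswordEncoder().encode(...) -->
            <security:user-service>
                <security:user name="admin"
                               password="BCRYPT_HASH_OF_ADMIN_PASSWORD_PLACEHOLDER"
                               authorities="ROLE_ADMIN" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```

Because the hasRole check happens in the Spring Security filter chain rather than in Tomcat's realm, the container-managed security-constraint and the userAdmin role from the question are no longer needed for /admin.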