无法让Spring Security工作

Question

我是Spring Security的新手，所以我可能会错过某些东西。我有一个Spring应用程序，该应用程序使用我希望使用Spring Security来保护的WebApplication来启动一个Jetty。该webapp正在运行并可以访问，但不受限制。我尝试了很多东西，但没有任何工作，所以我把它分解为一个最小的设置，但仍然没有机会。 web应用程序由以下Java配置配置：

@EnableWebMvc 
@Configuration 
@Import(SecurityConfiguration.class) 
@ComponentScan(useDefaultFilters = false, basePackages = { "myapp.web" }, includeFilters = { @ComponentScan.Filter(Controller.class) }) 
public class SpringMvcConfiguration extends WebMvcConfigurerAdapter { 
    /** 
    * Allow the default servlet to serve static files from the webapp root. 
    */ 
    @Override 
    public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) { 
     configurer.enable(); 
    } 
} 

和Spring安全以下配置：

@Configuration 
@EnableWebSecurity 
public class SecurityConfiguration extends WebSecurityConfigurerAdapter { 

    @Autowired 
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { 
     auth 
     .inMemoryAuthentication() 
     .withUser("user") 
     .password("password") 
     .roles("ADMIN") 
     .authorities("ADMIN"); 
    } 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http 
     .authorizeRequests() 
     .anyRequest() 
     .hasAuthority("ADMIN"); 
    } 
} 

和一些控制是这样的：

@Controller 
public class SecuredController { 

    @RequestMapping(value = "/secure", method = RequestMethod.GET) 
    @ResponseBody 
    public String secured() { 
     return "you should not see this unless you provide authentication"; 
    } 
} 

一切始于了所有的权利，日志告诉我，控制器映射...

[2014-10-01 20:21:29,538, INFO ] [main] mvc.method.annotation.RequestMappingHandlerMapping:197 - Mapped "{[/secure],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String myapp.web.SecuredController.secured() 

...和安全到位，以及...

[2014-10-01 20:21:30,298, INFO ] [main] gframework.security.web.DefaultSecurityFilterChain:28 - Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@352c308, org.springframework.security.web.context.SecurityContextPersistenceFilter@2af616d3, org.springframework.security.web.header.HeaderWriterFilter@1a2e2935, org.springframework.security.web.csrf.CsrfFilter@64f857e7, org.springframework.security.web.authentication.logout.LogoutFilter@bc57b40, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3deb2326, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@7889a1ac, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@7d373bcf, org.springframework.security.web.session.SessionManagementFilter@5922ae77, org.springframework.security.web.access.ExceptionTranslationFilter@7e1a1da6, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@1051817b] 

...但/secure URL我的控制器是无条件地到达。我究竟做错了什么？

ps。我想避免xml配置

Answer 1

为了将Spring Security与Spring MVC集成，您必须使用@EnableWebMvcSecurity注释，而不是类中的@EnableWebSecurity。

Answer 2

我算了一下，我不得不在春季安全配置的初始化移动到根上下文，而不是调度员servlet上下文，并添加以下行，其中配置我的嵌入式码头的背景：

context.addFilter(new FilterHolder(new DelegatingFilterProxy("springSecurityFilterChain")), "/*", EnumSet.allOf(DispatcherType.class));