Spring Security 3.1.4 taglib authorize/authentication are not working with role hierarchy in JSF 2.2 on Tomcat 7

Posted 2013-10-23 14:41:11

Question:

The role hierarchy is taken into account for web security expressions defined as intercept-url entries through the http namespace, but it is not taken into account in expressions used with the JSP authorize taglib.

I have already read a lot about this... ref1 ref2 ref3 ref4 ref5 ref6

**** EDIT: **** Ref1 and Ref6 mention issues with filter ordering and with the security context not being available in JSP... (by the way, I am using JSF 2) maybe there is something to dig into there...

EDIT 2: Does JSF process the security taglib at all? I read this and tried that, without success.

EDIT 3: I tried installing spring-faces 2.3.2 and spring-security-taglibs through Maven... nothing happens... some tutorials say to create a custom taglib.xml, but that does not work either; I think it applies to older versions...

I tested facesContext.externalContext.isUserInRole('ROLE') and sec:authorize access="hasRole('Role')"... the first one only works when it is exactly the same ROLE and does not take the hierarchy into account... and sec:authorize does nothing at all: every role gets printed.

See the example below, with a user that holds the role ROLE_ADMIN_PROFILER_NGS:

    <!-- user holds ROLE_ADMIN_PROFILER_NGS; EL must be wrapped in #{...} -->
    <h:outputText rendered="#{facesContext.externalContext.isUserInRole('ROLE_ADMIN_PROFILER_NGS')}"
                  value="ROLE_ADMIN_PROFILER_NGS" /> <!-- WORKS --><br />
    <h:outputText rendered="#{facesContext.externalContext.isUserInRole('ROLE_GUEST')}"
                  value="ROLE_GUEST" /> <!-- SHOULD APPEAR BUT NOTHING HAPPENS --><br />
    <h:outputText rendered="#{facesContext.externalContext.isUserInRole('ROLE_ADMIN')}"
                  value="ROLE_ADMIN" /> <!-- SHOULD NOT APPEAR, AND THAT IS THE CASE --><br />

    <!-- ALL THREE OF THE FOLLOWING ARE DISPLAYED WITHOUT ANY AUTHORIZATION CHECK -->
    <sec:authorize access="hasRole('ROLE_ADMIN_PROFILER_NGS')">ROLE_ADMIN_PROFILER_NGS<br /></sec:authorize>
    <sec:authorize access="hasRole('ROLE_GUEST')">ROLE_GUEST<br /></sec:authorize>
    <sec:authorize access="hasRole('ROLE_ADMIN')">ROLE_ADMIN<br /></sec:authorize>

Here is what I tried in order to test the role hierarchy:

When the user only has the role GUEST... all the tags are displayed... they should not all appear; only GUEST (see the definition at the bottom) should appear:

    <sec:authentication property="username" />
    <sec:authorize access="hasRole('ROLE_BABAB')">BABA</sec:authorize>
    <sec:authorize access="hasRole('ROLE_GUEST')">GUEST</sec:authorize>
    <sec:authorize access="hasRole('ROLE_ADMIN')">ADMIN</sec:authorize>

Here is my security configuration:

    <security:http auto-config="true" access-decision-manager-ref="accessDecisionManager"
                   use-expressions="true" disable-url-rewriting="true">
        <security:intercept-url pattern="/Participant/New/*" access="hasRole('ROLE_ADMIN')" />
        <security:intercept-url pattern="/Home" access="hasRole('ROLE_GUEST')" />
        <security:intercept-url pattern="/Login" access="hasRole('ROLE_ANONYMOUS')" />
        <security:intercept-url pattern="/Login/Error" access="hasRole('ROLE_ANONYMOUS')" />
        <security:form-login login-page="/Login" login-processing-url="/j_spring_security_check"
                             authentication-failure-url="/Login/Error" default-target-url="/Home" />
        <security:logout logout-url="/j_spring_security_logout" logout-success-url="/Home"
                         delete-cookies="JSESSIONID" invalidate-session="true" />
        <security:anonymous />
        <security:expression-handler ref="defaultWebSecurityExpressionHandler" />
        <security:session-management invalid-session-url="/Login">
            <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </security:session-management>
        <security:port-mappings>
            <security:port-mapping http="8086" https="8443" />
        </security:port-mappings>
    </security:http>

    <beans:bean id="defaultWebSecurityExpressionHandler"
                class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
        <beans:property name="roleHierarchy" ref="roleHierarchy" />
    </beans:bean>

    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:ref bean="roleVoter" />
                <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                    <beans:property name="expressionHandler" ref="defaultWebSecurityExpressionHandler" />
                </beans:bean>
                <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </beans:list>
        </beans:property>
    </beans:bean>

    <beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
        <beans:constructor-arg ref="roleHierarchy" />
    </beans:bean>

    <beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <beans:property name="hierarchy">
            <beans:value>
                ROLE_ADMIN > ROLE_ADMIN_PROFILER_NGS
                ROLE_ADMIN_PROFILER_NGS > ROLE_GUEST
                ROLE_GUEST > ROLE_GUEST_PROFILER_NGS
                ROLE_ADMIN > ROLE_ADMIN_PROFILER_CGH
                ROLE_ADMIN_PROFILER_CGH > ROLE_GUEST
                ROLE_GUEST > ROLE_GUEST_PROFILER_CGH
            </beans:value>
        </beans:property>
    </beans:bean>

Thanks a lot, and if you have other ideas to test, they are welcome...

EDIT 4:

Why does RoleHierarchyVoter return 0 while WebExpressionVoter returns 1... is that normal?

    14:48:32,861 DEBUG FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL: /Home; Attributes: [hasRole('ROLE_GUEST')]
    14:48:32,861 DEBUG FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@43a64f5f: Principal: com.clb.genomic.lyon.model.User@d46: Username: jp; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN_PROFILER_NGS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 192.168.154.18; SessionId: 084939D4E097F41ACA6A1F24CD8390BE; Granted Authorities: ROLE_ADMIN_PROFILER_NGS
    14:48:32,861 DEBUG RoleHierarchyImpl:117 - getReachableGrantedAuthorities() - From the roles [ROLE_ADMIN_PROFILER_NGS] one can reach [ROLE_GUEST_PROFILER_NGS, ROLE_GUEST_PROFILER_CGH, ROLE_ADMIN_PROFILER_NGS, ROLE_GUEST] in zero or more steps.
    14:48:32,861 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.access.vote.RoleHierarchyVoter@6ff43d69, returned: 0
    14:48:32,862 DEBUG RoleHierarchyImpl:117 - getReachableGrantedAuthorities() - From the roles [ROLE_ADMIN_PROFILER_NGS] one can reach [ROLE_GUEST_PROFILER_NGS, ROLE_GUEST_PROFILER_CGH, ROLE_ADMIN_PROFILER_NGS, ROLE_GUEST] in zero or more steps.
    14:48:32,862 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3fe932d5, returned: 1
    14:48:32,862 DEBUG FilterSecurityInterceptor:215 - Authorization successful

EDIT 5:

    <beans:bean id="login" class="com.clb.genomic.lyon.beans.LoginBean" scope="session">
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="userBo">
            <security:password-encoder ref="standardPasswordEncoder" />
        </security:authentication-provider>
    </security:authentication-manager>

Comments on the question:

Still stuck on that... I have been googling for almost two days... going crazy. Please help me... ***.com/questions/23031265/… Thanks!

Answer 1:

Getting the RoleHierarchy set in all the right places can be quite challenging. Spring WebFlow currently reimplements a lot of the functionality (i.e. it reimplements the taglibs rather than extending Spring Security's base tags), so this approach is unlikely to work.

An alternative that works seamlessly with JSF is to create a RoleHierarchyAuthoritiesMapper and plug it into your AuthenticationProvider. For example, the following configuration should give you the hierarchy you are looking for.

    <security:http auto-config="true" use-expressions="true" disable-url-rewriting="true">
        <security:intercept-url pattern="/Participant/New/*" access="hasRole('ROLE_ADMIN')" />
        <security:intercept-url pattern="/Home" access="hasRole('ROLE_GUEST')" />
        <security:intercept-url pattern="/Login" access="hasRole('ROLE_ANONYMOUS')" />
        <security:intercept-url pattern="/Login/Error" access="hasRole('ROLE_ANONYMOUS')" />
        <security:form-login login-page="/Login" login-processing-url="/j_spring_security_check"
                             authentication-failure-url="/Login/Error" default-target-url="/Home" />
        <security:logout logout-url="/j_spring_security_logout" logout-success-url="/Home"
                         delete-cookies="JSESSIONID" invalidate-session="true" />
        <security:anonymous />
        <security:session-management invalid-session-url="/Login">
            <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </security:session-management>
        <security:port-mappings>
            <security:port-mapping http="8086" https="8443" />
        </security:port-mappings>
    </security:http>

    <!-- registers the provider below with the authentication manager (this wiring was
         not shown in the original answer; without it the provider bean is never used) -->
    <security:authentication-manager>
        <security:authentication-provider ref="authenticationProvider" />
    </security:authentication-manager>

    <beans:bean id="authenticationProvider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService" />
        <!-- expands each user's roles through the hierarchy at login, so the resulting
             Authentication carries every reachable role -->
        <beans:property name="authoritiesMapper">
            <beans:bean class="org.springframework.security.access.hierarchicalroles.RoleHierarchyAuthoritiesMapper">
                <beans:constructor-arg ref="roleHierarchy" />
            </beans:bean>
        </beans:property>
        <!-- legacy unsalted MD5 encoder, as used in the answer; the in-memory users below carry MD5 digests -->
        <beans:property name="passwordEncoder">
            <beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
        </beans:property>
    </beans:bean>

    <beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <beans:property name="hierarchy">
            <beans:value>
                ROLE_ADMIN > ROLE_ADMIN_PROFILER_NGS
                ROLE_ADMIN_PROFILER_NGS > ROLE_GUEST
                ROLE_GUEST > ROLE_GUEST_PROFILER_NGS
                ROLE_ADMIN > ROLE_ADMIN_PROFILER_CGH
                ROLE_ADMIN_PROFILER_CGH > ROLE_GUEST
                ROLE_GUEST > ROLE_GUEST_PROFILER_CGH
            </beans:value>
        </beans:property>
    </beans:bean>

    <security:user-service id="userDetailsService">
        <security:user name="joe" password="bf403351dfb2ae819874163aff25a49c" authorities="ROLE_ADMIN" />
        <security:user name="pete" password="5d2ea1f70185e4357183bb9c00187219" authorities="ROLE_ADMIN_PROFILER_CGH" />
    </security:user-service>

Another highlight is that we no longer need the following beans:

- accessDecisionManager
- defaultWebSecurityExpressionHandler
- roleVoter
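As an added example, not part of the original answer or question, here is the answer's RoleHierarchyAuthoritiesMapper approach rewired for the setup the question shows in Edit 5: a database-backed UserDetailsService (bean id userBo), the standardPasswordEncoder bean and the authenticationManager alias the LoginBean depends on. The beans userBo and standardPasswordEncoder are assumed to be defined elsewhere in the same context, exactly as in the question; the bean id hierarchyAwareProvider is a name chosen here.

```xml
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- No access-decision-manager-ref and no expression-handler any more: the hierarchy is
         applied once, at login, so the default hasRole() already sees the expanded roles. -->
    <security:http auto-config="true" use-expressions="true" disable-url-rewriting="true">
        <security:intercept-url pattern="/Participant/New/*" access="hasRole('ROLE_ADMIN')" />
        <security:intercept-url pattern="/Home" access="hasRole('ROLE_GUEST')" />
        <security:intercept-url pattern="/Login" access="hasRole('ROLE_ANONYMOUS')" />
        <security:intercept-url pattern="/Login/Error" access="hasRole('ROLE_ANONYMOUS')" />
        <security:form-login login-page="/Login" login-processing-url="/j_spring_security_check"
                             authentication-failure-url="/Login/Error" default-target-url="/Home" />
        <security:logout logout-url="/j_spring_security_logout" logout-success-url="/Home"
                         delete-cookies="JSESSIONID" invalidate-session="true" />
        <security:anonymous />
        <security:session-management invalid-session-url="/Login">
            <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </security:session-management>
        <security:port-mappings>
            <security:port-mapping http="8086" https="8443" />
        </security:port-mappings>
    </security:http>

    <!-- The alias keeps the question's LoginBean (property "authenticationManager") working.
         The provider is referenced by bean id instead of the user-service-ref shorthand,
         because the shorthand form does not expose the authoritiesMapper property. -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="hierarchyAwareProvider" />
    </security:authentication-manager>

    <!-- Same provider the namespace would have built for Edit 5, plus the mapper.
         "userBo" and "standardPasswordEncoder" are the question's own beans (assumed to exist). -->
    <beans:bean id="hierarchyAwareProvider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userBo" />
        <beans:property name="passwordEncoder" ref="standardPasswordEncoder" />
        <beans:property name="authoritiesMapper">
            <beans:bean class="org.springframework.security.access.hierarchicalroles.RoleHierarchyAuthoritiesMapper">
                <beans:constructor-arg ref="roleHierarchy" />
            </beans:bean>
        </beans:property>
    </beans:bean>

    <!-- Unchanged from the question: a user loaded with ROLE_ADMIN_PROFILER_NGS logs in with
         ROLE_ADMIN_PROFILER_NGS, ROLE_GUEST, ROLE_GUEST_PROFILER_NGS and ROLE_GUEST_PROFILER_CGH. -->
    <beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <beans:property name="hierarchy">
            <beans:value>
                ROLE_ADMIN > ROLE_ADMIN_PROFILER_NGS
                ROLE_ADMIN_PROFILER_NGS > ROLE_GUEST
                ROLE_GUEST > ROLE_GUEST_PROFILER_NGS
                ROLE_ADMIN > ROLE_ADMIN_PROFILER_CGH
                ROLE_ADMIN_PROFILER_CGH > ROLE_GUEST
                ROLE_GUEST > ROLE_GUEST_PROFILER_CGH
            </beans:value>
        </beans:property>
    </beans:bean>
</beans:beans>
```

Why this fixes the JSF checks: facesContext.externalContext.isUserInRole() ends up in Spring Security's SecurityContextHolderAwareRequestWrapper, which compares the requested role against Authentication.getAuthorities() and knows nothing about the expression handler's roleHierarchy property. With the mapper, the authorities stored in the session token at login already contain every reachable role, so isUserInRole('ROLE_GUEST') becomes true for the user in the question's debug log. Two caveats: the expansion happens only at authentication time, so a change to the hierarchy takes effect for a user at their next login, not immediately; and this does nothing for the JSP sec:authorize tag inside Facelets pages, for the reason the answer gives. The voter results in Edit 4 are also normal rather than a symptom: RoleHierarchyVoter (a RoleVoter) only votes on attributes that start with the ROLE_ prefix, so for the expression attribute hasRole('ROLE_GUEST') it abstains (0) and WebExpressionVoter grants (1); with the configuration above those two voters and the custom AffirmativeBased bean are no longer declared at all.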

Comments:

How do you change this when you use an authentication manager (connected to a database that stores encrypted passwords), as shown in my last edit? I am actually trying to adapt what you explained to my code. If you could give me a push, I would be very grateful. If I find it myself, I will report back. Thanks.

I gave up; I spent a lot of time plugging the RoleHierarchy mapping into my configuration, without success.
