java Spring Method Level Security fails on second call

Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original URL: http://stackoverflow.com/questions/6653548/

Time: 2020-10-30 16:49:04  Source: igfitidea

Spring Method Level Security fails on second call

java gwt spring-security gwt-rpc

Asked by WhiteKnight

I want to use method level security on my GWT application. I'm trying to use Spring Security 3.1, as I found a working example here, but it doesn't use form-login. After reading this answer, the first method call successfully obtains the SecurityContext, but then clears it before the next call:

[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@6fe9f089: Authentication: org.example.MyAppName.server.auth.MyAppNameUserAuthentication@6fe9f089'
...
[org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor] - Authorization successful
...
[org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
...
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
...
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - HttpSession returned null object for SPRING_SECURITY_CONTEXT

The second call happens straight after the first and just after the user logs in.

Is it because I followed the other answer and removed <http pattern="/MyAppName/**" security="none" /> and added <intercept-url pattern="/MyAppName/**" access="permitAll()" />?

My filters are as follows:

<http pattern="/favicon.ico" security="none" />

<http access-decision-manager-ref="accessDecisionManager" use-expressions="true" auto-config="false" entry-point-ref="LoginUrlAuthenticationEntryPoint">
  <form-login login-page="/Login.html" always-use-default-target="true" default-target-url="/Main.html?gwt.codesvr=127.0.0.1:9997" />
  <intercept-url pattern="/Login.html" access="permitAll()" />
  <intercept-url pattern="/Login2.html" access="permitAll()" />
  <intercept-url pattern="/MyAppName/**" access="permitAll()" />
  <intercept-url pattern="/**" access="isAuthenticated()" />
  <logout delete-cookies="JSESSIONID" logout-success-url="/Login.html" />
  <remember-me token-validity-seconds="86400" key="key" user-service-ref="userDetailsService" />
</http>

Following the example I obtained I use AspectJ for the global method security, but would not use it if I could get that working:

<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" mode="aspectj" proxy-target-class="true" >
  <expression-handler ref="expressionHandler"/>
</global-method-security>

Thank you for taking the time to read this

Please let me know if more detail is needed.

Accepted answer by WhiteKnight

This problem has been solved.

The last part of the solution was to remove the request to make SecurityContextHolder global.

If you are having the same problem, you might find this post helpful.

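The following is an added example, not code from the question or the answer. It assumes "making SecurityContextHolder global" refers to the `SecurityContextHolder.MODE_GLOBAL` strategy, and it replays by hand the read-then-clear step that `SecurityContextPersistenceFilter` logs above, for two overlapping requests, to compare what the second request would have left to save under each strategy. The class name, the user "alice" and the helper methods are constructed; it needs spring-security-core on the classpath.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// Added illustration: all names here are constructed for the demo.
public class HolderStrategyDemo {

    // End of a request, as the persistence filter does it: read the holder's
    // context (this is what would be written to the session), then clear it.
    static SecurityContext finishRequest() {
        SecurityContext toSave = SecurityContextHolder.getContext();
        SecurityContextHolder.clearContext();
        return toSave;
    }

    static boolean secondRequestKeepsLogin(String strategy) throws InterruptedException {
        SecurityContextHolder.setStrategyName(strategy);

        // The logged-in context that both requests load from the HTTP session.
        SecurityContext session = SecurityContextHolder.createEmptyContext();
        session.setAuthentication(new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER")));

        // Request 2 starts on this thread.
        SecurityContextHolder.setContext(session);

        // Request 1 runs on another thread and completes while request 2 is open.
        Thread request1 = new Thread(() -> {
            SecurityContextHolder.setContext(session);
            finishRequest();
        });
        request1.start();
        request1.join();

        // Request 2 completes: is there still an Authentication to save?
        Authentication saved = finishRequest().getAuthentication();
        return saved != null && saved.isAuthenticated();
    }

    public static void main(String[] args) throws InterruptedException {
        for (String s : new String[] {SecurityContextHolder.MODE_THREADLOCAL,
                                      SecurityContextHolder.MODE_GLOBAL}) {
            System.out.println(s + " -> login survives: " + secondRequestKeepsLogin(s));
        }
    }
}
```

With `MODE_GLOBAL` the holder is one static field for the whole JVM, so in a servlet container every concurrent user also shares the same `Authentication`; the default thread-local strategy keeps each request's context separate.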