Java: Spring Method Level Security fails on second call
Original URL: http://stackoverflow.com/questions/6653548/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Spring Method Level Security fails on second call
Asked by WhiteKnight
I want to use method level security on my GWT application. I'm trying to use Spring Security 3.1, as I found a working example here, but it doesn't use form-login. After reading this answer, the first method call successfully obtains the SecurityContext, but then clears it before the next call:
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@6fe9f089: Authentication: org.example.MyAppName.server.auth.MyAppNameUserAuthentication@6fe9f089'
...
[org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor] - Authorization successful
...
[org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
...
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
...
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] - HttpSession returned null object for SPRING_SECURITY_CONTEXT
The second call happens straight after the first and just after the user logs in.
Is it because I followed the other answer and removed <http pattern="/MyAppName/**" security="none" /> and added <intercept-url pattern="/MyAppName/**" access="permitAll()" />?
My filters are as follows:
<http pattern="/favicon.ico" security="none" />
<http access-decision-manager-ref="accessDecisionManager" use-expressions="true" auto-config="false" entry-point-ref="LoginUrlAuthenticationEntryPoint">
    <form-login login-page="/Login.html" always-use-default-target="true" default-target-url="/Main.html?gwt.codesvr=127.0.0.1:9997" />
    <intercept-url pattern="/Login.html" access="permitAll()" />
    <intercept-url pattern="/Login2.html" access="permitAll()" />
    <intercept-url pattern="/MyAppName/**" access="permitAll()" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <logout delete-cookies="JSESSIONID" logout-success-url="/Login.html" />
    <remember-me token-validity-seconds="86400" key="key" user-service-ref="userDetailsService" />
</http>
Following the example I obtained I use AspectJ for the global method security, but would not use it if I could get that working:
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" mode="aspectj" proxy-target-class="true">
    <expression-handler ref="expressionHandler"/>
</global-method-security>
Thank you for taking the time to read this.
Please let me know if more detail is needed.