2015-09-15 145 views
1

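How to secure Struts2 REST services with Spring Security OAuth

I am working with a Spring Security OAuth configuration, using it on a Struts2 application to protect REST web services. I have been using Spring Security for a long time.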

The problem, if I understand correctly, is that Spring Security OAuth requires the Spring MVC dispatcher to be mapped on the root. This conflicts with Struts2.

Here is what I tried:

2) Struts2 on root and Spring MVC on /oauth/*

<!-- Struts 2 --> 
    <filter> 
     <filter-name>struts2</filter-name> 
     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class> 
    </filter> 
    <filter-mapping> 
     <filter-name>struts2</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 
    <filter-mapping> 
     <filter-name>struts2</filter-name> 
     <url-pattern>/struts/*</url-pattern> 
    </filter-mapping> 

<servlet> 
     <servlet-name>mvc-dispatcher</servlet-name> 
     <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
     <load-on-startup>1</load-on-startup> 
    </servlet> 

    <servlet-mapping> 
     <servlet-name>mvc-dispatcher</servlet-name> 
     <url-pattern>/*</url-pattern> 
    </servlet-mapping> 

With this, OAuth is OK, but Struts2 no longer works.

1) Struts2 and Spring MVC on root

<!-- Struts 2 --> 
    <filter> 
     <filter-name>struts2</filter-name> 
     <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class> 
    </filter> 
    <filter-mapping> 
     <filter-name>struts2</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 
    <filter-mapping> 
     <filter-name>struts2</filter-name> 
     <url-pattern>/struts/*</url-pattern> 
    </filter-mapping> 

<servlet> 
     <servlet-name>mvc-dispatcher</servlet-name> 
     <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
     <load-on-startup>1</load-on-startup> 
    </servlet> 

    <servlet-mapping> 
     <servlet-name>mvc-dispatcher</servlet-name> 
     <url-pattern>/oauth/*</url-pattern> 
    </servlet-mapping> 

Struts2 is OK and OAuth is recognized correctly, but the response is served at /token instead of /oauth/token, so I get a 404 error.

Here is an extract of the spring-security.xml file:

<http pattern="/oauth/token" create-session="stateless" 
     authentication-manager-ref="clientAuthenticationManager" 
     xmlns="http://www.springframework.org/schema/security"> 
     <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" /> 
     <anonymous enabled="false" /> 
     <http-basic entry-point-ref="clientAuthenticationEntryPoint" /> 
     <!-- include this only if you need to authenticate clients via request 
      parameters --> 
     <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" /> 
     <access-denied-handler ref="oauthAccessDeniedHandler" /> 

</http> 

<!-- This is where we tell Spring Security which URLs should be protected 
    and which roles have access to them --> 
<http pattern="/api/**.api" create-session="never" 
    entry-point-ref="oauthAuthenticationEntryPoint" 
    access-decision-manager-ref="accessDecisionManager" 
    xmlns="http://www.springframework.org/schema/security"> 
    <anonymous enabled="false" /> 
    <intercept-url pattern="/api/**.api" access="ROLE_API" /> 
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> 
    <access-denied-handler ref="oauthAccessDeniedHandler" /> 
</http> 

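莱德, if you have found the answer, please post it for others. They are asking and deleting their answers. Thanks. Of course, you haven't logged in for a month, so nobody is holding their breath. – Drew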

Answers

0

The solution is to use 2 different Spring dispatchers:

<servlet> 
    <servlet-name>mvc-dispatcher</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
    <load-on-startup>1</load-on-startup> 
</servlet> 
<servlet-mapping> 
    <servlet-name>mvc-dispatcher</servlet-name> 
    <url-pattern>/oauth/*</url-pattern> 
</servlet-mapping> 

<servlet> 
    <servlet-name>rest-dispatcher</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
    <load-on-startup>1</load-on-startup> 
</servlet> 
<servlet-mapping> 
    <servlet-name>rest-dispatcher</servlet-name> 
    <url-pattern>/restapi/*</url-pattern> 
</servlet-mapping> 

One for the REST WS, and the other for security.

After that, you get the token not at /oauth/token but at /oauth/oauth/token.

To fix this, you have to duplicate the Spring Security parameters:

<http pattern="/oauth/token" create-session="stateless" 
    authentication-manager-ref="clientAuthenticationManager" 
    xmlns="http://www.springframework.org/schema/security"> 
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" /> 
    <anonymous enabled="false" /> 
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" /> 
    <!-- include this only if you need to authenticate clients via request 
     parameters --> 
    <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" /> 
    <access-denied-handler ref="oauthAccessDeniedHandler" /> 
</http> 

<http pattern="/oauth/oauth/token" create-session="stateless" 
    authentication-manager-ref="clientAuthenticationManager" 
    xmlns="http://www.springframework.org/schema/security"> 
    <intercept-url pattern="/oauth/oauth/token" access="IS_AUTHENTICATED_FULLY" /> 
    <anonymous enabled="false" /> 
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" /> 
    <!-- include this only if you need to authenticate clients via request 
     parameters --> 
    <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" /> 
    <access-denied-handler ref="oauthAccessDeniedHandler" /> 
</http> 
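
The path shift described in the answer, as an added example that is not part of the original post: a small model of how a `/prefix/*` servlet mapping changes the external URL of a handler, and a check that every resulting URL is covered by some `<http pattern="...">` block. The function names are hypothetical, the Ant matcher is simplified, and the handler path `/oauth/token` is assumed from the URLs the answer reports.

```python
import re

def external_url(servlet_pattern, handler_path):
    """URL, relative to the context root, at which a handler is reachable."""
    if servlet_pattern in ("/", "/*"):
        return handler_path                      # no servlet-path prefix
    if servlet_pattern.endswith("/*"):
        # The container consumes the servlet path (e.g. /oauth); the
        # dispatcher looks handlers up by the part that follows it.
        return servlet_pattern[:-2] + handler_path
    raise ValueError("only '/', '/*' and '/prefix/*' are modelled")

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: '**' = anything, '*' = within a segment."""
    parts = re.split(r"(\*\*|\*)", pattern)
    table = {"**": ".*", "*": "[^/]*"}
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")

def covering_block(http_patterns, url):
    """First <http pattern=...> that matches url, or None (no chain applies)."""
    for pattern in http_patterns:
        if ant_to_regex(pattern).match(url):
            return pattern
    return None

def audit(servlet_pattern, handler_paths, http_patterns):
    """Map each handler's external URL to the <http> block covering it."""
    result = {}
    for handler in handler_paths:
        url = external_url(servlet_pattern, handler)
        result[url] = covering_block(http_patterns, url)
    return result

# Constructed input mirroring the page: dispatcher on /oauth/*, token
# handler at /oauth/token (assumed from the URLs the answer reports).
HANDLERS = ["/oauth/token"]
QUESTION_BLOCKS = ["/oauth/token", "/api/**.api"]
ANSWER_BLOCKS = ["/oauth/token", "/oauth/oauth/token", "/api/**.api"]

if __name__ == "__main__":
    for name, blocks in (("question", QUESTION_BLOCKS), ("answer", ANSWER_BLOCKS)):
        for url, block in audit("/oauth/*", HANDLERS, blocks).items():
            print(f"{name}: {url} -> {block or 'not covered by any <http> block'}")
```

A URL that maps to `None` is reachable through the dispatcher but is not matched by any of the listed security blocks, which is the gap the duplicated `<http>` element in the answer closes.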