java - Tried to apply Spring security on struts2 but it does not work
I have the following code to apply Spring Security on Struts2, but it allows a user to see the secured page. Although I have not implemented the datasource part yet (because I do not know how), I do not expect it to enable unauthorized users to open the page.
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring/*-context.xml
        </param-value>
    </context-param>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>

    <context-param>
        <param-name>org.apache.tiles.impl.BasicTilesContainer.DEFINITIONS_CONFIG</param-name>
        <param-value>/WEB-INF/tiles.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
    </listener>

    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>
My JSP
<%@taglib uri="/struts-tags" prefix="s"%>
<sec:authorize ifAllGranted="ROLE_ADMIN">
    <a href="<s:url namespace="/profile" action="view.action"/>">profile</a>
</sec:authorize>
My secured method
import org.apache.struts2.convention.annotation.Action;
import org.springframework.security.access.annotation.Secured;

@Action
public class Profile {

    @Secured({"ROLE_ADMIN"})
    public String view() {
        System.out.println("view");
        return "view";
    }
}
security-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:global-method-security secured-annotations="enabled" />

    <security:http auto-config="true">
        <!-- restrict URLs based on role -->
        <security:intercept-url pattern="/index*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/logoutsuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/css/main.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/**" access="ROLE_USER" />

        <!-- override default login and logout pages -->
        <security:form-login login-page="/login.html"
                             login-processing-url="/loginprocess"
                             default-target-url="/index.jsp"
                             authentication-failure-url="/login.html?login_error=1" />
        <security:logout logout-url="/logout"
                         logout-success-url="/logoutsuccess.html" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="datasource" />
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
In order to protect the Struts application URLs, you need to ensure you have springSecurityFilterChain before struts2. The configuration you have posted does not appear to have springSecurityFilterChain at all. In short, update your configuration as follows:
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>

<filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>

<!-- The order of the filter-mapping elements is important: springSecurityFilterChain should be first! -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
The above setup will protect the application using URL-based security. However, in order to secure the application with method-based security, you need to ensure you are allowing Spring to create the objects annotated with @Secured. To do this, ensure you have followed the instructions on integrating Spring and Struts provided within the reference.
java struts2 spring-security
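A small audit of the filter ordering the answer describes, as an added example that is not part of the original question or answer: it parses a web.xml and reports a filter that is declared but never mapped, or a security filter mapped after the Struts dispatcher. The function name `audit_filter_order` and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the filter section of the question's web.xml, where
# springSecurityFilterChain is declared but has no filter-mapping.
QUESTION_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

# Constructed fragment: the mapping the answer adds.
SECURITY_MAPPING = """  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
"""


def audit_filter_order(web_xml, security="springSecurityFilterChain", dispatcher="struts2"):
    """Return a list of findings; an empty list means the ordering is as the answer requires."""
    root = ET.fromstring(web_xml)
    declared = [f.findtext("j:filter-name", "", NS).strip() for f in root.findall("j:filter", NS)]
    # Document order of filter-mapping elements is the order the container chains the filters.
    mapped = [m.findtext("j:filter-name", "", NS).strip() for m in root.findall("j:filter-mapping", NS)]
    findings = []
    for name in declared:
        if name not in mapped:
            findings.append(f"{name}: declared but has no filter-mapping, so it never runs")
    if security in mapped and dispatcher in mapped and mapped.index(security) > mapped.index(dispatcher):
        findings.append(f"{security} is mapped after {dispatcher}, so Struts sees requests first")
    return findings


if __name__ == "__main__":
    for finding in audit_filter_order(QUESTION_WEB_XML):
        print(finding)
```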