I am working on implementing Spring Security in an AngularJS application. I am relatively new to both technologies, and I have found several very helpful sites with tutorials and examples of how to implement AngularJS and Spring Security.
My problem currently lies in restricting URL paths to certain users. It sounds like a simple problem, but I have drowned myself with documentation trying to figure out a problem that must have been solved previously.
In AngularJS, there is a hash mark in the URL when navigating to different URLs and that seems to cause a problem with Spring. There is no error thrown, but the resource is not restricted. My code is below:
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/paperwebapp-servlet.xml
        </param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>webapp</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>*</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>webapp</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <filter>
        <filter-name>characterEncodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>characterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- Apply Spring Security Filter to all Requests -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
app-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/mvc
       http://www.springframework.org/schema/mvc/spring-mvc.xsd
       http://www.springframework.org/schema/context
       http://www.springframework.org/schema/context/spring-context.xsd">
    <context:property-placeholder location="file:${catalina_home}/conf/application.properties" />
    <mvc:view-controller path="/" view-name="/resources/index.html"/>
    <mvc:resources mapping="/resources/**" location="/resources/" />
    <import resource="spring-security.xml" />
</beans>
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/context
       http://www.springframework.org/schema/context/spring-context.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd">
    <context:property-placeholder location="file:${catalina_home}/conf/application.properties" />
    <sec:http auto-config='true'>
        <sec:intercept-url pattern="/access/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <sec:intercept-url pattern="/*" access="ROLE_USER" />
        <sec:intercept-url pattern="/#/inventory" access="ROLE_ADMIN" />
        <sec:form-login login-page="/access/login.jsp" default-target-url="/#/splash"
                        always-use-default-target="true" />
    </sec:http>
    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider>
            <sec:user-service>
                <sec:user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
                <sec:user name="user" password="user" authorities="ROLE_USER" />
            </sec:user-service>
        </sec:authentication-provider>
    </sec:authentication-manager>
</beans>
When the application is deployed, I can access the URL (localhost:8080/app) and I am greeted with a login page as expected. Once I am authenticated, I am brought to the splash screen (/#/splash), also as expected. However, if I log in using the "user" credentials, I should be restricted from the /inventory path. No matter what I try (/#/inventory, /inventory, #/inventory, etc.), I cannot get the resource to be restricted. I have tested this configuration out on an application that accesses HTML pages directly from the application directory and it seems to work fine, thus I am convinced that it has something to do with the AngularJS controller routing the requests and using that hash mark.
Another point of interest I discovered in researching this was that because we are using templates from multiple sources to compile each page we cannot use the $locationProvider to set HTML5 mode without breaking the application.
If anyone has any insight into this problem, it would be greatly appreciated. I am sure this has been somewhere, but for the life of me I could not find anything. Thank you!
Recommended answer
You seem to be confusing Angular's client-side URL handling (based on the hashes, like '/#/splash') with Spring MVC's (and therefore Spring Security's) server-side URL handling.
Remember that Spring Security secures access to URLs on the server side, and that Angular is a single-page, client-side library.
When you first access your Angular page, you are getting it from the server, and Spring Security can restrict access depending on the login.
If you're still in your single-page Angular environment on the client, and navigate via Angular to a "page" with a hash in the URL (see the AngularJS $location guide about hashbang URLs), you are not making a server request. You are requesting Angular to render a different template or state. This is client-side behavior, so Spring Security is not involved. You make a server request when you access a template HTML file (which Spring may return statically without authentication) or if you have set up a REST API to get data from your server (typically returning JSON formatted data for your application to use).
I believe that to make this work, the data for your protected resource ("/inventory") would have to not be included in the main application, requiring a separate server-side resource. This could include either the HTML template for the page and/or the data. Your AngularJS application should be able to recognize that this resource is not available and display something to the user to communicate the lack of authorization.
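To illustrate the answer above (an added example, not code from the question or the answer): this JavaScript sketch models what the server receives for a hashbang URL and how first-match intercept-url rules then apply. The matcher is a simplified stand-in for Spring Security's Ant-style matching, and the /resources/partials/inventory.html and /api/inventory/** paths are hypothetical server-side resources.

```javascript
// Added example: simplified model of the behaviour, not Spring Security's own code.

// Path the server receives: the browser never transmits the fragment (u.hash).
function requestPath(browserUrl, contextPath) {
  const u = new URL(browserUrl);
  return u.pathname.slice(contextPath.length) || "/";
}

// Minimal Ant-style matcher: "**" spans path segments, "*" stays within one.
function antToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const body = escaped
    .replace(/\*\*/g, "\u0000")
    .replace(/\*/g, "[^/]*")
    .replace(/\u0000/g, ".*");
  return new RegExp("^" + body + "$");
}

// Rules are tried in declaration order; the first match decides.
function requiredAccess(rules, path) {
  const rule = rules.find((r) => antToRegExp(r.pattern).test(path));
  return rule ? rule.access : null; // null: no rule matched, request is unprotected
}

function isAllowed(rules, path, roles) {
  const access = requiredAccess(rules, path);
  return access === null || access === "IS_AUTHENTICATED_ANONYMOUSLY" || roles.includes(access);
}

// Rules as posted in the question's spring-security.xml.
const questionRules = [
  { pattern: "/access/login.jsp", access: "IS_AUTHENTICATED_ANONYMOUSLY" },
  { pattern: "/*", access: "ROLE_USER" },
  { pattern: "/#/inventory", access: "ROLE_ADMIN" },
];

// Hypothetical server-side resources behind the inventory view (assumed paths).
const serverSideRules = [
  { pattern: "/access/login.jsp", access: "IS_AUTHENTICATED_ANONYMOUSLY" },
  { pattern: "/resources/partials/inventory.html", access: "ROLE_ADMIN" },
  { pattern: "/api/inventory/**", access: "ROLE_ADMIN" },
  { pattern: "/**", access: "ROLE_USER" },
];

const seen = requestPath("http://localhost:8080/app/#/inventory", "/app");
console.log(seen, isAllowed(questionRules, seen, ["ROLE_USER"]));
console.log(isAllowed(serverSideRules, "/api/inventory/items", ["ROLE_USER"]));
```

In this model, /#/inventory and /#/splash both reach the server as "/", so the "/*" rule decides and ROLE_USER is enough; only rules on paths the server actually receives can keep "user" out.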