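I have a Spring MVC REST web application to which I am adding a layer of Spring Security.
While reading the Spring documentation, I could not understand what section 3.1.3 means. I have copied/pasted that section below.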
If we were using Spring elsewhere in our application we probably already had a WebApplicationInitializer that is loading our Spring Configuration. If we use the previous configuration we would get an error. Instead, we should register Spring Security with the existing ApplicationContext. For example, if we were using Spring MVC our SecurityWebApplicationInitializer would look something like the following:

    import org.springframework.security.web.context.*;

    public class SecurityWebApplicationInitializer
            extends AbstractSecurityWebApplicationInitializer {
    }

This would simply only register the springSecurityFilterChain Filter for every URL in your application. After that we would ensure that SecurityConfig was loaded in our existing ApplicationInitializer. For example, if we were using Spring MVC it would be added in the getRootConfigClasses()

    public class MvcWebApplicationInitializer extends
            AbstractAnnotationConfigDispatcherServletInitializer {

        @Override
        protected Class<?>[] getRootConfigClasses() {
            return new Class[] { SecurityConfig.class };
        }

        // ... other overrides ...
    }

So, I already have the following:
an Initializer.java (replacement of web.xml)
Config.java - Root Context
RestServlet.java - Servlet Context
This is my Initializer.java file:

    import javax.servlet.ServletContext;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRegistration;

    import org.springframework.web.WebApplicationInitializer;
    import org.springframework.web.context.ContextLoaderListener;
    import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
    import org.springframework.web.servlet.DispatcherServlet;

    public class Initializer implements WebApplicationInitializer {

        public void onStartup(ServletContext container) throws ServletException {
            // Create the 'root' Spring application context
            AnnotationConfigWebApplicationContext rootContext =
                    new AnnotationConfigWebApplicationContext();
            rootContext.register(Config.class);

            // Manage the lifecycle of the root application context
            container.addListener(new ContextLoaderListener(rootContext));
            // container.addListener(new ContextLoaderListener(rootContext));

            // Create the dispatcher servlet's Spring application context
            AnnotationConfigWebApplicationContext dispatcherContext =
                    new AnnotationConfigWebApplicationContext();
            dispatcherContext.register(RestServlet.class);

            // Register and map the dispatcher servlet
            ServletRegistration.Dynamic dispatcher =
                    container.addServlet("dispatcher", new DispatcherServlet(dispatcherContext));
            dispatcher.setLoadOnStartup(1);
            dispatcher.addMapping("/");
        }
    }

To add the Spring Security layer, I added the following:
SecurityConfig.java
SecurityInitializer.java
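SecurityConfig.java (this is for testing, using in-memory authentication details):

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            // In-memory user store, for testing only
            auth
                .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER");
        }
    }
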
SecurityInitializer.java

    public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer
    {
        protected Class<?>[] getRootConfigClasses() {
            return new Class[] { SecurityConfig.class };
        }
    }

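Now the problem is that I am not sure how to carry out these steps. I do not know (per section 3.2.3 of the documentation) whether I should extend AbstractSecurityWebApplicationInitializer or AbstractAnnotationConfigDispatcherServletInitializer.
Another issue is that this is a REST application. I do not have any controllers that return JSPs (and I don't want any!). My ultimate goal is to use OAuth2, generate and issue tokens for the front-end web app (Angular-based), and protect the REST API that way. Also, I want to add Facebook and Google+ login on top of that. But I am taking my first steps with Spring Security and I am stuck here. I would like to know whether anyone who has already been down this path can share their wisdom.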
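
The wiring described in the quoted documentation passage, applied to a hand-written WebApplicationInitializer like the one in the post. This is an added example, not part of the original post or the Spring documentation; it assumes the post's Config, RestServlet and SecurityConfig classes exist unchanged and that the servlet API is the javax.servlet one.

```java
// ---- SecurityInitializer.java ----
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Deliberately empty. The no-arg superclass constructor only registers the
// springSecurityFilterChain filter for every URL; it creates no context.
// Passing SecurityConfig.class to super(...) would add a second
// ContextLoaderListener and clash with the one registered in Initializer.
public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {
}

// ---- Initializer.java ----
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;

import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.context.ContextLoaderListener;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.servlet.DispatcherServlet;

public class Initializer implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext container) throws ServletException {
        // Root context: SecurityConfig is registered here, next to Config, so the
        // filter proxy can look up the springSecurityFilterChain bean in it.
        // This is the hand-written equivalent of returning SecurityConfig.class
        // from getRootConfigClasses() in the documentation's example.
        AnnotationConfigWebApplicationContext rootContext =
                new AnnotationConfigWebApplicationContext();
        rootContext.register(Config.class, SecurityConfig.class);

        // Exactly one ContextLoaderListener for the whole application
        container.addListener(new ContextLoaderListener(rootContext));

        // Servlet context for the REST controllers, unchanged from the post
        AnnotationConfigWebApplicationContext dispatcherContext =
                new AnnotationConfigWebApplicationContext();
        dispatcherContext.register(RestServlet.class);

        ServletRegistration.Dynamic dispatcher =
                container.addServlet("dispatcher", new DispatcherServlet(dispatcherContext));
        dispatcher.setLoadOnStartup(1);
        dispatcher.addMapping("/");
    }
}
```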