java - 从 xml 到基于 Java 的配置的问题更改

问题描述

我正在使用 Spring Boot MVC 最新版本 (5.3) e Spring security (5.5) 和 LDAP 用户

我正在尝试从此 xml 进行更改

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-5.4.xsd">

    <security:http auto-config="true" disable-url-rewriting="true"
                   use-expressions="true">
        <security:form-login login-page="/signin"
                             authentication-failure-url="/signinAjax?error=1" authentication-details-source-ref="customWebAuthenticationDetailsSource" authentication-success-forward-url="/logged"/>
        <security:intercept-url pattern="/" access="permitAll" />
        <security:intercept-url pattern="/isAutenticated" access="permitAll" />
        <security:intercept-url pattern="/resources/images/favicon.png"
                                access="permitAll" />
        <security:intercept-url pattern="/resources/webfonts/**"
                                access="permitAll" />
        <security:intercept-url pattern="/resources/**"
                                access="permitAll" />
        <security:intercept-url pattern="/signin"
                                access="permitAll" />
        <security:intercept-url pattern="/signinAjax"
                                access="permitAll" />
        <security:intercept-url pattern="/userList"
                                access="isAuthenticated()" />
        <security:intercept-url pattern="/imgages/**"
                                access="permitAll" />
        <security:intercept-url pattern="/**"
                                access="isAuthenticated()" />
    </security:http>

    <security:global-method-security
            secured-annotations="enabled" />

    <security:authentication-manager
            erase-credentials="true">
        <security:authentication-provider
                ref="ldapActiveDirectoryAuthProvider" />
    </security:authentication-manager>

    <bean id="ldapActiveDirectoryAuthProvider"
          class="org.springframework.security.ldap.authentication.ad.CustomActiveDirectoryLdapAuthenticationProvider">
        <constructor-arg value="XXXX" />
        <constructor-arg value="ldap://XXX:389" />
        <property name="convertSubErrorCodesToExceptions" value="true" />
        <property name="searchFilter"
                  value="(&amp;(objectClass=user)(sAMAccountName={0}))"  />
        <property name="useAuthenticationRequestCredentials" value="true" />
        <property name="userDetailsContextMapper" ref="tdrUserDetailsContextMapper" />
    </bean>

    <bean id="tdrUserDetailsContextMapper"
          class="it.xxx.account.CustomUserDetailsContextMapper" />

    <bean id="customWebAuthenticationDetailsSource"
        class="it.xxx.config.security.CustomWebAuthenticationDetailsSource"/>


</beans>

该功能对这个基于 Java 的配置正确

@Configuration
@EnableWebSecurity
//@EnableGlobalMethodSecurity(securedEnabled=true)
//@ImportResource(value = "classpath:spring-security-context.xml")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    


    @Bean
    public CustomWebAuthenticationDetailsSource customWebAuthenticationDetailsSource() {
        return new CustomWebAuthenticationDetailsSource();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/").permitAll()
                .antMatchers("/isAutenticated").permitAll()
                .antMatchers("/resources/**").permitAll()
                .antMatchers("/signin").permitAll()
                .antMatchers("/signinAjax").permitAll()
                .antMatchers("/userList").permitAll()
                .antMatchers("/images/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/signin")
                .authenticationDetailsSource(customWebAuthenticationDetailsSource())
                .successForwardUrl("/logged")
                .failureForwardUrl("/signinAjax?error=1");


    }



    @Bean
    public CustomActiveDirectoryLdapAuthenticationProvider ldapActiveDirectoryAuthProvider() {
        CustomActiveDirectoryLdapAuthenticationProvider provider = new CustomActiveDirectoryLdapAuthenticationProvider("xxx.local","ldap://xxx:389");
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setSearchFilter("(&(objectClass=user)(sAMAccountName={0}))");
        provider.setUseAuthenticationRequestCredentials(true);
        provider.setUserDetailsContextMapper(tdrUserDetailsContextMapper());
        return provider;
    }

    @Bean
    public LoggerListener loggerListener() {
        return new LoggerListener();
    }


    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.eraseCredentials(true);
        auth.authenticationProvider(ldapActiveDirectoryAuthProvider());
    }


    @Bean
    public CustomUserDetailsContextMapper tdrUserDetailsContextMapper() {
        return new CustomUserDetailsContextMapper();
    }




}

在tomcat的编译和运行中没有错误但无法登录并出现此错误

org.springframework.security.access.event.LoggerListener.onAuthorizationFailureEvent Security authorization failed due to: org.springframework.security.access.AccessDeniedException: Access is denied; authenticated principal: AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=19C02E6245BF011635B6ADC374ED4EA4], Granted Authorities=[ROLE_ANONYMOUS]]; secure object: filter invocation [POST /login]; configuration attributes: [authenticated]

我不知道缺少什么。

标签： javaspring