GWT Wiosna Integracja Bezpieczeństwa (PURE GWT, NO JSP)

jestem używając GWT 2.4 i Wiosna 3,1 i chcę, aby zabezpieczyć swój wniosek z wiosennym Bezpieczeństwa. Szukałem rozwiązania typu GWT bez oddzielnej strony logowania JSP. Znalazłem tylko stare strony korzystające z JSP do logowania, więc ten wątek może doprowadzić do rozwiązania w pełni zintegrowanego GWT z Spring Security w standardowy sposób. W każdym razie, jeśli istnieje odniesienie, gdzie zostało to już zrobione pomyślnie, ten wątek może być oczywiście zamknięty z odnośnikiem do tego odnośnika.GWT Wiosna Integracja Bezpieczeństwa (PURE GWT, NO JSP)

Dotychczas tutaj jest moje pierwsze podejście:

ApplicationContext-security.xml:

<http auto-config="false" use-expressions="true" entry-point-ref="customAuthenticationEntryPoint"> 
    <intercept-url pattern="/ApplicationScaffold.html" access="permitAll" /> 
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" /> 
</http> 

<beans:bean id="customAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" 
    c:loginFormUrl="/ApplicationScaffold.html" /> 

<!-- Configure Authentication mechanism --> 
<authentication-manager alias="authenticationManager"> 
    <authentication-provider> 
     ... 
    </authentication-provider> 
</authentication-manager>

ApplicationScaffold.html (moja aplikacja została stworzona z wiosennym Roo) jest moja strona startowa zawierająca Strona logowania GWT.

web.xml:

<display-name>securitytest</display-name> 

<description>Roo generated application</description> 

<!-- Enable escaping of form submission contents --> 
<context-param> 
    <param-name>defaultHtmlEscape</param-name> 
    <param-value>true</param-value> 
</context-param> 

<context-param> 
    <param-name>contextConfigLocation</param-name> 
    <param-value>classpath*:META-INF/spring/applicationContext*.xml</param-value> 
</context-param> 

<filter> 
    <filter-name>CharacterEncodingFilter</filter-name> 
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class> 
    <init-param> 
     <param-name>encoding</param-name> 
     <param-value>UTF-8</param-value> 
    </init-param> 
    <init-param> 
     <param-name>forceEncoding</param-name> 
     <param-value>true</param-value> 
    </init-param> 
</filter> 

<filter> 
    <filter-name>HttpMethodFilter</filter-name> 
    <filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class> 
</filter> 

<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter> 
<filter> 
    <filter-name>Spring OpenEntityManagerInViewFilter</filter-name> 
    <filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class> 
</filter> 
<filter-mapping> 
    <filter-name>CharacterEncodingFilter</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<filter-mapping> 
    <filter-name>HttpMethodFilter</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<filter-mapping> 
    <filter-name>Spring OpenEntityManagerInViewFilter</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<!-- Creates the Spring Container shared by all Servlets and Filters --> 
<listener> 
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
</listener> 

<!-- Handles Spring requests --> 
<servlet> 
    <servlet-name>securitytest</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
    <init-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value>WEB-INF/spring/webmvc-config.xml</param-value> 
    </init-param> 
    <load-on-startup>1</load-on-startup> 
</servlet> 

<servlet> 
    <servlet-name>requestFactory</servlet-name> 
    <servlet-class>com.securitytest.server.CustomRequestFactoryServlet</servlet-class> 
</servlet> 

<servlet-mapping> 
    <servlet-name>securitytest</servlet-name> 
    <url-pattern>/</url-pattern> 
</servlet-mapping> 

<servlet-mapping> 
    <servlet-name>requestFactory</servlet-name> 
    <url-pattern>/gwtRequest</url-pattern> 
</servlet-mapping> 

<session-config> 
    <session-timeout>10</session-timeout> 
</session-config>

Klasa CustomRequestFactoryServlet rozciąga RequestFactoryServlet zapewniając dodatkową konstruktora rozwiązać usługi wiosną i nie powinny być odpowiednie do kwestii bezpieczeństwa.

Po wprowadzeniu nazwy użytkownika i hasła w GWT widget usługa logowania jest wywoływany (przez RequestFactory), który po prostu wykonuje następujące operacje:

public String loginUser(String username, String password) { 
    UsernamePasswordAuthenticationToken token = 
      new UsernamePasswordAuthenticationToken(username, password); 

    Authentication authenticatedUser = authenticationManager.authenticate(token); 
    SecurityContextHolder.getContext().setAuthentication(authenticatedUser); 

    return username; 

}

Więc kiedy wpisać adres URL jak .. /fooooooo spodziewam moja aplikacja do przekierowania mnie do strony logowania (ApplicationScaffold.html). Ale tylko adres URL w pasku adresu przeglądarki jest ustawiony na ../ ApplicationScaffold.html i nic więcej się nie dzieje.

Co robię źle?

Ślad stosu mówi co następuje:

[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 1 of 7 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists 
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created. 
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 2 of 7 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 3 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 4 of 7 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 
[INFO] 2012-12-17 13:41:07,503 [btpool0-0] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.sprin[email protected]9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' 
[INFO] 2012-12-17 13:41:07,503 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 5 of 7 in additional filter chain; firing Filter: 'SessionManagementFilter' 
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.session.SessionManagementFilter - Requested session ID1nkvhmubnkz6h is invalid. 
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/fooooooooo'; against '/applicationscaffold.html' 
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /fooooooooo; Attributes: [hasRole('ROLE_USER')] 
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.sprin[email protected]9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS 
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.express[email protected], returned: -1 
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point 
[INFO] org.springframework.security.access.AccessDeniedException: Access is denied 
... 
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://127.0.0.1:8888/fooooooooo] 
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Calling Authentication entry point. 
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.DefaultRedirectStrategy - Redirecting to 'http://127.0.0.1:8888/ApplicationScaffold.html' 
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed 
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 1 of 7 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT 
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.mortbay.jetty.servlet.HashSessionManager$Session:[email protected] A new one will be created. 
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 2 of 7 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals) 
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals) 
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/fooooooooo; arg2=/ApplicationScaffold.html (property not equals) 
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match 
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 3 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 4 of 7 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.sprin[email protected]9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]957e: RemoteIpAddress: 127.0.0.1; SessionId: q0k5u6clocpc; Granted Authorities: ROLE_ANONYMOUS' 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 5 of 7 in additional filter chain; firing Filter: 'SessionManagementFilter' 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/applicationscaffold.html'; against '/applicationscaffold.html' 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /ApplicationScaffold.html; Attributes: [permitAll] 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.sprin[email protected]9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]957e: RemoteIpAddress: 127.0.0.1; SessionId: q0k5u6clocpc; Granted Authorities: ROLE_ANONYMOUS 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.sp[email protected]5f8d13b8, returned: 1 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Authorization successful 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html reached end of additional filter chain; proceeding with original chain 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter - Opening JPA EntityManager in OpenEntityManagerInViewFilter 
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.hibernate.impl.SessionImpl - opened session at timestamp: 13557480675 
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'securitytest' processing GET request for [/ApplicationScaffold.html] 
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Looking up handler method for path /ApplicationScaffold.html 
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Did not find handler method for [/ApplicationScaffold.html] 
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - Matching patterns for request [/ApplicationScaffold.html] are [/**] 
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - URI Template variables for request [/ApplicationScaffold.html] are {} 
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - Mapping [/ApplicationScaffold.html] to HandlerExecutionChain with handler [org.spring[email protected]3e3bfa58] and 1 interceptor 
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - Last-Modified value for [/ApplicationScaffold.html] is: -1 
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'securitytest': assuming HandlerAdapter completed request handling 
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - Successfully completed request 
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter - Closing JPA EntityManager in OpenEntityManagerInViewFilter 
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.orm.jpa.EntityManagerFactoryUtils - Closing JPA EntityManager 
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally 
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed 
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 1 of 7 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT 
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.mortbay.jetty.servlet.HashSessionManager$Session:[email protected] A new one will be created. 
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 2 of 7 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals) 
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals) 
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/fooooooooo; arg2=/applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html (property not equals) 
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match 
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 3 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 4 of 7 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.sprin[email protected]9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]957e: RemoteIpAddress: 127.0.0.1; SessionId: q0k5u6clocpc; Granted Authorities: ROLE_ANONYMOUS' 
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 5 of 7 in additional filter chain; firing Filter: 'SessionManagementFilter' 
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/applicationscaffold/c142d67e9948229be2b28e2a99e7c59a.cache.html'; against '/applicationscaffold.html' 
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html; Attributes: [hasRole('ROLE_USER')] 
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.sprin[email protected]9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]957e: RemoteIpAddress: 127.0.0.1; SessionId: q0k5u6clocpc; Granted Authorities: ROLE_ANONYMOUS 
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.sp[email protected]5f8d13b8, returned: -1 
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point 
[INFO] org.springframework.security.access.AccessDeniedException: Access is denied

Źródło

2012-12-17 Tony Skulk

+1 na pytanie. – SSR

Musisz dowiedzieć się, dlaczego użytkownik jest uważany anonimowy (linia 77 w stacktrace). Przypuszczam, że Spring następnie wysyła kolejne przekierowanie (do logowania), ale wywołanie zwrotne GWT nie wie, co zrobić z HTTP 302?

Źródło

2012-12-17 21:49:35

Dzięki za odpowiedź. Rzeczywiście, Spring wysyła przekierowanie, ale nie wiem, dlaczego moja strona logowania się nie pojawi. Co rozumiesz przez "callback GWT nie wie, co zrobić z HTTP 302_"? –

Cóż, z twojego pytania rozumiem, że twoje "wysyłanie" formularza logowania przez GWT (RPC?), Prawda? Wtedy masz wywołanie zwrotne GWT, które musi poprawnie obsługiwać przekierowanie HTTP 302. –

Myślałem, że Spring przekierowuje na moją stronę hosta html zawierającą tag javascript modułu logowania GWT. Tak więc rozumiem, że GWT nie robi nic, ale "ładuje" javascript. Wszystkie przekierowania są dokonywane przez bezpieczeństwo Spring, prawda? Więc myślę, że przynajmniej strona początkowa powinna się pojawić ... –

Czysta rozwiązanie GWT:

Nie używajhttp elementu w ogóle (http tag od nazw config)
Zdefiniuj AuthenticationRpcService
Dodaj (użytkownik, hasło) metodę AuthenticationRpcService.authenticate
Wstrzyknięcie do komponentu AuthenticationServiceImpl AuthenticationProvider z security-context.xml

Implementacja usługi uwierzytelnianiaRpcService.uwierzytelniania (użytkownik, hasło) jako:

User user = new User(login, password, true, true, true, true, new ArrayList<GrantedAuthority>()); 
Authentication auth = new UsernamePasswordAuthenticationToken(user, password, 
     new ArrayList<GrantedAuthority>()); 
try { 
    auth = this.authenticationProvider.authenticate(auth); 
} catch (BadCredentialsException e) { 
    throw new ClientSideBadCredentialsException(e.getMessage(), e); 
} 
SecurityContext sc = new SecurityContextImpl(); 
sc.setAuthentication(auth); 

SecurityContextHolder.setContext(sc);

Upewnić się, że filtr bezpieczeństwa łańcucha sprężyna jest wykonywany podczas przetwarzania każdej swojej GWT RPC (wezwanie, aby mieć pewność, że SecurityContext zaludnionych do SecurityContextHolder).
zabezpieczyć wszystkie Handel z @RolesAllowed ({ „ADMIN_ROLE”, „USER_ROLE”}) adnotacje
przygotowywać własne ClientSideAcessDeniedException które mogą być wykorzystane na stronie klienta
W przypadku sprężyna AcessDeniedException propogate ClientSideAcessDeniedException do klienta strona
na stronie klienta skonfigurować UncaughtExceptionHandler poprzez GWT.setUncaughtExceptionHandler
W UncaughtExceptionHandler wykryć CustomAcessDeniedException a następnie pokazać błąd do użytkownika.

Źródło

2012-12-18 13:42:26

Co masz na myśli mówiąc "nie używaj" elementu? –

Co się stanie, jeśli nie zostaną uwierzytelnione podczas GWT RPC? Czy nie zostaną przekierowani na domyślną stronę logowania? –

Musi to być "nie używaj elementu http" (znacznika http z obszaru nazw konfiguracji Spring Security). Dziękuję za wskazanie tego. Czysty problem z oznaczaniem. –

Odkryłem, że wszystko, co można chronić w gwt przy użyciu Spring Security, to wywołania RPC, ale jeśli chodzi o gui, nie można tego zrobić. Pamiętaj, że są one javascript, więc nie ma adresu URL do zdefiniowania w konfiguracji zabezpieczeń. Dlatego wszystkie przykłady mają stronę logowania na JSP. Będziesz wtedy musiał wdrożyć pewien typ zabezpieczeń po stronie klienta, używając userContext dla frontendu.

Źródło

2013-04-25 19:21:53 Jerime

GWT Wiosna Integracja Bezpieczeństwa (PURE GWT, NO JSP)

Odpowiedz

Powiązane problemy