问题描述

我已经在谷歌上搜索了很多关于这个问题的内容，但到目前为止，我找不到任何关于集成 Struts2 和 Spring Security 的教程.

I've done tons of googling regarding this issue and up to now I could not find any tutorial regarding integrating Struts2 and Spring Security.

我的问题是如何集成 Spring Security 和 Struts2?

My question is that How would I integrate Spring Security and Struts2?

如果我希望限制某些操作或页面，例如管理页面/url 只能由管理员访问，以及其他类似的事情，如果用户尝试访问该页面，他或她将被重定向到另一个页面.

Where I want certain actions or pages to be restricted, like the admin page/url should be accessed only by an administrator and other things like that if a user tried to accessed that page he or she would be redirected to another page.

推荐答案

假设您需要保护 /admin/* 路径上可访问的内容.您需要在 web.xml 中声明 Spring Security 过滤器，Struts 过滤器应该紧随其后，这样如果您访问 /admin 它将由 Spring Security 处理先请求，然后根据用户的角色让它通过或阻止它:

Let's say you need to secure what's accessible on the /admin/* path. You need to declare the Spring Security Filter in your web.xml, the Struts filter should come after so that if you are accessing /admin it will be Spring Security that handle the request first and will be able to let it pass or block it depending on the role of the user:

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/admin/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

然后你声明你的 spring 安全上下文:

You then declare your spring security context:

<http>
    <intercept-url pattern="/*" filters="none" />
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />           
    <form-login login-page="/login" />
    <logout logout-url="/logout" />
</http>

我建议您使用 struts2-convention 插件，以便像 /login 这样的 URL 自动绑定到一个名为的类，比如说 com.foo.bar.actions.LoginAction.LogoutAction

I propose that you use the struts2-convention plugin so that URLs like /login are bound automatically to a class named let's say com.foo.bar.actions.LoginAction. Same for LogoutAction

现在 /admin/* 下的内容应该由 Spring Security 保护，其余的应该直接转发到 Struts2 过滤器.

Now what is under /admin/* should be secured by Spring Security, and the rest should be forwarded directly to the Struts2 filter.

最后，在您的 JSP 中，您可以检查某人是否是管理员:

Finally, in your JSP you can check if someone is an Admin with:

<sec:authorize access="hasRole('ROLE_ADMIN')">
   <p>you are an admin</p>
</sec:authorize>

其余的可以在任何 Spring Security 教程中找到.真正重要的是过滤器声明的顺序，spring security 必须是第一位的.

The rest can be found in any Spring Security tutorial. What's really important is the order of the filters declaration, spring security must be first.

在google上搜索，也有这个链接对你有帮助.

searching on google, there is also this link that can be of help for you.

这篇关于如何集成 Spring Security 和 Struts2的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！