使用 Spring MVC + Security 我有一个业务需求,即来自 SEC(安全团队)的用户对应用程序具有完全访问权限,而 FRAUD(反欺诈团队)只能访问 URL不包含“块”或“ update " 不区分大小写。
下面是spring-security.xml中使用的正则表达式的测试(我不是正则表达式专家,欢迎改进 =]):
import java.util.Arrays;
import java.util.List;
public class RegexTest {
public static void main(String[] args) {
List<String> pathSamples = Arrays.asList(
"/index",
"/index.*",
"/index/",
"/cellphone/block",
"/cellphone/block.*",
"/cellphone/block/",
"/cellphone/confirmBlock",
"/cellphone/confirmBlock.*",
"/cellphone/confirmBlock/",
"/user/update",
"/user/update.*",
"/user/update/",
"/user/index",
"/user/index.*",
"/user/index/",
"/search",
"/search.*",
"/search/",
"/doSearch",
"/doSearch.*",
"/doSearch/");
for (String pathSample : pathSamples) {
System.out.println("Path sample: " + pathSample
+ " - SEC: " + pathSample.matches("^.*$")
+ " | FRAUD: " + pathSample.matches("^(?!.*(?i)(block|update)).*$"));
}
}
}
Bellow,上面Java类的控制台结果:
Path sample: /index - SEC: true | FRAUD: true
Path sample: /index.* - SEC: true | FRAUD: true
Path sample: /index/ - SEC: true | FRAUD: true
Path sample: /cellphone/block - SEC: true | FRAUD: false
Path sample: /cellphone/block.* - SEC: true | FRAUD: false
Path sample: /cellphone/block/ - SEC: true | FRAUD: false
Path sample: /cellphone/confirmBlock - SEC: true | FRAUD: false
Path sample: /cellphone/confirmBlock.* - SEC: true | FRAUD: false
Path sample: /cellphone/confirmBlock/ - SEC: true | FRAUD: false
Path sample: /user/update - SEC: true | FRAUD: false
Path sample: /user/update.* - SEC: true | FRAUD: false
Path sample: /user/update/ - SEC: true | FRAUD: false
Path sample: /user/index - SEC: true | FRAUD: true
Path sample: /user/index.* - SEC: true | FRAUD: true
Path sample: /user/index/ - SEC: true | FRAUD: true
Path sample: /search - SEC: true | FRAUD: true
Path sample: /search.* - SEC: true | FRAUD: true
Path sample: /search/ - SEC: true | FRAUD: true
Path sample: /doSearch - SEC: true | FRAUD: true
Path sample: /doSearch.* - SEC: true | FRAUD: true
Path sample: /doSearch/ - SEC: true | FRAUD: true
测试
方案 1
贝娄, spring-security.xml的重要部分:
<security:http entry-point-ref="entryPoint" request-matcher="regex">
<security:intercept-url pattern="^.*$" access="ROLE_SEC" />
<security:intercept-url pattern="^(?!.*(?i)(block|update)).*$" access="ROLE_FRAUD" />
<security:access-denied-handler error-page="/access-denied.html" />
<security:form-login always-use-default-target="false"
login-processing-url="/doLogin.html"
authentication-failure-handler-ref="authFailHandler"
authentication-success-handler-ref="authSuccessHandler" />
<security:logout logout-url="/logout.html"
success-handler-ref="logoutSuccessHandler" />
</security:http>
行为:
- FRAUD 组**不能”访问任何页面
- SEC小组工作正常
方案 2
请注意,我只在下面的spring-security.xml中更改了intercept-url的顺序:
<security:http entry-point-ref="entryPoint" request-matcher="regex">
<security:intercept-url pattern="^(?!.*(?i)(block|update)).*$" access="ROLE_FRAUD" />
<security:intercept-url pattern="^.*$" access="ROLE_SEC" />
<security:access-denied-handler error-page="/access-denied.html" />
<security:form-login always-use-default-target="false"
login-processing-url="/doLogin.html"
authentication-failure-handler-ref="authFailHandler"
authentication-success-handler-ref="authSuccessHandler" />
<security:logout logout-url="/logout.html"
success-handler-ref="logoutSuccessHandler" />
</security:http>
行为:
- SEC 组**不能”访问任何页面
- FRAUD 组工作正常
结论
我做错了什么或弹簧安全有错误。
问题已经以非常糟糕的方式解决了,但我需要尽快解决。任何人都知道一些技巧可以在不打开框架代码的情况下更好地调试它?
干杯,
费利佩