1

我有一个使用spring(也是spring security)的应用程序,通过在applicationContext.xml中指定如下所示,很少有服务被保留在安全资源集之外:

<http pattern="/services/rest/nohisb/Msgs" security="none"/>

现在这些服务只需要通过 https 访问。容器配置为具有 https。要求是当用户在 http 上访问上述服务时,他应该被重定向到 https(端口号也会改变,因为它不是默认的 443)。

是否有可能通过 spring 实现这一目标?

感谢
Nohsib

4

3 回答 3

2

是的,可以使用Spring Channel ProcessingPortMapper来实现

Spring Channel Processing 用于定义 http/https 访问 URL 模式。例如-

HTTPS 访问 URL-

https://localhost/myapp/user/myaccount

Http:访问 URL-

http://localhost/myapp/home

然后,如果用户以 http 模式访问安全 URL“ http://localhost/myapp/user/myaccount ”,spring 通道安全将用户重定向到安全 URL“ https://localhost/myapp/user/myaccount ”,反之亦然。

PortMapper Bean 用于映射非标准端口号,用于 HTTP 和 HTTPS 映射

示例配置:

通道处理 Bean 定义和端口映射器-

<bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
  <property name="channelDecisionManager" ref="channelDecisionManager"/>
  <property name="securityMetadataSource">
        <security:filter-security-metadata-source path-type="ant">
            <security:intercept-url pattern="/services/rest/nohisb/Msgs**" access="REQUIRES_SECURE_CHANNEL" />
            <security:intercept-url pattern="/**/*.html**" access="REQUIRES_SECURE_CHANNEL" />

            <!-- more pattern definition -->

        </security:filter-security-metadata-source>
  </property>
</bean>

<bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
  <property name="channelProcessors">
    <list>
        <ref bean="secureChannelProcessor"/>
        <ref bean="insecureChannelProcessor"/>
    </list>
  </property>
</bean>

<bean id="secureChannelProcessor" class="org.springframework.security.web.access.channel.SecureChannelProcessor">
    <property name="entryPoint" ref="secureEntryPoint"/>
</bean>

<bean id="insecureChannelProcessor" class="org.springframework.security.web.access.channel.InsecureChannelProcessor">
    <property name="entryPoint" ref="insecureEntryPoint"/>
</bean>

<bean id="secureEntryPoint" class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
    <property name="portMapper" ref="portMapper"/>
</bean>

<bean id="insecureEntryPoint" class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
    <property name="portMapper" ref="portMapper"/>
</bean>

<bean id="portMapper" class="org.springframework.security.web.PortMapperImpl">
    <property name="portMappings">
        <map>
            <entry key="80" value="443"/>
            <entry key="8081" value="8443"/>
            <entry key="8443" value="8081"/>
            <!-- so on... -->
        </map>
    </property>
</bean>

过滤器映射-

<security:http auto-config="false" 
            entry-point-ref="authenticationProcessingFilterEntryPoint" 
            access-decision-manager-ref="accessDecisionManager" >

    <security:custom-filter position="CHANNEL_FILTER" ref="channelProcessingFilter"/>

    <security:intercept-url pattern="/*.html*" access="ROLE_ANONYMOUS,admin,user"  />
    <security:intercept-url pattern="/*.jsp" access="ROLE_ANONYMOUS,admin,user" />

    <!-- more pattern definition -->

</security:http>
于 2012-11-23T20:02:12.520 回答
0

使用http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html#ns-requires-中描述的 Spring Security 命名空间配置不是更简单吗?通道来定义端口映射?

于 2012-12-07T08:10:38.243 回答
0

您可以编写 Servlet 过滤器来检查请求方案和 URL,并在需要时发送重定向。但实际上这些东西不应该在 java 代码中完成,而应该在反向代理或平衡器中完成。通常 servlet 容器在代理 (nginx?) 或 apache (mod_proxy) 后面使用,这是配置 https/http 重定向等的地方。

于 2012-11-22T20:08:50.977 回答