
在 Spring Security 2.0.4 中,配置声明如下;各过滤器在链中的位置也分别在对应的 bean 声明中指定。

旧的 Security.xml

<!-- Spring Security 2.0.4 namespace configuration (the pre-migration state).
     <sec:intercept-url> entries are evaluated top to bottom and the first
     matching pattern wins, so the /istore/** catch-all must stay last.
     session-fixation-protection="migrateSession": on login a fresh session is
     created and the attributes of the old one are copied into it. -->
<sec:http session-fixation-protection="migrateSession">
    <!-- filters="none" maps a pattern to an EMPTY Spring Security filter chain:
         nothing in Spring Security runs for these requests. requires-channel
         is enforced by ChannelProcessingFilter, which is part of that chain,
         so requires-channel="https" on these six lines is NOT enforced by
         Spring Security; HTTPS for them has to come from the container or a
         front proxy. /logout.hm* also bypasses the chain, so logout here is
         presumably handled by application code (the custom logoutFilter in
         the startup log), not by Spring Security - confirm. -->
    <sec:intercept-url pattern="/login.hm*" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/services/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/widget/**" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/istore/theme/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/logout.hm*" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/mstore/theme/**" filters="none" requires-channel="https"/>
    <!-- Secured area, HTTPS enforced. The specific patterns require ROLE_UU
         only; ROLE_SSS is accepted solely for /istore/** URLs not listed
         above, which is why these rules are not redundant with the
         catch-all. -->
    <sec:intercept-url pattern="/istore/history*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/consumer_goods*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/electronics*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/accessories*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/reward_redemption*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/**" access="ROLE_UU,ROLE_SSS" requires-channel="https"/>
    <!-- Form login; URLs are property placeholders resolved at startup.
         always-use-default-target="false": after login the user is sent back
         to the originally requested URL when one was saved, otherwise to
         default-target-url. Note there is no <sec:logout> element, so Spring
         Security's LogoutFilter is not configured at all in this version. -->
    <sec:form-login
            login-page="${login.url}"
            login-processing-url="${login.processing.url}"
            default-target-url="${setuppassword.page.url}"
            authentication-failure-url="${login.failure.url}" always-use-default-target="false" />
</sec:http>

Spring Security:如何排除某些资源?

https://www.baeldung.com/security-none-filters-none-access-permitAll

主要问题是:某些 URL 模式没有被排除在过滤器之外,也没有为其他模式更精确地设置过滤器。(例如,下面启动日志中 'CustomSecurityHeaderFilter' 映射到的 URL 列表为空,意味着它实际上不会被任何请求触发。)

PS 我们还有 HDIV,它也在迁移中。

  1. 我们如何为特定 URL 配置过滤器和链顺序并忽略一些?
  2. 基于 java 的配置更好还是 XML?

启动日志

INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'characterEncodingFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'httpPutFormContentFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'requestContextFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'springSecurityFilterChain' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'sitemesh' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'CustomSecurityHeaderFilter' to urls: []
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'HttpOnlyCookieFilter' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'ValidatorFilter' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'org.springframework.security.filterChainProxy' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter:'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'httpOnlyCookieFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'logoutFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'iStoreFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'loginFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'preLoginFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: '_formLoginFilter' to: [/*]



我之前问过下面这个问题,因为不够聚焦而被删除了,所以我重新提问并自己回答,因为我觉得它可能对其他人也有用。

https://stackoverflow.com/questions/60221667/custom-filters-being-called-by-spring-and-mapped-to-even-after-specifying-se

要将 Spring Security 迁移到 3 及更高版本,可以直接扩展 WebSecurityConfigurerAdapter 并覆盖其方法,用构建器模式进行基于 Java 的配置,这样更简单、更细粒度、也更容易。(注意:WebSecurityConfigurerAdapter 自 Spring Security 5.7 起已被弃用,并在 6.0 中移除;新代码应改为声明 SecurityFilterChain bean。)

  1. 第一个方法用于添加 URL 模式,并配置角色、身份验证提供程序、身份验证处理程序(成功/失败)、注销及注销处理程序、会话管理,以及在指定位置插入的过滤器集等。
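    /**
     * Declares the secured URL space, login/logout handling and the custom
     * filters for the migrated application (Spring Security 3+ Java config).
     *
     * <p>Authorization rules are matched in declaration order and the first
     * match wins, so the specific {@code /istore/...} patterns must stay above
     * the {@code /istore/**} catch-all. Requests excluded in
     * {@code configure(WebSecurity)} never reach this chain.
     *
     * @param http the builder supplied by {@code WebSecurityConfigurerAdapter}
     * @throws Exception propagated from the builder, as required by the
     *                   overridden signature
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Most specific first: link.jsp is reachable by both authorities,
                // every other JSP under /istore and /mstore needs RESTRICT.
                .antMatchers("/istore/link.jsp").hasAnyAuthority("UU", "SSS")
                .antMatchers("/istore/**/*.jsp").hasAuthority("RESTRICT")
                .antMatchers("/mstore/**/*.jsp").hasAuthority("RESTRICT")
                // NOTE(review): the XML config used ROLE_UU / ROLE_SSS. hasAuthority()
                // compares the literal granted-authority string, so if authProvider
                // still grants "ROLE_UU" these rules deny everyone; use hasRole("UU")
                // or hasAuthority("ROLE_UU") in that case -- confirm against the provider.
                .antMatchers("/istore/card*").hasAuthority("UU")
                .antMatchers("/istore/history*").hasAuthority("UU")
                .antMatchers("/istore/orders*").hasAuthority("UU")
                .antMatchers("/istore/consumer_goods*").hasAuthority("UU")
                .antMatchers("/istore/electronics*").hasAuthority("UU")
                .antMatchers("/istore/reward_redemption*").hasAuthority("UU")
                .antMatchers("/istore/accessories*").hasAuthority("UU")
                .antMatchers("/istore/privelege_card*").hasAuthority("UU")
                .antMatchers("/istore/profile*").hasAuthority("UU")
                .antMatchers("/istore/addresses*").hasAuthority("UU")
                // Catch-all for everything else under /istore.
                .antMatchers("/istore/**").hasAuthority("UU")
                .and()
                // The XML config had requires-channel="https" on every intercepted
                // URL; the first Java version dropped it. Restore the HTTPS
                // requirement. Behind a TLS-terminating proxy the container must
                // honour X-Forwarded-Proto (or equivalent) or this redirects forever.
                .requiresChannel().anyRequest().requiresSecure()
                .and()
                .formLogin()
                .loginPage("/login.hm")
                .failureUrl("/login.hm?err=1")
                .loginProcessingUrl("/istore_check.hm")
                .and()
                .authenticationProvider(authProvider)
                // Default logout URL (/logout); the custom logoutFilter below runs too.
                .logout()
                .and()
                // SECURITY: CSRF protection is switched off while the application
                // uses a cookie-based session and a form login, so state-changing
                // POSTs are not protected by Spring Security, and the default
                // logout endpoint then accepts any HTTP method. Acceptable only if
                // HDIV (mentioned in the question) or another mechanism covers CSRF;
                // otherwise delete this line.
                .csrf().disable()
                // Custom filters. addFilterAt() places the filter at the position of
                // the named built-in filter but does not replace it, so the form-login
                // UsernamePasswordAuthenticationFilter still runs alongside
                // authenticationProcessingFilter.
                .addFilterBefore(iStoreFilter, ChannelProcessingFilter.class)
                .addFilterAfter(loginFilter, BasicAuthenticationFilter.class)
                .addFilterAt(logoutFilter, org.springframework.security.web.authentication.logout.LogoutFilter.class)
                .addFilterAt(authenticationProcessingFilter, UsernamePasswordAuthenticationFilter.class)
                // Same behaviour as the old session-fixation-protection="migrateSession".
                .sessionManagement().sessionFixation().migrateSession();
    }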
  1. 第二个方法让特定 URL 模式完全跳过 Spring Security 过滤器链。注意:被忽略的请求不会得到任何 Spring Security 处理(没有授权检查、安全响应头、会话固定保护或 CSRF 检查),因此只应用于真正的静态资源;登录/注销等公开页面更适合在 authorizeRequests() 中用 permitAll() 放开。
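    /**
     * Takes the listed URL patterns out of the Spring Security filter chain
     * entirely - the Java-config counterpart of the old {@code filters="none"}.
     *
     * <p>Ignored requests receive none of Spring Security's processing: no
     * authorization, no session-fixation protection, no security headers and
     * no CSRF check. That is appropriate for static content (themes, js,
     * resources) but the reference documentation recommends
     * {@code permitAll()} inside {@code authorizeRequests()} for anything that
     * is not static, so the login/logout/registration pages - and especially
     * {@code /services/**}, which is ignored for every HTTP method - deserve a
     * second look.
     *
     * @param web the builder supplied by {@code WebSecurityConfigurerAdapter}
     * @throws Exception propagated from the builder, as required by the
     *                   overridden signature
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
                // No method restriction: every verb under /services/** bypasses
                // Spring Security. Assumed to authenticate on its own - confirm.
                .antMatchers("/services/**")
                .antMatchers(HttpMethod.GET, "/monitor/health")
                .antMatchers(HttpMethod.GET, "/widget/**")
                // GET-only: the login POST to /istore_check.hm still goes
                // through the secured chain.
                .antMatchers(HttpMethod.GET, "/login.hm*")
                .antMatchers(HttpMethod.GET, "/istore/login.jsp")
                .antMatchers(HttpMethod.GET, "/istore/logout.jsp")
                .antMatchers(HttpMethod.GET, "/registration.hm*")
                .antMatchers(HttpMethod.GET, "/tnc.hm*")
                .antMatchers(HttpMethod.GET, "/istore/clicktochat/**")
                .antMatchers(HttpMethod.GET, "/logout.hm")
                // Static content.
                .antMatchers(HttpMethod.GET, "/istore/theme/**")
                .antMatchers(HttpMethod.GET, "/mstore/theme/**")
                .antMatchers(HttpMethod.GET, "/js/**")
                .antMatchers(HttpMethod.GET, "/breeze/**")
                .antMatchers(HttpMethod.GET, "/resources/**")
                // The original listing was missing the terminating semicolon here.
                .antMatchers(HttpMethod.GET, "/crossdomain.xml");
    }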
  1. 第三个方法用于暴露身份验证管理器 bean:它以前以 _authenticationManager 的名字隐式可用,现在需要像下面这样显式声明为 bean,以便注入到你的 AbstractAuthenticationProcessingFilter 实现中(该基类以前叫 AbstractProcessingFilter)。
    /**
     * Publishes the adapter's {@link AuthenticationManager} as a named bean.
     *
     * <p>The XML namespace configuration exposed it implicitly as
     * {@code _authenticationManager}; with Java config it has to be declared
     * explicitly so the custom {@code AbstractAuthenticationProcessingFilter}
     * can have it injected.
     *
     * @return the {@link AuthenticationManager} assembled by the adapter
     * @throws Exception propagated from {@code super.authenticationManagerBean()}
     */
    @Override
    @Bean(name = "authenticationManagerBean")
    public AuthenticationManager authenticationManagerBean() throws Exception {
        final AuthenticationManager manager = super.authenticationManagerBean();
        return manager;
    }

PS:从 3 及更低版本、且使用基于 XML 配置的项目迁移时,请务必检查 web.xml,因为 servlet 和过滤器的注册是关键环节;如果这一步做得不够精确,你会发现自己在别处徒劳地调试。如果正在使用 HDIV,请先将其移除并单独迁移,而不是与 Spring Security 一起迁移。

于 2020-04-04T06:36:43.503 回答