Java Spring Security 3.1 custom filter problem. Anonymous URL exclude problem

Tags: java, spring, rest, cookies, spring-security

I'm developing a RESTful API. I have two types of security restriction on my URLs:
- /rest/autenticate (anonymous, to generate a token and receive a cookie)
- /rest/** (handled by AuthenticationTokenProcessingFilter, which gets the cookie and checks it)

The main idea is to access /authenticate anonymously to get the cookie, and to access the other /rest/users, /rest/... using that cookie, checking its validity in the custom filter.

This is my http config:
<http realm="Protected REST API" pattern="/rest/**" use-expressions="true" auto-config="false" create-session="stateless" entry-point-ref="RestAuthenticationEntryPoint">
<custom-filter ref="AuthenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" />
<intercept-url pattern="/rest/authenticate*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/rest/**" access="isAuthenticated()"/>
</http>
I thought this filter would only fire when the URL is restricted. Maybe it always fires and I have to check manually whether the role is anonymous.
Will vote and check the solution.

The filter is always executed for all /rest URLs. So.. what can I do? Check whether the request needs processing or can simply be passed through.

Yes, but in doFilter how can I check whether the role is anonymous?

You can't check for anonymous (due to the position in the lifecycle); you can check whether the user is authenticated. Just call SecurityContextHolder.getContext().getAuthentication().isAuthenticated(), or you can try to get SecurityExpressionOperations in the filter, and then you can ask it some questions.
<b:bean id="RestAuthenticationEntryPoint" class="**.web.security.RestAuthenticationEntryPoint" />
<b:bean id="customAuthenticationManager" class="**.web.security.CustomAuthenticationManager"/>
<b:bean id="AuthenticationTokenProcessingFilter" class="**.web.security.AuthenticationTokenProcessingFilter">
<b:constructor-arg type="**.web.security.CustomAuthenticationManager" ref="customAuthenticationManager"></b:constructor-arg>
</b:bean>
<b:bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<b:property name="authenticationEntryPoint" ref="RestAuthenticationEntryPoint"/>
<b:property name="accessDeniedHandler" ref="accessDeniedHandler"/>
</b:bean>
<b:bean id="accessDeniedHandler" class="**.web.security.RestAccessDeniedHandler">
<b:property name="accessDeniedUrl" value="403" />
</b:bean>
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.filter.GenericFilterBean;

public class AuthenticationTokenProcessingFilter extends GenericFilterBean {

    @Autowired
    UserService userService;

    @Autowired
    TokenUtilsService tokenUtilsService;

    // Injected through the constructor-arg in the bean definition above
    CustomAuthenticationManager customAuthenticationManager;

    public AuthenticationTokenProcessingFilter(CustomAuthenticationManager customAuthenticationManager) {
        this.customAuthenticationManager = customAuthenticationManager;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Check the cookie by calling customAuthenticationManager.authenticate
        chain.doFilter(request, response);
    }
}
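Below is an added example of how the filter can skip the anonymous URL and validate the cookie for everything else; it is not the original poster's code or a Spring Security class. Two caveats worth knowing before copying the comment's advice: at the FORM_LOGIN_FILTER position with create-session="stateless", SecurityContextHolder.getContext().getAuthentication() is still null for an unauthenticated request, because AnonymousAuthenticationFilter runs later in the chain, so calling isAuthenticated() on it throws a NullPointerException; and matching the request against the same Ant pattern as the IS_AUTHENTICATED_ANONYMOUSLY intercept-url is a simpler and more robust exclusion than asking the security context. The cookie name AUTH_TOKEN, the use of a PreAuthenticatedAuthenticationToken carrying the raw token as principal, and an AuthenticationManager bean that validates it are all assumptions; AntPathRequestMatcher lives in org.springframework.security.web.util in Spring Security 3.1 (it moved to the web.util.matcher package in 3.2).

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.util.AntPathRequestMatcher; // Spring Security 3.1 package
import org.springframework.security.web.util.RequestMatcher;
import org.springframework.web.filter.GenericFilterBean;
import org.springframework.web.util.WebUtils;

// Example filter (not the original post's code).
public class AuthenticationTokenProcessingFilter extends GenericFilterBean {

    // Assumed cookie name; the original post never names the cookie.
    private static final String TOKEN_COOKIE = "AUTH_TOKEN";

    // Same pattern as the IS_AUTHENTICATED_ANONYMOUSLY intercept-url, so the two stay in sync.
    private final RequestMatcher anonymousUrls = new AntPathRequestMatcher("/rest/authenticate*");
    private final AuthenticationManager authenticationManager; // assumed: validates the token
    private final AuthenticationEntryPoint entryPoint;         // the RestAuthenticationEntryPoint bean

    public AuthenticationTokenProcessingFilter(AuthenticationManager authenticationManager,
                                               AuthenticationEntryPoint entryPoint) {
        this.authenticationManager = authenticationManager;
        this.entryPoint = entryPoint;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. The anonymous endpoint never needs a token: pass straight through.
        if (anonymousUrls.matches(request)) {
            chain.doFilter(req, res);
            return;
        }

        // 2. Do not consult SecurityContextHolder here: at this position in a stateless
        //    chain getAuthentication() is still null (AnonymousAuthenticationFilter runs later).
        Cookie cookie = WebUtils.getCookie(request, TOKEN_COOKIE);
        if (cookie == null || cookie.getValue() == null || cookie.getValue().isEmpty()) {
            // No token: leave the context empty. AnonymousAuthenticationFilter then marks the
            // request anonymous, the isAuthenticated() rule on /rest/** rejects it, and
            // ExceptionTranslationFilter hands it to the 401 entry point.
            chain.doFilter(req, res);
            return;
        }

        try {
            // 3. Assumed contract: the AuthenticationManager accepts a
            //    PreAuthenticatedAuthenticationToken whose principal is the raw token value and
            //    returns a fully populated Authentication, or throws AuthenticationException.
            Authentication authRequest = new PreAuthenticatedAuthenticationToken(cookie.getValue(), "N/A");
            Authentication authResult = authenticationManager.authenticate(authRequest);
            SecurityContextHolder.getContext().setAuthentication(authResult);
        } catch (AuthenticationException ex) {
            // 4. A present but invalid token is rejected right here with the REST entry point
            //    (401) instead of being silently downgraded to an anonymous request.
            SecurityContextHolder.clearContext();
            entryPoint.commence(request, response, ex);
            return;
        }

        chain.doFilter(req, res);
    }
}
```

With this constructor the bean definition needs two constructor-arg elements (the AuthenticationManager and the RestAuthenticationEntryPoint bean) instead of the single CustomAuthenticationManager argument shown above. Because the http element is stateless, SecurityContextPersistenceFilter discards the context at the end of every request, so the token has to be re-validated on each call; for the same reason the cookie issued by /rest/authenticate should be set HttpOnly and Secure, since it is the only credential the client holds.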