Spring Security not intercepting correctly?

Tags: spring, spring-boot, spring-security

I have a Spring Boot configuration that looks like this:

http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
    .addFilterBefore( new Filter(), UsernamePasswordAuthenticationFilter.class)
    .csrf().disable() // Disabled, cause enabling it will cause sessions
    .headers()
        .frameOptions()
        .sameOrigin()
        .addHeaderWriter(new XXssProtectionHeaderWriter())
        .and()
    .authorizeRequests()
        .antMatchers("/app/**", "/rest/**").hasAuthority(DefaultPrivileges.ACCESS_TASK)
        .anyRequest().permitAll();
My understanding is that only requests starting with /app or /rest would be intercepted by my custom filter, but it turns out that a request sent to the root (http://localhost:8080/context/) is intercepted as well.

I have several Spring Security configurations; the others look like this:

http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
    .csrf().disable();

if (taskAppProperties.isRestEnabled()) {
    if (restAppProperties.isVerifyRestApiPrivilege()) {
        http
            .antMatcher("/*-api/**")
            .authorizeRequests()
                .antMatchers("/*-api/**").hasAuthority(DefaultPrivileges.ACCESS_REST_API)
                .and()
            .httpBasic();
    } else {
        http
            .antMatcher("/*-api/**")
            .authorizeRequests()
                .antMatchers("/*-api/**").authenticated()
                .and()
            .httpBasic();
    }
} else {
    http
        .antMatcher("/*-api/**")
        .authorizeRequests()
            .antMatchers("/*-api/**").denyAll();
}

Can anyone help?

HttpSecurity.authorizeRequests returns an ExpressionInterceptUrlRegistry; the matchers and role conditions we set there are added through the ExpressionInterceptUrlRegistry.getRegistry method. If you check the other usages of that method, it is only consulted at the permitAll stub, where the actual authorization check happens.

The filter we add with HttpSecurity.addFilterBefore does not check any request matching at all. If you need that, you can do one more check inside the custom filter to skip the other URIs:

// Needs javax.servlet.{Filter, FilterChain, FilterConfig, ServletException, ServletRequest, ServletResponse},
// javax.servlet.http.HttpServletRequest and java.io.IOException
http
  .sessionManagement()
  .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
  .and()
  .addFilterAfter( new Filter() {
      @Override
      public void init(FilterConfig filterConfig) throws ServletException {

      }

      @Override
      public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
          HttpServletRequest httpServletRequest = ((HttpServletRequest) request);
          // getRequestURI() includes the context path ("/context/app/..."), so strip it before
          // comparing; otherwise nothing matches when the app is deployed under a context path
          String path = httpServletRequest.getRequestURI()
                  .substring(httpServletRequest.getContextPath().length());
          if (path.startsWith("/app/") || path.startsWith("/rest/")) {
              // Do your secured filter computations here

          }
          chain.doFilter(request, response);
      }

      @Override
      public void destroy() {

      }}, UsernamePasswordAuthenticationFilter.class)
  .csrf()
  .disable() // Disabled, cause enabling it will cause sessions
  .headers()
  .frameOptions()
  .sameOrigin()
  .addHeaderWriter(new XXssProtectionHeaderWriter())
  .and()
  .authorizeRequests()
  .antMatchers("/app/**", "/rest/**")
  .hasAuthority(DefaultPrivileges.ACCESS_TASK)
  .anyRequest()
  .permitAll();
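A more idiomatic way to get the same scoping, added here as an example and not part of the answer above: extend Spring's OncePerRequestFilter and override shouldNotFilter with an AntPathRequestMatcher. The matcher compares the context-relative path, so a deployment under /context/ behaves exactly like one at the root, and the filter body is simply never entered for the context root. The class name TaskScopedFilter and the X-Task-Token header are assumptions made for illustration; the main method uses spring-test's MockHttpServletRequest with two constructed requests.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Added example (not from the original question or answers). A filter that only
 * does work for /app/** and /rest/**, no matter where it sits in the Spring
 * Security chain. AntPathRequestMatcher compares the context-relative path, so
 * http://localhost:8080/context/ is skipped and /context/app/tasks is handled;
 * a raw getRequestURI().startsWith("/app/") would never match behind a context path.
 */
public class TaskScopedFilter extends OncePerRequestFilter {

    private static final RequestMatcher PROTECTED_PATHS = new OrRequestMatcher(
            new AntPathRequestMatcher("/app/**"),
            new AntPathRequestMatcher("/rest/**"));

    /** Everything outside /app and /rest bypasses doFilterInternal entirely. */
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return !PROTECTED_PATHS.matches(request);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Reached only for /app/** and /rest/**. The X-Task-Token header is a
        // hypothetical credential, used here to show a fail-closed check.
        String token = request.getHeader("X-Task-Token");
        if (token == null || token.isEmpty()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing X-Task-Token");
            return; // do not fall through to the rest of the chain
        }
        // validate the token and populate SecurityContextHolder here (left out)
        chain.doFilter(request, response);
    }

    /** Offline check of the scoping with constructed requests (needs spring-test). */
    public static void main(String[] args) {
        TaskScopedFilter filter = new TaskScopedFilter();

        MockHttpServletRequest root = new MockHttpServletRequest("GET", "/context/");
        root.setContextPath("/context");
        root.setServletPath("/");

        MockHttpServletRequest app = new MockHttpServletRequest("GET", "/context/app/tasks");
        app.setContextPath("/context");
        app.setServletPath("/app/tasks");

        System.out.println("root skipped: " + filter.shouldNotFilter(root));
        System.out.println("app skipped:  " + filter.shouldNotFilter(app));
    }
}
```

Register it exactly as in the question, `http.addFilterBefore(new TaskScopedFilter(), UsernamePasswordAuthenticationFilter.class)`; the chain position is unchanged, only the filter itself now decides which paths it touches. Note the fail-closed branch: an early `return` without `chain.doFilter` is what stops an unauthenticated /app request, whereas the anonymous filter above always continues the chain and relies on authorizeRequests afterwards.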

I realize this is a bit confusing, but there really are two antMatchers methods: one branches off authorizeRequests, the other off requestMatchers.

Let's look at the following declaration:

http
    .requestMatchers()
        .antMatchers("/app/**", "/api/**")
        .and()
    .authorizeRequests()
        .antMatchers("...").authenticated()
    ...

Here the antMatchers call belongs to requestMatchers(). So this filter chain applies only to URIs that start with /app or /api.

Now let's look at another one:

http
    .authorizeRequests()
        .antMatchers("/app/**", "/api/**")
        .authenticated();

While this looks like it does the same thing, it does not. That is because you are calling the antMatchers method that belongs to authorizeRequests().

That is why you want to indent: the DSL has a hierarchy, so you indent it the way you would indent an if statement.

In Spring Security 5.2, the new lambda DSL makes this simpler:

http
    .requestMatchers(r -> r.antMatchers("/app/**", "/api/**"))
    .authorizeRequests(a -> a.antMatchers("...").authenticated());
http.authorizeRequests() means http.antMatcher("/**").authorizeRequests(). That is, every URL will be intercepted and go through the authorization check. If you want to restrict this http security configuration to a small set of URLs, you should use http.antMatcher("/app/**", "/rest/**").authorizeRequests(), or, for the advanced case, use requestMatcher, as shown in
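Putting the two answers above together, as an added example that is not from the original post: three ordered WebSecurityConfigurerAdapter chains written in the 5.2 lambda DSL, where the chain that carries the custom filter is scoped with requestMatchers(), so a request to the context root never enters that chain and the filter never sees it. This assumes Spring Security 5.2 to 5.7 (WebSecurityConfigurerAdapter was removed in 6.0), DefaultPrivileges with the constants used in the question, and a TaskFilter class implementing javax.servlet.Filter defined elsewhere (hypothetical).

```java
// Added example, not the original poster's or Flowable's configuration.
// Assumes Spring Security 5.2-5.7, DefaultPrivileges from the question and a
// hypothetical javax.servlet.Filter implementation named TaskFilter.
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
public class ScopedSecurityConfig {

    /**
     * Chain 1: consulted only for /app/** and /rest/**. The scope is set with
     * requestMatchers(), not authorizeRequests().antMatchers(), so a request to
     * the context root is matched by none of these patterns, never enters this
     * chain, and therefore never reaches TaskFilter.
     */
    @Configuration
    @Order(1)
    public static class TaskAppSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers(r -> r.antMatchers("/app/**", "/rest/**"))
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .csrf(c -> c.disable()) // stateless, token-based; no session to protect
                .headers(h -> h.frameOptions(f -> f.sameOrigin()))
                .addFilterBefore(new TaskFilter(), UsernamePasswordAuthenticationFilter.class)
                // anyRequest() here means "any request already inside this chain's scope"
                .authorizeRequests(a -> a.anyRequest().hasAuthority(DefaultPrivileges.ACCESS_TASK));
        }
    }

    /**
     * Chain 2: the REST API under /*-api/** with HTTP Basic, as in the
     * question's second configuration. antMatcher(String) is the single-pattern
     * form of the same scoping idea.
     */
    @Configuration
    @Order(2)
    public static class ApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/*-api/**")
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .csrf(c -> c.disable())
                .authorizeRequests(a -> a.anyRequest().hasAuthority(DefaultPrivileges.ACCESS_REST_API))
                .httpBasic(Customizer.withDefaults());
        }
    }

    /**
     * Chain 3: everything else, the context root included. No request matcher,
     * so it is the catch-all, and it must carry the lowest precedence or it
     * would swallow the requests meant for chains 1 and 2.
     */
    @Configuration
    @Order(3)
    public static class PublicSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf(c -> c.disable())
                .authorizeRequests(a -> a.anyRequest().permitAll());
        }
    }
}
```

The first chain whose matcher accepts a request handles it and the others are not consulted, so the @Order values are part of the security policy: if the catch-all were ordered first, /app/** would be permitAll and the filter would never run. A quick way to confirm the scoping at startup is to enable DEBUG logging for org.springframework.security.web.FilterChainProxy, which logs which chain each request is dispatched to.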