Spring Security not intercepting correctly?

I have a Spring Boot configuration that looks like this:
```java
http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
    .addFilterBefore(new Filter(), UsernamePasswordAuthenticationFilter.class)
    .csrf().disable() // Disabled, cause enabling it will cause sessions
    .headers()
        .frameOptions()
            .sameOrigin()
        .addHeaderWriter(new XXssProtectionHeaderWriter())
        .and()
    .authorizeRequests()
        .antMatchers("/app/**", "/rest/**").hasAuthority(DefaultPrivileges.ACCESS_TASK)
        .anyRequest().permitAll();
```
My understanding was that only requests starting with /app or /rest would be intercepted by my custom filter, but it turns out that a request to the root (http://localhost:8080/context/) is intercepted as well.
I have multiple Spring Security configurations; the other one looks like this:
```java
http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
    .csrf().disable();

if (taskAppProperties.isRestEnabled()) {
    if (restAppProperties.isVerifyRestApiPrivilege()) {
        http
            .antMatcher("/*-api/**")
            .authorizeRequests()
                .antMatchers("/*-api/**").hasAuthority(DefaultPrivileges.ACCESS_REST_API)
                .and()
            .httpBasic();
    } else {
        http
            .antMatcher("/*-api/**")
            .authorizeRequests()
                .antMatchers("/*-api/**").authenticated()
                .and()
            .httpBasic();
    }
} else {
    http
        .antMatcher("/*-api/**")
        .authorizeRequests()
            .antMatchers("/*-api/**").denyAll();
}
```
Can anyone help?
HttpSecurity.authorizeRequests returns an ExpressionInterceptUrlRegistry, on which we set the matchers and role conditions; these are added through the method ExpressionInterceptUrlRegistry.getRegistry. If you check the other usages of that method, it is added only at the permitAll stub, where the actual authentication happens.

The filter we add with HttpSecurity.addFilterBefore does not check for any request matching. If needed, you can do one more check inside the custom filter to avoid other URIs:
```java
http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
    .addFilterAfter(new Filter() {
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            // getRequestURI() includes the servlet context path ("/context/app/..."),
            // so strip it first; otherwise nothing matches when the app runs under a context path
            String path = httpServletRequest.getRequestURI()
                    .substring(httpServletRequest.getContextPath().length());
            if (path.startsWith("/app/") || path.startsWith("/rest/")) {
                // Do your secured filter computations here
            }
            // Always continue the chain; this filter only observes, it does not decide
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() {
        }
    }, UsernamePasswordAuthenticationFilter.class)
    .csrf()
        .disable() // Disabled, because enabling it will cause sessions
    .headers()
        .frameOptions()
            .sameOrigin()
        .addHeaderWriter(new XXssProtectionHeaderWriter())
        .and()
    .authorizeRequests()
        .antMatchers("/app/**", "/rest/**")
            .hasAuthority(DefaultPrivileges.ACCESS_TASK)
        .anyRequest()
            .permitAll();
```
I realize this is a bit confusing, but there are actually two antMatchers methods, one branching off authorizeRequests and the other off requestMatchers.
Let's look at the following declaration:

```java
http
    .requestMatchers()
        .antMatchers("/app/**", "/api/**")
        .and()
    .authorizeRequests()
        .antMatchers("...").authenticated()
    ...
```
Take note of requestMatchers(). As a result, this filter chain only applies to URIs that begin with /app or /api.
Let's look at another one:

```java
http
    .authorizeRequests()
        .antMatchers("/app/**", "/api/**")
            .authenticated();
```
While this looks like it does the same thing, it does not. That is because you are calling the antMatchers method that belongs to authorizeRequests().
That is why, since there is a hierarchy in the DSL, you want to indent, just as you would indent an if statement.
In Spring Security 5.2, the new lambda DSL simplifies this:

```java
http
    .requestMatchers(r -> r.antMatchers("/app/**", "/api/**"))
    .authorizeRequests(a -> a.antMatchers("...").authenticated());
```
http.authorizeRequests() means http.antMatcher("/**").authorizeRequests(). That means every URL is intercepted and goes through the authorization check. If you want to restrict the HTTP security configuration to a small set of URLs, you should go with http.antMatcher("/app/**", "/rest/**").authorizeRequests() or, for the advanced case, requestMatcher, as shown in