Spring DelegatingFilterProxy is being registered on an incorrect path
I have a Spring Boot application with custom Spring Security. I am trying to change the path on which springSecurityFilterChain is registered. I tried the following approach:

Properties:
# spring
spring.application.name = rest
spring.main.web-environment = true
# security
security.basic.enabled=false
# management
management.port = 80
management.ssl.enabled = false
management.context-path = /actuator
management.security.enabled = false
# server
server.port = 443
server.ssl.enabled = true
server.ssl.key-alias = tomcat
server.ssl.key-store = /usr/app/.keystore
server.ssl.key-store-password = tomcat
Main:
Web security configuration:
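package com.example.security.config;

import java.util.Arrays;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.security.web.context.NullSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.filter.CompositeFilter;
import org.springframework.web.filter.DelegatingFilterProxy;

// The Token/SSE/HMAC providers and filters and CustomAuthenticationEntryPoint
// are the application's own classes; their sources are not shown.
@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private TokenAuthenticationProvider tokenAuthenticationProvider;

    @Autowired
    private SSEAuthenticationProvider sseAuthenticationProvider;

    @Autowired
    private HMACAuthenticationProvider hmacAuthenticationProvider;

    @Autowired
    private CustomAuthenticationEntryPoint customAuthenticationEntryPoint;

    // Stateless: no security context is stored between requests.
    @Bean
    public SecurityContextRepository securityContextRepository() {
        return new NullSecurityContextRepository();
    }

    @Bean
    public TokenAuthenticationFilter tokenAuthenticationFilter() {
        return new TokenAuthenticationFilter();
    }

    @Bean
    public HMACAuthenticationFilter hmacAuthenticationFilter() {
        return new HMACAuthenticationFilter();
    }

    @Bean
    public SSEAuthenticationFilter sseAuthenticationFilter() {
        return new SSEAuthenticationFilter();
    }

    @Bean
    public CompositeFilter authFilters() {
        CompositeFilter filter = new CompositeFilter();
        filter.setFilters(Arrays.asList(hmacAuthenticationFilter(), tokenAuthenticationFilter()));
        return filter;
    }

    // Attempt to register springSecurityFilterChain on /services/* only.
    @Bean
    public FilterRegistrationBean securityFilterChainRegistration() {
        DelegatingFilterProxy delegatingFilterProxy = new DelegatingFilterProxy();
        delegatingFilterProxy.setTargetBeanName(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);
        FilterRegistrationBean registration = new FilterRegistrationBean(delegatingFilterProxy);
        registration.addUrlPatterns("/services/*");
        registration.setName(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME);
        registration.setAsyncSupported(true);
        return registration;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .requiresChannel()
                .and()
            .exceptionHandling().authenticationEntryPoint(customAuthenticationEntryPoint)
                .and()
            .anonymous()
                .and()
            .securityContext().securityContextRepository(securityContextRepository())
                .and()
            .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/services/**").permitAll()
                .antMatchers(HttpMethod.POST, "/services/users/authentication").permitAll()
                .antMatchers(HttpMethod.POST, "/services/users").permitAll()
                .antMatchers(HttpMethod.GET, "/services/users/*/sessions/*").permitAll()
                .antMatchers("/actuator/**").permitAll()
                .antMatchers("/services/notifications").hasRole("USER")
                .anyRequest().hasRole("USER")
                .and()
            .addFilterBefore(sseAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(authFilters(), UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(tokenAuthenticationProvider)
            .authenticationProvider(sseAuthenticationProvider)
            .authenticationProvider(hmacAuthenticationProvider);
    }
}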
But in the logs I still see:
2017-03-12 14:11:27.899 INFO 5 --- [ main] o.s.b.f.s.DefaultListableBeanFactory : Overriding bean definition for bean 'securityFilterChainRegistration' with a different definition: replacing [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=restApplication; factoryMethodName=securityFilterChainRegistration; initMethodName=null; destroyMethodName=(inferred); defined in com.example.RestApplication] with [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=org.springframework.boot.autoconfigure.security.SecurityFilterAutoConfiguration; factoryMethodName=securityFilterChainRegistration; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [org/springframework/boot/autoconfigure/security/SecurityFilterAutoConfiguration.class]]
....
[ost-startStop-1] .s.DelegatingFilterProxyRegistrationBean : Mapping filter: 'springSecurityFilterChain' to: [/*]
At the same time, I have other FilterRegistrationBeans, and they are registered correctly:
2017-03-12 14:11:35.669 INFO 5 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'headerHttpMethodOverrideFilter' to urls: [/services/*]
Can you suggest a correct configuration?
Thanks.

Spring Boot doesn't support reconfiguring the path patterns of the security filter in this way, as it is a very unusual thing to do. The recommendation is to configure the filter to cover all paths and then use Spring Security's standard configuration mechanisms to control which paths are secured and which are not.

If you really do want to customise the filter's paths, you have two options:

1. Use the exclude attribute on @SpringBootApplication to disable SecurityFilterAutoConfiguration, and configure the filter yourself, including setting its order and dispatcher types. This approach means that any of the filter-related security.* properties will have no effect.
2. Use a BeanPostProcessor to set the URL patterns on the registration bean. You can identify it by the bean's name, which will be springSecurityFilterChain. This approach means that the security.* properties can still be used.
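
The second option above, sketched as an added example (not code from the original question or answer). It matches the auto-configured registration by type and by the bean name securityFilterChainRegistration that the startup log in the question reports; the class name SecurityFilterPathPostProcessor is hypothetical. With this in place, requests outside /services/*, including /actuator, never reach Spring Security, so the antMatchers rules for those paths no longer apply.

```java
package com.example.security.config;

import java.util.Collections;

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.boot.web.servlet.DelegatingFilterProxyRegistrationBean;
import org.springframework.stereotype.Component;

// Added example: narrows the servlet mapping of the auto-configured
// springSecurityFilterChain registration instead of replacing the bean.
@Component
public class SecurityFilterPathPostProcessor implements BeanPostProcessor {

    // Bean name as printed in the question's startup log for the bean
    // defined by SecurityFilterAutoConfiguration.
    private static final String REGISTRATION_BEAN = "securityFilterChainRegistration";

    // Pattern from the question; paths outside it bypass Spring Security entirely.
    private static final String SECURED_PATTERN = "/services/*";

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName)
            throws BeansException {
        return bean;
    }

    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName)
            throws BeansException {
        // Check both name and type so no other filter registration is touched.
        if (REGISTRATION_BEAN.equals(beanName)
                && bean instanceof DelegatingFilterProxyRegistrationBean) {
            DelegatingFilterProxyRegistrationBean registration =
                    (DelegatingFilterProxyRegistrationBean) bean;
            // Runs before the embedded container applies the registration,
            // so the filter is mapped to this pattern rather than to /*.
            registration.setUrlPatterns(Collections.singletonList(SECURED_PATTERN));
        }
        return bean;
    }
}
```

The hand-written securityFilterChainRegistration bean from the question should be removed when using this, since the log shows the auto-configured definition overrides it anyway. The startup line "Mapping filter: 'springSecurityFilterChain' to:" is the place to confirm the resulting pattern.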