【问题标题】:Failing to exclude some URLs from Spring Security protection无法从 Spring Security 保护中排除某些 URL
【发布时间】:2016-07-17 08:29:02
【问题描述】:

我们有以下spring安全配置:

<bean id="authenticationSuccessHandler" class="***.JsonAuthenticationSuccessHandler"/>

    <bean id="logoutSuccessHandler" class="***.web.security.***UrlLogoutSuccessHandler">
        <property name="redirectStrategy" ref="noRedirectStrategy"/>
    </bean>

    <bean id="authenticationFailureHandler"
          class="***.web.security.***UrlAuthenticationFailureHandler"/>

    <bean id="httpStatusEntryPoint" class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
        <constructor-arg value="UNAUTHORIZED"/>
    </bean>

    <security:http auto-config="true" use-expressions="false" entry-point-ref="httpStatusEntryPoint">
        <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrentSessionFilter"/>

        <security:form-login
                authentication-success-handler-ref="authenticationSuccessHandler"
                authentication-failure-handler-ref="authenticationFailureHandler"
                />

        <security:intercept-url pattern="/api/**"/>
        <security:anonymous enabled="false"/>
        <security:logout logout-url="/logout" delete-cookies="JSESSIONID,sessionId"
                         success-handler-ref="logoutSuccessHandler"
                />
        <security:csrf disabled="true"/>

        <security:session-management session-authentication-strategy-ref="sessionAuthenticationStrategy"/>
    </security:http>

    <bean id="concurrentSessionFilter" class="***.***ConcurrentSessionFilter">
        <constructor-arg ref="***SessionRegistry"/>
        <constructor-arg ref="errorController"/>
    </bean>

    <bean id="sessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <constructor-arg>
            <list>
                <ref bean="registerSessionAuthenticationStrategy"/>
                <ref bean="concurrentSessionControlAuthenticationStrategy"/>
            </list>
        </constructor-arg>
    </bean>

    <bean id="registerSessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
        <constructor-arg name="sessionRegistry" ref="***SessionRegistry" />
    </bean>

    <bean id="concurrentSessionControlAuthenticationStrategy" class="***.web.security.***ConcurrentSessionControlAuthenticationStrategy">
        <constructor-arg name="sessionRegistry" ref="***SessionRegistry" />
        <constructor-arg name="logoutService" ref="logoutService"/>
        <property name="maximumSessions" value="1" />
    </bean>

    <!-- enable spring security annotation processing -->
    <security:global-method-security secured-annotations="enabled"/>

    <bean id="***LdapAuthenticationProvider" class="***.web.***LdapAuthProvider">
        <property name="url" value="${ldap.url}"/>
        <property name="filter" value="${ldap.filter}"/>
        <property name="domain" value="${ldap.domain}"/>
        <property name="dn" value="${ldap.dn}"/>
        <property name="ldapEnabled" value="${ldap.enable}"/>
    </bean>

    <security:authentication-manager>
        <security:authentication-provider ref="***LdapAuthenticationProvider"/>
        <security:authentication-provider user-service-ref="***UserDetailsService"/>
    </security:authentication-manager>

    <bean id="usersResource" class="org.springframework.core.io.ClassPathResource">
        <constructor-arg value="/users.properties" />
    </bean>

    <util:property-path id="usersResourceFile" path="usersResource.file" />

    <bean id="***UserDetailsService" class="***.web.security.***InMemoryUserDetailsManager">
        <constructor-arg index="0" ref="usersResourceFile"/>
    </bean>

我尝试了不同的方法,但我找不到从身份验证中排除某些特定 URL 的方法。

例如:

/api/url/available/without/login

即使用户未登录也应该可用。

附言

我已尝试应用此答案,但对我不起作用:

https://stackoverflow.com/a/5382178/2674303

更新

我累了

    ....
    <bean id="httpStatusEntryPoint" class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
        <constructor-arg value="UNAUTHORIZED"/>
    </bean>
    <security:http pattern="/api/url/available/without/login" security="none"/>
    <security:http auto-config="true" use-expressions="false" entry-point-ref="httpStatusEntryPoint">
    ....

但是当我尝试使用 - 这个网址仍然被锁定,我得到 401

因为这段代码:

 SecurityContext securityContext = SecurityContextHolder.getContext();
 Authentication authentication = securityContext.getAuthentication();
 if (authentication == null || !authentication.isAuthenticated()) {
       String name = authentication != null ? authentication.getName() : "";
       throw new BadCredentialsException("Could not find user " + name);
  }

抛出异常

【问题讨论】:

  • 链接的答案应该有效,您是否将&lt;http pattern="xxxx" security="none"/&gt; 放在security:http auto-config="true" 上方?
  • @RC 我更新了话题
  • 你能发布一个堆栈跟踪吗?
  • @RC。堆栈跟踪是什么意思?我没有看到异常
  • @RC。 org.springframework.security.authentication.BadCredentialsException

标签: java spring spring-security


【解决方案1】:

你只需要添加一个“默认”http拦截器:

<security:http xmlns="http://www.springframework.org/schema/security">
  <intercept-url pattern="/" access="permitAll()"/>
  <anonymous/>
  <csrf disabled="true"/>
</security:http>

在您当前的 security:http 标记之后。它将处理第一个 http 构造未处理的所有请求。

【讨论】:

  • org.springframework.beans.factory.parsing.BeanDefinitionParsingException:配置问题:无法建立 AuthenticationEntryPoint。请确保您已通过命名空间配置了登录机制(例如 form-login)或使用“entry-point-ref”属性指定自定义 AuthenticationEntryPoint |违规资源:类路径资源 [context-security.xml]跨度>
  • 好吧,尝试将添加到security标签中
  • 但是如果我想排除 5 个网址怎么办。我应该添加 5 个新的 security:http 标签吗?
  • 不,第一个 security:http 标签只处理对/api/** 的请求。第二个“默认”http 标签处理所有其他请求。如果您想保护一些新的 URL,则需要添加新的 http 标签(然后您需要将这些新的 https 标签放在“默认”之前)。
  • 如果添加带有特定 url BEFORE security:http标签的 security:http 标签实际上可以工作 /api/* *
猜你喜欢
  • 2022-10-19
  • 2014-03-07
  • 2016-03-16
  • 2011-03-24
  • 2014-06-18
  • 2016-06-03
  • 2020-08-09
  • 2016-07-15
  • 1970-01-01
相关资源
最近更新 更多