【Title】: Issues along migrating a comprehensive spring security xml based configuration (2.0.4) to java based configuration (4.2)
【Posted】: 2020-07-16 08:56:42
【Question】:

In Spring Security 2.0.4 the declaration looked like the following, and the position of each filter was declared in the individual bean declarations...

Old Security.xml

<sec:http session-fixation-protection="migrateSession">
    <sec:intercept-url pattern="/login.hm*" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/services/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/widget/**" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/istore/theme/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/logout.hm*" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/mstore/theme/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/history*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/consumer_goods*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/electronics*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/accessories*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/reward_redemption*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/**" access="ROLE_UU,ROLE_SSS" requires-channel="https"/>
    <sec:form-login
            login-page="${login.url}"
            login-processing-url="${login.processing.url}"
            default-target-url="${setuppassword.page.url}"
            authentication-failure-url="${login.failure.url}" always-use-default-target="false" />
</sec:http>

Spring Security: how to exclude certain resources?

https://www.baeldung.com/security-none-filters-none-access-permitAll

The main problem is that for certain URL patterns the filters are not excluded, and for the other patterns the filters are not set in a more precise way.

PS: we also have HDIV, which is part of the migration as well.

  1. How do we configure the filters and the chain order for specific URLs, and ignore certain URLs?
  2. Is Java-based configuration better, or XML?

Startup log

INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'characterEncodingFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'httpPutFormContentFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'requestContextFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'springSecurityFilterChain' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'sitemesh' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'CustomSecurityHeaderFilter' to urls: []
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'HttpOnlyCookieFilter' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'ValidatorFilter' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'org.springframework.security.filterChainProxy' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter:'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'httpOnlyCookieFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'logoutFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'iStoreFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'loginFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'preLoginFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: '_formLoginFilter' to: [/*]

【Discussion】:

    Tags: spring spring-boot filter spring-security hdiv


    【Answer 1】:

    I asked the question below earlier; it was deleted for lacking focus, so I am asking it again and answering it myself, because I think it may be useful to others as well.

    https://stackoverflow.com/questions/60221667/custom-filters-being-called-by-spring-and-mapped-to-even-after-specifying-se

    For a migration to Spring Security version 3 and above, you can simply extend WebSecurityConfigurerAdapter and override its methods, using the builder pattern for Java-based configuration, which is simpler, more granular and easier:

    1. First, add the URL patterns with their roles, the authentication provider, the authentication handlers (success/failure), logout, the logout handlers, the session management configuration, the set of filters with their defined positions, and so on.
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/istore/link.jsp").hasAnyAuthority("UU", "SSS")
                    .antMatchers("/istore/**/*.jsp").hasAuthority("RESTRICT")
                    .antMatchers("/mstore/**/*.jsp").hasAuthority("RESTRICT")
                    .antMatchers("/istore/card*").hasAuthority("UU")
                    .antMatchers("/istore/history*").hasAuthority("UU")
                    .antMatchers("/istore/orders*").hasAuthority("UU")
                    .antMatchers("/istore/consumer_goods*").hasAuthority("UU")
                    .antMatchers("/istore/electronics*").hasAuthority("UU")
                    .antMatchers("/istore/reward_redemption*").hasAuthority("UU")
                    .antMatchers("/istore/accessories*").hasAuthority("UU")
                    .antMatchers("/istore/privelege_card*").hasAuthority("UU")
                    .antMatchers("/istore/profile*").hasAuthority("UU")
                    .antMatchers("/istore/reward_redemption*").hasAuthority("UU")
                    .antMatchers("/istore/addresses*").hasAuthority("UU")
                    .antMatchers("/istore/**").hasAuthority("UU")
                    .and()
                    .formLogin()
                    .loginPage("/login.hm")
                    .failureUrl("/login.hm?err=1")
                    .loginProcessingUrl("/istore_check.hm")
                    .and()
                    .authenticationProvider(authProvider)
                    .logout()
                    .and()
                    .csrf().disable()
                    .addFilterBefore(iStoreFilter, ChannelProcessingFilter.class)
                    .addFilterAfter(loginFilter, BasicAuthenticationFilter.class)
                    .addFilterAt(logoutFilter, org.springframework.security.web.authentication.logout.LogoutFilter.class)
                    .addFilterAt(authenticationProcessingFilter, UsernamePasswordAuthenticationFilter.class)
                    .sessionManagement().sessionFixation().migrateSession();
        }
    
    2. Second, ignore the security filters of the Spring Security filter chain for specific URL patterns.
        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/services/**")
                    .antMatchers(HttpMethod.GET,"/monitor/health")
                    .antMatchers(HttpMethod.GET,"/widget/**")
                    .antMatchers(HttpMethod.GET,"/login.hm*")
                    .antMatchers(HttpMethod.GET,"/istore/login.jsp")
                    .antMatchers(HttpMethod.GET,"/istore/logout.jsp")
                    .antMatchers(HttpMethod.GET,"/registration.hm*")
                    .antMatchers(HttpMethod.GET,"/tnc.hm*")
                    .antMatchers(HttpMethod.GET,"/istore/clicktochat/**")
                    .antMatchers(HttpMethod.GET,"/logout.hm")
                    .antMatchers(HttpMethod.GET,"/istore/theme/**")
                    .antMatchers(HttpMethod.GET,"/mstore/theme/**")
                    .antMatchers(HttpMethod.GET,"/js/**")
                    .antMatchers(HttpMethod.GET,"/breeze/**")
                    .antMatchers(HttpMethod.GET,"/resources/**")
                    .antMatchers(HttpMethod.GET,"/crossdomain.xml");
        }
    
    3. Third, make the authentication manager bean available. It was previously available as _authenticationManager, but now it is declared as a bean, as below, to be injected into the AbstractAuthenticationProcessingFilter implementation (formerly AbstractProcessingFilter).
        @Override
        @Bean (name ="authenticationManagerBean")
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }
    

    PS: keep in mind that for migrations from version 3 and below, which have XML-based configuration, you should check your web.xml, because servlet and filter registration is an important part; if it is not done precisely, you will find yourself debugging elsewhere. If HDIV is in use, remove it and migrate it in parallel rather than together.

    【Discussion】:
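The three steps in the answer map the old security.xml onto Java config, but two details of the XML are worth keeping in view when doing the same migration: `filters="none"` (now `web.ignoring()`) takes a request out of the security chain entirely, so it receives no security headers, no session handling and no channel check, whereas `permitAll()` keeps the request inside the chain and only skips authorization; and every rule in the XML carried `requires-channel="https"`, which has a chain-wide equivalent in `requiresChannel()`. The following is an added example, not code from the question or the answer: a Spring Security 4.2 configuration written against the XML shown above, with only static GET resources ignored and public pages handled by `permitAll()`, plus a startup listener that prints the resulting filter chains so the order of custom filters (question 1) can be verified instead of inferred from the FilterRegistrationBean log lines. The package name, the `ChainInspector` class and the existence of beans named `iStoreFilter`, `loginFilter` and `authProvider` are assumptions.

```java
// Added example (not code from the question or the answer): Spring Security 4.2
// Java config mirroring the old security.xml, plus a startup listener that logs
// the resulting filter chains. Assumed: the package, the ChainInspector class,
// and that beans named iStoreFilter, loginFilter and authProvider exist.
package com.example.security;

import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.ApplicationListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Same property keys as the ${...} placeholders in the old XML.
    @Value("${login.url}") private String loginUrl;
    @Value("${login.processing.url}") private String loginProcessingUrl;
    @Value("${login.failure.url}") private String loginFailureUrl;
    @Value("${setuppassword.page.url}") private String defaultTargetUrl;
    @Autowired private AuthenticationProvider authProvider; // assumed bean
    @Autowired private Filter iStoreFilter;                 // assumed custom filter bean
    @Autowired private Filter loginFilter;                  // assumed custom filter bean

    // filters="none" equivalent: these requests never enter the security chain, so they
    // get no security headers, session handling or channel check. Static GET resources only.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring()
           .antMatchers(HttpMethod.GET, "/istore/theme/**", "/mstore/theme/**", "/widget/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // every rule in the XML carried requires-channel="https": one chain-wide rule
            .requiresChannel().anyRequest().requiresSecure()
            .and()
            .authorizeRequests()
                // public pages stay inside the chain (permitAll) instead of being ignored
                .antMatchers("/login.hm*", "/logout.hm*", "/services/**").permitAll()
                // hasRole("UU") matches the authority ROLE_UU used in the XML
                .antMatchers("/istore/history*", "/istore/consumer_goods*", "/istore/electronics*",
                             "/istore/accessories*", "/istore/reward_redemption*").hasRole("UU")
                .antMatchers("/istore/**").hasAnyRole("UU", "SSS")
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage(loginUrl)
                .loginProcessingUrl(loginProcessingUrl)
                .defaultSuccessUrl(defaultTargetUrl, false) // always-use-default-target="false"
                .failureUrl(loginFailureUrl)
            .and()
            .logout()
            .and()
            .sessionManagement().sessionFixation().migrateSession()
            .and()
            .authenticationProvider(authProvider)
            // explicit positions replace the per-bean position attributes of the old config
            .addFilterBefore(iStoreFilter, ChannelProcessingFilter.class)
            .addFilterAfter(loginFilter, UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    @Bean(name = "authenticationManagerBean")
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

/** Startup check (assumed helper): print every security filter chain and its filter order. */
@Component
class ChainInspector implements ApplicationListener<ContextRefreshedEvent> {
    @Override
    public void onApplicationEvent(ContextRefreshedEvent event) {
        Object bean = event.getApplicationContext().getBean("springSecurityFilterChain");
        if (!(bean instanceof FilterChainProxy)) {
            return; // wrapped in DebugFilter when @EnableWebSecurity(debug = true)
        }
        for (SecurityFilterChain chain : ((FilterChainProxy) bean).getFilterChains()) {
            System.out.println("chain " + chain + ":"); // ignored patterns: empty filter list
            for (Filter f : chain.getFilters()) {
                System.out.println("  " + f.getClass().getSimpleName());
            }
        }
    }
}
```

On startup the listener prints one chain per `web.ignoring()` pattern with an empty filter list, followed by the main chain in execution order; that output is the place to confirm that `iStoreFilter` really sits before `ChannelProcessingFilter` and `loginFilter` after `UsernamePasswordAuthenticationFilter`. Choosing `permitAll()` rather than `web.ignoring()` for `/services/**` keeps the HTTPS requirement and the response security headers on those endpoints, which the `filters="none"` attribute in the old XML silently dropped.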
