【发布时间】:2014-03-03 22:07:56
【问题描述】:
所以我有一个使用 spring-security-core:1.2.7.3 的标准 grails 2.2.1 应用程序。我有一个自定义过滤器,用于验证应用程序受限部分的密码。
如果我点击另一个受限 URL,我可以看到 spring 过滤器链抛出以下异常
Secure object: FilterInvocation: URL: /list; Attributes: [ROLE_USER]
如果用户尚未登录,这是正确的,因为他们还没有分配角色。其他过滤器,即 /landing URL 正在限制访问。但是,当用户点击 URL 时,这不会被抛出
/press/meta
应用程序是这样配置的;
Config.groovy
grails.plugins.springsecurity.interceptUrlMap = [
'/landing/**': ['ROLE_USER','ROLE_ADMIN'],
'/press/**': ['ROLE_USER','ROLE_ADMIN'],
'/list/**': ['ROLE_USER'],
'/**': ['IS_AUTHENTICATED_ANONYMOUSLY']
]
UrlMappings.groovy
"/$controller/$action?/$id?"{
constraints {
// apply constraints here
}
}
"/press/meta" ( view:"/meta/index" )
我的所有控制器和应用程序功能都按预期工作,但是当我点击 URL 时
http://localhost:8080/WebSite/press/meta?pass=password1
即使用户未登录,它也不会限制访问。但自定义过滤器会验证密码,如果正确,将允许用户继续。如果创建密码,过滤器返回真/假。
日志如下所示;
06,02 18:41:51:097 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/press/meta'; to: '/press/meta'
06,02 18:41:51:098 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - Candidate is: '/press/meta'; pattern is /**; matched=true
06,02 18:41:51:098 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?pass=password at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
06,02 18:41:51:099 [http-bio-8080-exec-1] DEBUG context.HttpSessionSecurityContextRepository - No HttpSession currently exists
06,02 18:41:51:099 [http-bio-8080-exec-1] DEBUG context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
06,02 18:41:51:100 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 2 of 8 in additional filter chain; firing Filter: 'MutableLogoutFilter'
06,02 18:41:51:100 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 3 of 8 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
06,02 18:41:51:101 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 5 of 8 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
06,02 18:41:51:102 [http-bio-8080-exec-1] DEBUG authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faaf9b0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
06,02 18:41:51:103 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
06,02 18:41:51:103 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
06,02 18:41:51:115 [http-bio-8080-exec-1] DEBUG intercept.FilterSecurityInterceptor - Public object - authentication not attempted
06,02 18:41:51:116 [http-bio-8080-exec-1] DEBUG web.FilterChainProxy - /press/meta?secret=secret1 reached end of additional filter chain; proceeding with original chain
06,02 18:41:51:151 [http-bio-8080-exec-1] DEBUG portal.AdminFilters - Admin secret matched, proceeding
06,02 18:41:51:553 [http-bio-8080-exec-1] DEBUG access.ExceptionTranslationFilter - Chain processed normally
我正在尝试找出这里的最佳实践,或者在自定义过滤器中执行一些弹簧安全逻辑,如果用户没有正确的角色抛出异常,但我宁愿让 config.groovy 管理这个!
感谢任何帮助或建议。
J
【问题讨论】:
-
您是否尝试在 Config.groovy 中为 "/press/meta" 添加自定义规则?
标签: spring grails filter spring-security