2017-06-06 70 views
0

我有一個Vaadin應用程序,使用spring安全OAuth2進行安全保護。除了臨時的PUSH或HEARTBEAT端點被用於首先請求並因此觸發認證過程並且用戶在錯誤的頁面上結束(這些端點不應該被用戶直接訪問)之外,這工作正常。spring security oauth2在重定向之前操縱請求url

一個簡單但不安全的修復方法是針對這些端點上的permitAll()。然而,由於這構成威脅,我需要關閉這個洞。

要做到這一點,我想解析並潛在地編輯請求url,然後重定向到successfull auth。我會如何去做這件事?

我想我需要在鏈中的某處添加一個過濾器來攔截請求並對其進行編輯。但我不知道在哪裏。

這裏是我的客戶:

@Configuration 
@EnableOAuth2Sso 
public class OAuthConfig extends WebSecurityConfigurerAdapter 
{ 

    @Override 
    protected void configure(HttpSecurity http) throws Exception 
    { 
     http.csrf().disable() 
       .authorizeRequests() 
       .antMatchers("/login**").permitAll() 
       .antMatchers("/vaadinServlet/PUSH/**").permitAll()   //todo fix this hole 
       .antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()  //todo fix this hole 
       .anyRequest().authenticated() 
       .and() 
       .logout() 
       .logoutSuccessUrl("/") 
       .logoutRequestMatcher(new AntPathRequestMatcher("/logout")); 

    } 

    @Override 
    public void configure(WebSecurity web) throws Exception 
    { 
     web.ignoring().antMatchers("/css/*").antMatchers("/VAADIN/**"); // Static resources are ignored 
    } 

} 

而且服務器:

@Configuration 
@EnableAuthorizationServer 
public class OAuth2Config extends AuthorizationServerConfigurerAdapter 
{ 
//jwt token stuff & my own client/auth providers. Should not be important. 
... 
} 

服務器登錄表單:

@Configuration 
public class WebSecurityConfig extends WebSecurityConfigurerAdapter 
{ 

    @Autowired 
    private RestAuthenticationProvider authenticationProvider; 

    @Override 
    public void configure(AuthenticationManagerBuilder auth) throws Exception 
    { 
     auth.authenticationProvider(authenticationProvider); 
    } 

    @Override 
    protected void configure(HttpSecurity http) throws Exception 
    { 
     http 
       .authorizeRequests() 
       .antMatchers(HttpMethod.GET, "/forgetPassword*").permitAll() 
       .antMatchers(HttpMethod.POST,"/user/resetPassword*").permitAll() 
       .antMatchers(HttpMethod.GET,"/user/changePassword*").permitAll() 
       .antMatchers("/user/updatePassword*", "/user/savePassword*", "/updatePassword*") 
       .hasAnyAuthority("CHANGE_PASSWORD_PRIVILEGE","ROLE_USER") 
       .anyRequest().authenticated() 
       .and() 
        .formLogin() 
        .loginPage("/login") 
        .permitAll() 
       .and() 
        .csrf().csrfTokenRepository(csrfTokenRepository()); 
    } 

    private CsrfTokenRepository csrfTokenRepository() 
    { 
     HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository(); 
     repository.setHeaderName("X-XSRF-TOKEN"); 
     return repository; 
    } 

} 

回答

0

只需添加一些實施與項目

1 : 創建驗證失敗處理器

@Component 
public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler { 


    @Override 
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException { 
     System.out.print("here failure"); 



     String s=request.getParameter("username"); 
     setDefaultFailureUrl("/login?error&username="+s); 
     super.onAuthenticationFailure(request,response,exception); 
    } 

} 

2:身份驗證成功處理程序

@Component 
public class CustomAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler { 

    @Override 
    public void onAuthenticationSuccess(HttpServletRequest request , HttpServletResponse response, Authentication authentication) throws IOException, ServletException { 
     /* custom Block 
Do any thing here 
    */ 

     setDefaultTargetUrl("/home/"); 
     super.onAuthenticationSuccess(request,response,authentication); 
    } 
} 

3:訪問​​請求切入點

@Component 
public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint { 
    @Override 
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException { 
     System.out.print("Unauthorized Access"); 

     httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED); 
    } 
} 

實現組件按您的要求。

+0

感謝您的回答,但是您能否澄清這些用途?我應該將這些添加到服務器還是客戶端?如果用戶服務沒有被使用,爲什麼你會自動裝入這些用戶服務? –

+0

是的,我看到你刪除了userservice ..但我仍然不知道如何使用這個答案。我認爲成功處理者將是我真正需要的唯一部分,但我不知道在哪裏添加它。 –

+0

按照我的示例在組件掃描目錄下創建這些類,然後在導航的時間和地點調試項目。 –

相關問題