突然之間,我的應用程序的安全性被破壞了。它與antMatchers.(<patterns>).permitAll()
中的模式不匹配,並且正在嘗試對所有網址進行身份驗證。下面的代碼Spring Security:antMatchers不符合URL模式
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(preauthAuthProvider());
}
@Bean
public PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider();
preauthAuthProvider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
return preauthAuthProvider;
}
@Bean
public HeaderPreAuthProcessingFilter ssoFilter() throws Exception {
HeaderPreAuthProcessingFilter filter = new HeaderPreAuthProcessingFilter();
filter.setPrincipalRequestHeader("user_id");
CustomUserDetailsService userDetSer = new CustomUserDetailsService();
userDetSer.setUserService(userService);
filter.setExceptionIfHeaderMissing(false);
filter.setCustomUserDetailsService(userDetSer);
filter.setAuthenticationManager(authenticationManager());
return filter;
}
@Bean
public UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper() {
CustomUserDetailsService userDetSer = new CustomUserDetailsService();
userDetSer.setUserService(userService);
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<>();
wrapper.setUserDetailsService(userDetSer);
return wrapper;
}
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.addFilterBefore(ssoFilter(), RequestHeaderAuthenticationFilter.class)
.authenticationProvider(preauthAuthProvider());
httpSecurity
.exceptionHandling()
.authenticationEntryPoint(httpAuthenticationEntryPoint)
.and()
.authorizeRequests()
.antMatchers("/resources/**", "/", "/applogin", "/login", "/logout", "/verify**", "/verify/**", "/pub/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/signin")
.loginProcessingUrl("/signin")
.failureUrl("/signin?error")
.permitAll()
.successHandler(authSuccessHandler)
.failureHandler(authFailureHandler)
.and()
.logout()
.logoutUrl("/signout").invalidateHttpSession(true).permitAll()
.logoutSuccessHandler(logoutSuccessHandler)
.and()
.csrf().disable();
}
我正在嘗試訪問{{url}}/applogin
。下面是日誌
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 17458 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
DEBUG 17458 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]49168180
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', GET]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'GET /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', POST]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/applogin'; against '/signout'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', PUT]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'PUT /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', DELETE]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'DELETE /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 5 of 12 in additional filter chain; firing Filter: 'HeaderPreAuthProcessingFilter'
INFO 17458 --- [nio-8080-exec-1] t.l.c.w.HeaderPreAuthProcessingFilter : Authenticating [POST /applogin]
...
< application logs >
...
DEBUG 17458 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG 17458 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Successfully completed request
我使用Spring Security的4.2.1版
你改變了什麼?我會說,它從來沒有奏效。認證和授權有區別。你的'HeaderPreAuthProcessingFilter'使認證(這太寬泛了)和Spring進行授權(如你的配置中配置)。 – dur
所以你說的代碼是越野車?實際上應用程序已經運行了一年多了,但幾個星期前我已經掌握了它。爲了改進代碼標準,我對代碼進行了一些更改。但我對Spring的安全性並不強。因此,問題。 – shyam
沒有什麼比'HeaderPreAuthProcessingFilter'中的一些重構。 – shyam