I am using Spring Security 3.2.5 in a GWT application. I need fine-grained control over security, so I am using the configuration below rather than the element. Equivalent of (requires-channel="https") when using <filter-chain> tags:
<beans:bean id="springSecurityFilterChain"
    class="org.springframework.security.web.FilterChainProxy">
    <beans:constructor-arg>
        <beans:list>
            <filter-chain pattern="/css/**" filters="none" />
            <filter-chain pattern="/image/**" filters="none" />
            <filter-chain pattern="/index.jsp" filters="none" />
            <filter-chain pattern="/**/logout" filters="logoutFilter" />
            <filter-chain pattern="/**"
                filters="securityContextPersistenceFilterWithASCTrue, concurrentSessionFilter, usernamePasswordAuthenticationFilter, exceptionTranslationFilter, filterSecurityInterceptor" />
        </beans:list>
    </beans:constructor-arg>
</beans:bean>
I have omitted the implementation of the specific filters.
I need to force https on the filter chain above, as is done with the tag in the example below:
<security:intercept-url pattern="/reports" access="ROLE_ADMIN" requires-channel="https"/>
How can I do this?
EDIT 1: Adding the ChannelProcessingFilter
Following @luke's answer, I modified the code so that the channel filter is in the first position of the filter chain:
<filter-chain pattern="/**"
    filters="channelProcessingFilter, securityContextPersistenceFilterWithASCTrue, ..." />
I also added the following bean configuration:
<!-- Ensure https channel -->
<beans:bean id="filterSecurityInterceptor"
    class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
    <beans:property name="securityMetadataSource">
        <filter-security-metadata-source>
            <intercept-url pattern="/**" access="ROLE_USER" />
        </filter-security-metadata-source>
    </beans:property>
</beans:bean>
<beans:bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
    <beans:property name="channelDecisionManager" ref="channelDecisionManager"/>
    <beans:property name="securityMetadataSource">
        <filter-security-metadata-source request-matcher="ant">
            <intercept-url pattern="/**" access="REQUIRES_SECURE_CHANNEL"/>
        </filter-security-metadata-source>
    </beans:property>
</beans:bean>
<beans:bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
    <beans:property name="channelProcessors">
        <beans:list>
            <beans:ref bean="secureChannelProcessor"/>
            <beans:ref bean="insecureChannelProcessor"/>
        </beans:list>
    </beans:property>
</beans:bean>
<beans:bean id="secureChannelProcessor" class="org.springframework.security.web.access.channel.SecureChannelProcessor" />
<beans:bean id="insecureChannelProcessor" class="org.springframework.security.web.access.channel.InsecureChannelProcessor" />
The problem now is that I get an infinite loop after my login form is submitted over HTTP. Of course that is the situation I want to avoid, but an infinite loop is not right. Here is the relevant log:
DEBUG o.s.s.w.FilterChainProxy 337 - /j_spring_security_check at position 1 of 6 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
DEBUG o.s.s.w.a.c.ChannelProcessingFilter 134 - Request: FilterInvocation: URL: /j_spring_security_check; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
2014-10-30 19:47:10565 DEBUG o.s.s.w.a.c.RetryWithHttpsEntryPoint 55 - Redirecting to: /j_spring_security_check
2014-10-30 19:47:10567 DEBUG o.s.s.w.DefaultRedirectStrategy 36 - Redirecting to '/j_spring_security_check'
Any ideas?
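An added configuration example (not part of the question and not code from the Spring Security project) that addresses what the log above shows: the redirect target is the bare path `/j_spring_security_check`, with no scheme, host or port. In Spring Security 3.2, `RetryWithHttpsEntryPoint` (through `AbstractRetryEntryPoint`) only prefixes `https://host:port` to the redirect when its `PortMapper` has a mapping for the port the request arrived on; the default `PortMapperImpl` knows only 80 to 443 and 8080 to 8443. A request arriving on any other HTTP port is therefore redirected to the same path on the same scheme, which the channel filter rejects again. The beans below wire an explicit `PortMapperImpl` into both retry entry points and replace the two one-line `secureChannelProcessor` / `insecureChannelProcessor` definitions from the question; everything else (`channelProcessingFilter`, `channelDecisionManager`) stays as shown. The ports 8888 and 8443 are placeholders for the HTTP and HTTPS ports the embedded Jetty actually listens on.

```xml
<!-- Added example, not from the question. Explicit port mapping so that the
     https redirect carries a scheme, host and port. 8888 and 8443 are
     placeholders for the real HTTP and HTTPS listener ports of the server. -->
<beans:bean id="portMapper"
    class="org.springframework.security.web.PortMapperImpl">
    <beans:property name="portMappings">
        <beans:map>
            <beans:entry key="8888" value="8443" />
        </beans:map>
    </beans:property>
</beans:bean>

<!-- Entry point used when REQUIRES_SECURE_CHANNEL is hit over http.
     Without a mapping for the incoming port it redirects to the bare path
     on the same scheme, which is the loop seen in the log. -->
<beans:bean id="retryWithHttpsEntryPoint"
    class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
    <beans:property name="portMapper" ref="portMapper" />
</beans:bean>

<!-- Entry point used when REQUIRES_INSECURE_CHANNEL is hit over https;
     it uses the same mapping in reverse (8443 -> 8888). -->
<beans:bean id="retryWithHttpEntryPoint"
    class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
    <beans:property name="portMapper" ref="portMapper" />
</beans:bean>

<!-- Replace the two one-line processor beans from the question with these,
     so the processors use the entry points configured above. -->
<beans:bean id="secureChannelProcessor"
    class="org.springframework.security.web.access.channel.SecureChannelProcessor">
    <beans:property name="entryPoint" ref="retryWithHttpsEntryPoint" />
</beans:bean>
<beans:bean id="insecureChannelProcessor"
    class="org.springframework.security.web.access.channel.InsecureChannelProcessor">
    <beans:property name="entryPoint" ref="retryWithHttpEntryPoint" />
</beans:bean>
```

A quick check that the mapping is in effect: after the change, the `RetryWithHttpsEntryPoint` line in the debug log should read `Redirecting to: https://<host>:8443/j_spring_security_check` (with the real host and port) instead of the bare path. Note also that `REQUIRES_SECURE_CHANNEL` on `/**` cannot protect credentials that were already posted over plain HTTP: the redirect fires only after the `/j_spring_security_check` POST has arrived in the clear, so the page that serves the login form itself should not sit in a `filters="none"` chain that is reachable over HTTP.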
Hi @luke. I get an infinite loop at 'RetryWithHttpsEntryPoint 55 - Redirecting to: /j_spring_security_check'. Please have a look at my edit above – Taka 2014-10-30 18:40:07
Do you have HTTPS set up correctly? I.e., can you access the application over HTTPS and log in without the extra filters? – 2014-10-30 21:14:47
Yes, I removed the _channelProcessingFilter_ and I can log in using https. I also tested putting the _channelProcessingFilter_ back, and I can access it over plain http. Is all of this normal? By the way, the server is the Jetty embedded in the GWT Eclipse plugin – Taka 2014-10-31 08:16:16