2012-05-09 50 views
3

My application is built as ROOT.war, which basically means I have no context root other than /. Some pages need to be secured, but some URLs do not; for example my http://localhost:8080/ serves the home page of this application, and there are similar pages like about us, contact us, etc. where security is not needed. So I added this to the configuration to apply security=none to the context root and static resources (Spring Security version 3.1):

    <security:intercept-url pattern="/" access="permitAll" />
    <security:intercept-url pattern="/resources/**" access="permitAll" />
    <security:intercept-url pattern="/register/confirm" access="isAuthenticated()" />
    <security:intercept-url pattern="/register/accept" access="isAuthenticated()" />
    <security:intercept-url pattern="/shopper/**" access="isAuthenticated()" />

But this only says that users may access these URLs "without authentication"; when you hit these URLs all the security filters are still applied, as the debug log below shows:
DEBUG: org.springframework.security.web.FilterChainProxy -/at position 1 of 12 in additional filter chain; firing Filter: 'ConcurrentSessionFilter' 
DEBUG: org.springframework.security.web.FilterChainProxy -/at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists 
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created. 
DEBUG: org.springframework.security.web.FilterChainProxy -/at position 3 of 12 in additional filter chain; firing Filter: 'LogoutFilter' 
DEBUG: org.springframework.security.web.FilterChainProxy -/at position 4 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' 
DEBUG: org.springframework.security.web.FilterChainProxy -/at position 5 of 12 in additional filter chain; firing Filter: 'OpenIDAuthenticationFilter' 
DEBUG: org.springframework.security.web.FilterChainProxy -/at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter' 
DEBUG: org.springframework.security.web.FilterChainProxy -/at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 
DEBUG: org.springframework.security.web.FilterChainProxy -/at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 
DEBUG: org.springframework.security.web.FilterChainProxy -/at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 
DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.sprin[email protected]9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' 
DEBUG: org.springframework.security.web.FilterChainProxy -/at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter' 
DEBUG: org.springframework.security.web.FilterChainProxy -/at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 
DEBUG: org.springframework.security.web.FilterChainProxy -/at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 
DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/'; against '/' 
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /; Attributes: [permitAll] 
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.sprin[email protected]9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS 
DEBUG: org.springframework.security.access.vote.AffirmativeBased - Voter: org.sp[email protected]2b06c17b, returned: 1 
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Authorization successful 
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object 
DEBUG: org.springframework.security.web.FilterChainProxy -/reached end of additional filter chain; proceeding with original chain 
DEBUG: org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'appServlet' processing GET request for [/]

When I try to use this configuration (given in the sequence below):

<!-- No Security required for the ROOT Context -->
<security:http pattern="/**" security="none" />

<!-- Apply security for shopper URLs -->
<security:http auto-config="true" use-expressions="true" access-denied-page="/denied">
    <security:intercept-url pattern="/" access="permitAll" />
    <security:intercept-url pattern="/resources/**" access="permitAll" />
    <security:intercept-url pattern="/register/confirm" access="isAuthenticated()" />
    <security:intercept-url pattern="/register/accept" access="isAuthenticated()" />
    <security:intercept-url pattern="/shopper/**" access="isAuthenticated()" />
    ....
</security:http>

<security:http pattern="/resources/**" security="none" />

it breaks with this error:

DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/auth/login'; against '/' 
DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/auth/login'; against '/resources/**' 
DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/auth/login'; against '/register/confirm' 
DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/auth/login'; against '/register/accept' 
DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/auth/login'; against '/shopper/**' 
DEBUG: org.springframework.security.config.http.DefaultFilterChainValidator - No access attributes defined for login page URL 
INFO : org.springframework.beans.factory.support.DefaultListableBeanFactory - Destroying singletons in org.s[email protected]5bebacc8: defining beans [placeholderConfig,dataSource,entityManagerFactory,org.springframework.aop.config.internalAutoProxyCreator,org.springframework.transaction.annotation.AnnotationTransactionAttributeSource#0,org.springframework.transaction.interceptor.TransactionInterceptor#0,org.springframework.transaction.config.internalTransactionAdvisor,transactionManager,org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor#0,registrationService,shopperService,org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.internalPersistenceAnnotationProcessor,org.springframework.security.filterChains,org.springframework.security.filterChainProxy,org.springframework.security.web.PortMapperImpl#0,org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0,org.springframework.security.authentication.ProviderManager#0,org.springframework.security.web.context.HttpSessionSecurityContextRepository#0,org.springframework.security.core.session.SessionRegistryImpl#0,org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy#0,org.springframework.security.web.savedrequest.HttpSessionRequestCache#0,org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler#0,org.springframework.security.access.vote.AffirmativeBased#0,org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0,org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator#0,org.springframework.security.authentication.AnonymousAuthenticationProvider#0,org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint#0,org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0,org.springframework.security.openid.OpenIDAuthenticationFilter#0,org.springframework.security.openid.OpenIDAuthenticationProvider#0,org.springframework.security.userDetailsServiceFactory,org.springframework.security.web.DefaultSecurityFilterChain#0,org.springframework.security.web.DefaultSecurityFilterChain#1,org.springframework.security.authentication.dao.DaoAuthenticationProvider#0,org.springframework.security.authentication.DefaultAuthenticationEventPublisher#0,org.springframework.security.authenticationManager,passwordEncoder,registrationAwareUserDetailsService,registrationAwareAuthSuccessHandler,org.springframework.context.annotation.ConfigurationClassPostProcessor$ImportAwareBeanPostProcessor#0]; root of factory hierarchy
INFO : org.hibernate.impl.SessionFactoryImpl - closing 
ERROR: org.springframework.web.context.ContextLoader - Context initialization failed 
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration 

I really don't understand the reason behind this. Do I have to implement my own request pattern matcher?

Solution

<beans:bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <beans:constructor-arg>
        <beans:list>
            <security:filter-chain pattern="/resources/**" filters="none" />
            <security:filter-chain pattern="/aboutus" filters="none" />
            <security:filter-chain pattern="/contactus" filters="none" />
            <security:filter-chain pattern="/news" filters="none" />
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

Answers

4

security="none" with the pattern /** catches all URLs, so no other rule can apply. That is the reason you get the error in the second example.

But it is possible to define different filter chains for different URL patterns. I don't have an example of this in the new syntax, but here is what I use in the old syntax (the order of the filter chains matters):

<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy"> 
    <sec:filter-chain-map path-type="ant"> 
     <sec:filter-chain pattern="/dwr/**" filters="securityContextPersistenceFilter,securityContextHolderAwareRequestFilter,rememberMeAuthenticationFilter,anonymousAuthenticationFilter" /> 
     <sec:filter-chain pattern="/**" filters="channelProcessingFilter,securityContextPersistenceFilter,logoutFilter,authenticationFilter,securityContextHolderAwareRequestFilter,rememberMeAuthenticationFilter,anonymousAuthenticationFilter,sessionManagementFilter,exceptionTranslationFilter,filterSecurityInterceptor,switchUserProcessingFilter" /> 
    </sec:filter-chain-map> 
</bean> 
+0

**Update:** Following your answer I removed the first block, i.e. <!-- No Security required for the ROOT Context -->; the second one, i.e. the resources config, is still there; but I still get the same error. –

+0

You say you get the same message, containing the phrase 'A universal match pattern ('/**') is defined before other patterns'? Maybe you forgot to redeploy? –

+0

Exactly; there are some URLs where I don't want any kind of filter applied; I consider that an unnecessary step in request processing and want to eliminate it. –
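To make the ordering rule behind that error concrete, here is an added Python simulation (not Spring's code and not from the original post) of how FilterChainProxy chooses a chain: the first pattern that matches the request wins, so a universal /** declared first shadows everything after it. The chain labels and request paths are constructed for this example; the two chain lists mirror the question's failing config and the final answer.

```python
import re

# Constructed simulation of FilterChainProxy chain selection (not Spring's own
# code): the first <security:http> whose Ant pattern matches the request wins,
# so a universal "/**" listed first shadows every chain declared after it.


def ant_to_regex(pattern):
    """Translate an Ant-style pattern ('/**', '*', '?') into an anchored regex."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out += "(/.*)?"   # zero or more whole path segments
            i += 3
        elif pattern[i] == "*":
            out += "[^/]*"    # any characters within a single segment
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def check_order(chains):
    """Mirror the validator check behind the question's error: a universal
    '/**' chain anywhere but last makes the later chains unreachable. Returns
    the error message (Spring raises IllegalArgumentException) or None."""
    for idx, (pattern, _) in enumerate(chains):
        if pattern == "/**" and idx < len(chains) - 1:
            return ("A universal match pattern ('/**') is defined before "
                    "other patterns in the filter chain")
    return None


def select_chain(chains, path):
    """Return the label of the first chain matching `path`, or None when no
    chain matches (Spring then runs the request with no security filters)."""
    for pattern, label in chains:
        if ant_to_regex(pattern).match(path):
            return label
    return None


# Chain lists built from the question's failing config and the final answer.
# Labels are chosen here; an <http> block with no pattern attribute is "/**".
BROKEN_ORDER = [("/**", "none"), ("/**", "secured"), ("/resources/**", "none")]
WORKING_ORDER = [("/", "none"), ("/aboutus", "none"), ("/resources/**", "none"),
                 ("/favicon.ico", "none"), ("/admin/**", "secured")]
```

With BROKEN_ORDER every request, /shopper/cart included, would land on the unsecured chain if the validator did not reject the configuration first. With WORKING_ORDER a path that matches no pattern, such as /shopper/cart, resolves to None, which in Spring means the request is served with no security filters at all, so every URL that must be protected needs a chain of its own.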

3

Update:

Here is the syntax I finally chose to stick with, because it makes the XML easier to read and understand:

<!-- Non secure URLs --> 
<security:http pattern="/" security='none' /> 
<security:http pattern="/home" security='none' /> 
<security:http pattern="/aboutus" security='none' /> 
... 
... 
<security:http pattern="/resources/**" security='none' /> 
<security:http pattern="/favicon.ico" security='none' /> 

<!-- URLs under security config --> 
<security:http auto-config="true" use-expressions="true" pattern="/admin/**" access-denied-page="/denied">
    <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https" />
</security:http>

Hope this helps.
