如何用Spring Security和SSL忽略一些路径？

这是我的Spring配置：如何用Spring Security和SSL忽略一些路径？

import org.springframework.context.annotation.Bean; 
import org.springframework.context.annotation.Configuration; 
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; 
import org.springframework.security.config.annotation.web.builders.HttpSecurity; 
import org.springframework.security.config.annotation.web.builders.WebSecurity; 
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; 
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 
import org.springframework.security.config.http.SessionCreationPolicy; 
import org.springframework.security.core.authority.AuthorityUtils; 
import org.springframework.security.core.userdetails.User; 
import org.springframework.security.core.userdetails.UserDetails; 
import org.springframework.security.core.userdetails.UserDetailsService; 
import org.springframework.security.core.userdetails.UsernameNotFoundException; 

@Configuration 
@EnableWebSecurity 
@EnableGlobalMethodSecurity(prePostEnabled = true) 
public class X509Configuration extends WebSecurityConfigurerAdapter { 

    @Override 
    public void configure(WebSecurity web) throws Exception { 
     web.ignoring().antMatchers("/ws/items.wsdl"); 
    } 

    @Override 
    public void configure(final HttpSecurity http) throws Exception { 
     http 
      .sessionManagement() 
       .sessionCreationPolicy(SessionCreationPolicy.NEVER) 
       .and() 
      .authorizeRequests() 
       .antMatchers("/ws/items.wsdl").permitAll() 
       .and() 
      // require authorization for everything else 
      .authorizeRequests() 
       .anyRequest().authenticated() 
       .and() 
      .x509() 
       .subjectPrincipalRegex("CN=(.*?)(?:,|$)") 
       .userDetailsService(userDetailsService()) 
       .and() 
      .csrf().disable() 

      // configure form login 
      .formLogin().disable() 

      // configure logout 
      .logout().disable(); 
    } 

    @Bean 
    public UserDetailsService userDetailsService() { 
     return new UserDetailsService() { 
      @Override 
      public UserDetails loadUserByUsername(String username) { 
       if (username.equals("cid")) { 
        return new User(username, "", 
         AuthorityUtils 
           .commaSeparatedStringToAuthorityList("ROLE_USER")); 
       } 
       throw new UsernameNotFoundException("User not found!"); 
      } 
     }; 
    } 
}

这些SSL设置：

server: 
    port: 8443 
    ssl: 
    enabled: true 
    key-store: 'classpath:keystore.jks' 
    key-store-password: 'changeit' 
    key-password: 'changeit' 
    trust-store: 'classpath:truststore.jks' 
    trust-store-password: 'changeit' 
    client-auth: need

我想是忽略SSL或允许我所有的WSDL网站。但使用此配置它不起作用。我收到以下错误：

http https://localhost:8443/ws/items.wsdl http: error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645) while doing GET request to URL: https://localhost:8443/ws/items.wsdl

我不想使用ca签名证书。（使用签名的证书才有效。）我该怎么做？我有什么选择？

来源

2016-11-08 user1648825

不，我只有https连接器，并希望允许我的WSDL不安全。如果它不起作用，我可以打开一个新的HTTP连接，如http://stackoverflow.com/a/36623801/1648825中所述。 – user1648825

你能解决你的问题吗？我现在正是这种情况。 – ram

-1

删除此：

.authorizeRequests() 
       .antMatchers("/ws/items.wsdl").permitAll()

web配置是说忽略路径，但你的HTTP安全的话语，并发出请求到该路径经过身份验证。

来源

2016-11-08 19:45:17 Gandalf

它没有帮助。在浏览器中，我得到'localhost：8443使用了一个无效的安全证书。证书不可信，因为它是自签名的。错误代码：SEC_ERROR_UNKNOWN_ISSUER' 和http cli： 'http https：// localhost：8443/ws/items.wsdl'' http：错误：SSLError：[SSL：CERTIFICATE_VERIFY_FAILED]证书验证失败（_ssl.c：645）同时对URL进行GET请求：https：// localhost：8443/ws/items.wsdl' – user1648825

如何用Spring Security和SSL忽略一些路径？

回答

相关问题