1. 首页
  2. 问答
  3. 弹簧(引导)安全预认证与允许的资源仍然认证

弹簧(引导)安全预认证与允许的资源仍然认证

2017-08-31 97 views
0

我使用Spring Boot 1.5.6(也试过1.5.4)。 我使用的是弹簧(引导)安全预认证与允许的资源仍然认证

RequestHeaderAuthenticationFilter 


PreAuthenticatedAuthenticationProvider

,以确保我的Spring MVC的Web应用程序,并允许访问这两个控制器的路径和静态资源。

在我

RequestHeaderAuthenticationFilter

成立我想

setExceptionIfHeaderMissing(true);

,让我知道,如果头变量在请求被发送。

当我尝试访问任何许可的资源的使用,Spring Security看起来总是在请求头变量,并抛出一个

PreAuthenticatedCredentialsNotFoundException

为什么春季安全仍试图查找该预验证主要即使我正在尝试访问允许的(不受保护的)资源? 我如何绕过这种行为?

我对WebSecurityConfigurerAdapter Java的配置低于

@Configuration 
@EnableWebSecurity 
public class SecurityConfig extends WebSecurityConfigurerAdapter{ 


private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class); 


@Autowired 
protected UserDetailsService userDetailsService; 



@Bean 
public PreAuthenticatedAuthenticationProvider preAuthenticatedAuthenticationProvider(){ 

    log.info("Configuring pre authentication provider"); 

    UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = 
      new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(
        userDetailsService); 

    PreAuthenticatedAuthenticationProvider it = new PreAuthenticatedAuthenticationProvider(); 
    it.setPreAuthenticatedUserDetailsService(wrapper); 

    return it;  
} 

@Bean 
public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter() throws Exception{ 

    RequestHeaderAuthenticationFilter it = new RequestHeaderAuthenticationFilter(); 
    it.setAuthenticationManager(authenticationManager()); 
    it.setExceptionIfHeaderMissing(true); 
    return it; 
} 

@Override 
public void configure(AuthenticationManagerBuilder auth) throws Exception { 
    log.info("configure authentication provider"); 
    auth.authenticationProvider(preAuthenticatedAuthenticationProvider()); 

} 


@Override 
protected void configure(HttpSecurity http) throws Exception { 
    log.info("Configure HttpSecurity"); 
    http 
     .authorizeRequests() 
      .antMatchers("/permitted/**", "/css/**", "/js/**", "/images/**", "/webjars/**") 
       .permitAll() 
      .anyRequest() 
        .authenticated() 
      .and().addFilter(requestHeaderAuthenticationFilter()) 

    ; 
}  


@Override 
public void configure(WebSecurity web) throws Exception { 
    web 
     .ignoring() 
      .antMatchers("/permitted/**", "/css/**", "/js/**", "/images/**", "/webjars/**"); 
} 
}

来源

2017-08-31 Sumit

回答

0

我有同样的问题,事实证明这是相关的事实,除了被注册到SecurityFilterChain,春天引导也注册RequestHeaderAuthenticationFilter与Servlet上下文。解决方法是使用FilterRegistrationBean来防止Boot通过Servlet Context自动注册过滤器。

更多细节在这里: Spring Boot Security PreAuthenticated Scenario with Anonymous access

来源

2018-02-28 20:11:22

相关问题

 相关问题