突然之间,我的应用程序的安全性被破坏了。它与antMatchers.(<patterns>).permitAll()
中的模式不匹配,并且正在尝试对所有网址进行身份验证。下面的代码Spring Security:antMatchers不符合URL模式
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(preauthAuthProvider());
}
@Bean
public PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider();
preauthAuthProvider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
return preauthAuthProvider;
}
@Bean
public HeaderPreAuthProcessingFilter ssoFilter() throws Exception {
HeaderPreAuthProcessingFilter filter = new HeaderPreAuthProcessingFilter();
filter.setPrincipalRequestHeader("user_id");
CustomUserDetailsService userDetSer = new CustomUserDetailsService();
userDetSer.setUserService(userService);
filter.setExceptionIfHeaderMissing(false);
filter.setCustomUserDetailsService(userDetSer);
filter.setAuthenticationManager(authenticationManager());
return filter;
}
@Bean
public UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper() {
CustomUserDetailsService userDetSer = new CustomUserDetailsService();
userDetSer.setUserService(userService);
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<>();
wrapper.setUserDetailsService(userDetSer);
return wrapper;
}
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.addFilterBefore(ssoFilter(), RequestHeaderAuthenticationFilter.class)
.authenticationProvider(preauthAuthProvider());
httpSecurity
.exceptionHandling()
.authenticationEntryPoint(httpAuthenticationEntryPoint)
.and()
.authorizeRequests()
.antMatchers("/resources/**", "/", "/applogin", "/login", "/logout", "/verify**", "/verify/**", "/pub/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/signin")
.loginProcessingUrl("/signin")
.failureUrl("/signin?error")
.permitAll()
.successHandler(authSuccessHandler)
.failureHandler(authFailureHandler)
.and()
.logout()
.logoutUrl("/signout").invalidateHttpSession(true).permitAll()
.logoutSuccessHandler(logoutSuccessHandler)
.and()
.csrf().disable();
}
我正在尝试访问{{url}}/applogin
。下面是日志
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 17458 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
DEBUG 17458 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]49168180
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', GET]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'GET /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', POST]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/applogin'; against '/signout'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', PUT]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'PUT /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', DELETE]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'DELETE /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 5 of 12 in additional filter chain; firing Filter: 'HeaderPreAuthProcessingFilter'
INFO 17458 --- [nio-8080-exec-1] t.l.c.w.HeaderPreAuthProcessingFilter : Authenticating [POST /applogin]
...
< application logs >
...
DEBUG 17458 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG 17458 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Successfully completed request
我使用Spring Security的4.2.1版
你改变了什么?我会说,它从来没有奏效。认证和授权有区别。你的'HeaderPreAuthProcessingFilter'使认证(这太宽泛了)和Spring进行授权(如你的配置中配置)。 – dur
所以你说的代码是越野车?实际上应用程序已经运行了一年多了,但几个星期前我已经掌握了它。为了改进代码标准,我对代码进行了一些更改。但我对Spring的安全性并不强。因此,问题。 – shyam
没有什么比'HeaderPreAuthProcessingFilter'中的一些重构。 – shyam