Equivalent of requires-channel="https" when using <filter-chain> tags

I am using Spring Security 3.2.5 in a GWT application. I need fine-grained control over the security filters, so I use the configuration below instead of the namespace element:
    <beans:bean id="springSecurityFilterChain"
        class="org.springframework.security.web.FilterChainProxy">
        <beans:constructor-arg>
            <beans:list>
                <filter-chain pattern="/css/**" filters="none" />
                <filter-chain pattern="/image/**" filters="none" />
                <filter-chain pattern="/index.jsp" filters="none" />
                <filter-chain pattern="/**/logout" filters="logoutFilter" />
                <filter-chain pattern="/**"
                    filters="securityContextPersistenceFilterWithASCTrue, concurrentSessionFilter, usernamePasswordAuthenticationFilter, exceptionTranslationFilter, filterSecurityInterceptor" />
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>
I have omitted the definitions of the individual filters.

I need the filter chain above to enforce https the way the tag in the following example does:
<security:intercept-url pattern="/reports" access="ROLE_ADMIN" requires-channel="https"/>
How can I achieve this?

EDIT 1: Adding ChannelProcessingFilter

Following @luke's answer I modified the code so that the channel filter is in the first position of the filter chain:
    <filter-chain pattern="/**"
        filters="channelProcessingFilter, securityContextPersistenceFilterWithASCTrue, ..." />
I also added the following bean configuration:
    <!-- Ensure https channel -->
    <beans:bean id="filterSecurityInterceptor"
        class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
        <beans:property name="securityMetadataSource">
            <filter-security-metadata-source>
                <intercept-url pattern="/**" access="ROLE_USER" />
            </filter-security-metadata-source>
        </beans:property>
    </beans:bean>

    <beans:bean id="channelProcessingFilter"
        class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
        <beans:property name="channelDecisionManager" ref="channelDecisionManager"/>
        <beans:property name="securityMetadataSource">
            <filter-security-metadata-source request-matcher="ant">
                <intercept-url pattern="/**" access="REQUIRES_SECURE_CHANNEL"/>
            </filter-security-metadata-source>
        </beans:property>
    </beans:bean>

    <beans:bean id="channelDecisionManager"
        class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
        <beans:property name="channelProcessors">
            <beans:list>
                <beans:ref bean="secureChannelProcessor"/>
                <beans:ref bean="insecureChannelProcessor"/>
            </beans:list>
        </beans:property>
    </beans:bean>

    <beans:bean id="secureChannelProcessor"
        class="org.springframework.security.web.access.channel.SecureChannelProcessor" />
    <beans:bean id="insecureChannelProcessor"
        class="org.springframework.security.web.access.channel.InsecureChannelProcessor" />
The problem now is that I get an infinite loop after submitting my login form over HTTP. Of course that is a situation I want to prevent, but an infinite loop is not the right behaviour. Here is the relevant log:
    DEBUG o.s.s.w.FilterChainProxy 337 - /j_spring_security_check at position 1 of 6 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
    DEBUG o.s.s.w.a.c.ChannelProcessingFilter 134 - Request: FilterInvocation: URL: /j_spring_security_check; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
    2014-10-30 19:47:10,565 DEBUG o.s.s.w.a.c.RetryWithHttpsEntryPoint 55 - Redirecting to: /j_spring_security_check
    2014-10-30 19:47:10,567 DEBUG o.s.s.w.DefaultRedirectStrategy 36 - Redirecting to '/j_spring_security_check'
Any ideas?
Hi @luke. I am getting an infinite loop at 'RetryWithHttpsEntryPoint 55 - Redirecting to: /j_spring_security_check'. Please have a look at my edit above – Taka 2014-10-30 18:40:07

Do you have HTTPS set up correctly? I.e., can you access the application over HTTPS and log in without the extra filter? – 2014-10-30 21:14:47

Yes, if I remove the _channelProcessingFilter_ I can log in over https. I also tested with _channelProcessingFilter_ put back, and I can reach the application over plain http. Is all of this normal? By the way, the server is the Jetty embedded in the GWT Eclipse plugin – Taka 2014-10-31 08:16:16
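One detail worth checking in the log above is that the redirect target has no scheme or host (`Redirecting to: /j_spring_security_check`). In Spring Security 3.x, RetryWithHttpsEntryPoint (through AbstractRetryEntryPoint) builds an absolute `https://host:port/...` URL only when its PortMapper has a mapping for the port the request arrived on; otherwise it redirects back to the same relative path over the current scheme, which loops forever. The default PortMapperImpl knows only 80 to 443 and 8080 to 8443. The following is an added example, not code from the question or from Spring, that wires an explicit mapping into the channel processors; the ports 8888 (http) and 8443 (https) are assumptions for the embedded Jetty and must match its real connectors.

```xml
<!-- Added example: explicit port mapping so the channel entry points can build
     absolute URLs. ASSUMPTION: embedded Jetty serves http on 8888 and https on
     8443; adjust both numbers to the actual connectors. -->
<beans:bean id="portMapper" class="org.springframework.security.web.PortMapperImpl">
    <beans:property name="portMappings">
        <beans:map>
            <beans:entry key="8888" value="8443"/>
        </beans:map>
    </beans:property>
</beans:bean>

<!-- http request with REQUIRES_SECURE_CHANNEL -> redirect to https://host:8443/... -->
<beans:bean id="retryWithHttpsEntryPoint"
    class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
    <beans:property name="portMapper" ref="portMapper"/>
</beans:bean>

<!-- https request with REQUIRES_INSECURE_CHANNEL -> redirect to http://host:8888/... -->
<beans:bean id="retryWithHttpEntryPoint"
    class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
    <beans:property name="portMapper" ref="portMapper"/>
</beans:bean>

<!-- These replace the bare processor beans from the question; the
     channelDecisionManager bean can stay as it is and keeps referencing them. -->
<beans:bean id="secureChannelProcessor"
    class="org.springframework.security.web.access.channel.SecureChannelProcessor">
    <beans:property name="entryPoint" ref="retryWithHttpsEntryPoint"/>
</beans:bean>
<beans:bean id="insecureChannelProcessor"
    class="org.springframework.security.web.access.channel.InsecureChannelProcessor">
    <beans:property name="entryPoint" ref="retryWithHttpEntryPoint"/>
</beans:bean>
```

With a matching mapping in place, the RetryWithHttpsEntryPoint debug line should show an absolute `https://` URL instead of the bare path; if it still shows the path alone, the port Jetty is actually listening on is not in the map.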