Issues migrating a fully XML-based Spring Security configuration (2.0.4) to Java-based configuration (4.2)



In Spring Security 2.0.4 the configuration was declared as below, and the filter positions were declared in the individual bean declarations as well...

Old security.xml

<sec:http session-fixation-protection="migrateSession">
<sec:intercept-url pattern="/login.hm*" filters="none" requires-channel="https" />
<sec:intercept-url pattern="/services/**" filters="none" requires-channel="https"/>
<sec:intercept-url pattern="/widget/**" filters="none" requires-channel="https" />
<sec:intercept-url pattern="/istore/theme/**" filters="none" requires-channel="https"/>
<sec:intercept-url pattern="/logout.hm*" filters="none" requires-channel="https" />
<sec:intercept-url pattern="/mstore/theme/**" filters="none" requires-channel="https"/>
<sec:intercept-url pattern="/istore/history*" access="ROLE_UU" requires-channel="https"/>
<sec:intercept-url pattern="/istore/consumer_goods*" access="ROLE_UU" requires-channel="https"/>
<sec:intercept-url pattern="/istore/electronics*" access="ROLE_UU" requires-channel="https"/>
<sec:intercept-url pattern="/istore/accessories*" access="ROLE_UU" requires-channel="https"/>
<sec:intercept-url pattern="/istore/reward_redemption*" access="ROLE_UU" requires-channel="https"/>
<sec:intercept-url pattern="/istore/**" access="ROLE_UU,ROLE_SSS" requires-channel="https"/>
<sec:form-login
login-page="${login.url}"
login-processing-url="${login.processing.url}"
default-target-url="${setuppassword.page.url}"
authentication-failure-url="${login.failure.url}" always-use-default-target="false" />
</sec:http>

Spring Security: how to exclude certain resources?

https://www.baeldung.com/security-none-filters-none-access-permitAll

The main problem is that the filters are not being excluded for certain URL patterns, nor set up in a more precise way for the other patterns.

P.S.: We also have HDIV, which is being migrated as well.

  1. How do we configure the filters and the chain order for specific URLs while ignoring certain URLs?
  2. Is Java-based configuration better than XML?

Startup log

INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'characterEncodingFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'httpPutFormContentFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'requestContextFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'springSecurityFilterChain' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'sitemesh' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'CustomSecurityHeaderFilter' to urls: []
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'HttpOnlyCookieFilter' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'ValidatorFilter' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'org.springframework.security.filterChainProxy' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter:'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'httpOnlyCookieFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'logoutFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'iStoreFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'loginFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'preLoginFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: '_formLoginFilter' to: [/*]

I had asked the question below earlier; it was deleted for not being focused, so I am asking it here to answer it myself, as I feel it may be useful to others too.

https://stackoverflow.com/questions/60221667/custom-filters-being-called-by-spring-and-mapped-to-even-after-specifying-se

For a Spring Security migration to version 3 and above, you can simply extend WebSecurityConfigurerAdapter and override its methods to do the Java-based configuration with the builder pattern, which is simpler and more fine-grained:

  1. First, add the URL patterns with their roles, the authentication provider, the authentication handlers (success/failure), logout and logout handlers, the session management configuration, the set of filters with defined positions, etc.
// Imports and class wrapper added so the fragment compiles. The field types are assumed:
// the original does not show how the filters and the provider are declared. With several
// Filter beans present, Spring resolves each field by its name (iStoreFilter, loginFilter).
import javax.servlet.Filter;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired private AuthenticationProvider authProvider;
    @Autowired private Filter iStoreFilter;
    @Autowired private Filter loginFilter;
    @Autowired private LogoutFilter logoutFilter;
    @Autowired private AbstractAuthenticationProcessingFilter authenticationProcessingFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // most specific patterns first: the first matching rule wins
            .antMatchers("/istore/link.jsp").hasAnyAuthority("UU", "SSS")
            .antMatchers("/istore/**/*.jsp").hasAuthority("RESTRICT")
            .antMatchers("/mstore/**/*.jsp").hasAuthority("RESTRICT")
            .antMatchers("/istore/card*").hasAuthority("UU")
            .antMatchers("/istore/history*").hasAuthority("UU")
            .antMatchers("/istore/orders*").hasAuthority("UU")
            .antMatchers("/istore/consumer_goods*").hasAuthority("UU")
            .antMatchers("/istore/electronics*").hasAuthority("UU")
            .antMatchers("/istore/reward_redemption*").hasAuthority("UU")
            .antMatchers("/istore/accessories*").hasAuthority("UU")
            .antMatchers("/istore/privelege_card*").hasAuthority("UU")
            .antMatchers("/istore/profile*").hasAuthority("UU")
            .antMatchers("/istore/reward_redemption*").hasAuthority("UU") // duplicate of the rule above; harmless
            .antMatchers("/istore/addresses*").hasAuthority("UU")
            .antMatchers("/istore/**").hasAuthority("UU")
            .and()
            .formLogin()
            .loginPage("/login.hm")
            .failureUrl("/login.hm?err=1")
            .loginProcessingUrl("/istore_check.hm")
            .and()
            .authenticationProvider(authProvider)
            .logout()
            .and()
            // 2.0.x had no CSRF filter; it is switched off here to keep the old behaviour
            .csrf().disable()
            // custom filters positioned relative to the standard chain filters
            .addFilterBefore(iStoreFilter, ChannelProcessingFilter.class)
            .addFilterAfter(loginFilter, BasicAuthenticationFilter.class)
            .addFilterAt(logoutFilter, LogoutFilter.class)
            .addFilterAt(authenticationProcessingFilter, UsernamePasswordAuthenticationFilter.class)
            // session-fixation-protection="migrateSession" from the old XML
            .sessionManagement().sessionFixation().migrateSession();
    }

    // configure(WebSecurity) and authenticationManagerBean() from the next two steps belong in this class too
}
  2. Second, ignore the security filters of the Spring Security filter chain for specific URL patterns
// Goes into the same WebSecurityConfigurerAdapter subclass; needs
// import org.springframework.http.HttpMethod; and
// import org.springframework.security.config.annotation.web.builders.WebSecurity;
@Override
public void configure(WebSecurity web) throws Exception {
    // Java equivalent of filters="none": these requests bypass springSecurityFilterChain
    // entirely, so no authorization, channel or session handling applies to them.
    web.ignoring().antMatchers("/services/**")
        .antMatchers(HttpMethod.GET, "/monitor/health")
        .antMatchers(HttpMethod.GET, "/widget/**")
        .antMatchers(HttpMethod.GET, "/login.hm*")
        .antMatchers(HttpMethod.GET, "/istore/login.jsp")
        .antMatchers(HttpMethod.GET, "/istore/logout.jsp")
        .antMatchers(HttpMethod.GET, "/registration.hm*")
        .antMatchers(HttpMethod.GET, "/tnc.hm*")
        .antMatchers(HttpMethod.GET, "/istore/clicktochat/**")
        .antMatchers(HttpMethod.GET, "/logout.hm")
        .antMatchers(HttpMethod.GET, "/istore/theme/**")
        .antMatchers(HttpMethod.GET, "/mstore/theme/**")
        .antMatchers(HttpMethod.GET, "/js/**")
        .antMatchers(HttpMethod.GET, "/breeze/**")
        .antMatchers(HttpMethod.GET, "/resources/**")
        .antMatchers(HttpMethod.GET, "/crossdomain.xml"); // terminating semicolon was missing
}
  3. Third, make the authentication manager bean available. It used to be available as _authenticationManager, but now it has to be declared as a bean as below, so that it can be injected into the implementation of AbstractAuthenticationProcessingFilter (formerly AbstractProcessingFilter)
// Goes into the same class; needs import org.springframework.context.annotation.Bean; and
// import org.springframework.security.authentication.AuthenticationManager;
// Exposes the adapter's AuthenticationManager under the name "authenticationManagerBean"
// so an AbstractAuthenticationProcessingFilter subclass can have it injected by name.
@Override
@Bean(name = "authenticationManagerBean")
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

P.S. When coming from 3 and below with an XML-based configuration, remember to look at your web.xml, because servlet and filter registration is an important part; if it is not done precisely you will find yourself debugging in other places. If HDIV is in use, remove it and migrate it in parallel rather than together.
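As an added example (not code from the question or the answer above): a standalone WebSecurityConfigurerAdapter that carries over the two XML attributes the answer's snippets do not show, requires-channel="https" and filters="none", and that switches off Spring Boot's automatic servlet registration of a custom Filter bean. The startup log in the question shows Boot mapping 'iStoreFilter', 'loginFilter' and the other security filters to [/*] through FilterRegistrationBean, which makes each of them a container-level filter that runs for every request, including the URLs handed to web.ignoring(), and then a second time at its addFilterBefore/addFilterAt position inside springSecurityFilterChain. The package name, the IStoreFilter class and its invocation counter are assumptions for illustration.

```java
package example.security; // hypothetical package name

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.web.filter.GenericFilterBean;

@Configuration
@EnableWebSecurity
public class FilterPlacementConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical stand-in for the question's iStoreFilter. It counts how often it runs
    // for one request, so a duplicate (container-level plus chain-level) registration
    // shows up in the log instead of silently running the filter twice.
    static class IStoreFilter extends GenericFilterBean {
        static final String COUNT_ATTR = IStoreFilter.class.getName() + ".invocations";

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            Integer count = (Integer) request.getAttribute(COUNT_ATTR);
            count = (count == null) ? 1 : count + 1;
            request.setAttribute(COUNT_ATTR, count);
            if (count > 1) {
                // Only seen while Boot still registers the bean as a servlet filter on /*
                logger.warn("iStoreFilter ran " + count + " times for "
                        + ((HttpServletRequest) request).getRequestURI());
            }
            chain.doFilter(request, response);
        }
    }

    @Bean
    public IStoreFilter iStoreFilter() {
        return new IStoreFilter();
    }

    // Spring Boot registers every Filter bean with the servlet container mapped to /*;
    // that is the "Mapping filter: 'iStoreFilter' to: [/*]" line in the startup log.
    // Disabling that registration leaves the filter only where the security chain puts it,
    // so web.ignoring() patterns really bypass it. Written against the non-generic
    // Boot 1.5 FilterRegistrationBean (package o.s.b.w.servlet as in the log); on Boot 2
    // the raw type compiles with a warning.
    @Bean
    public FilterRegistrationBean iStoreFilterRegistration(IStoreFilter filter) {
        FilterRegistrationBean registration = new FilterRegistrationBean(filter);
        registration.setEnabled(false);
        return registration;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Java equivalent of filters="none": these requests never enter the security chain.
        web.ignoring().antMatchers("/services/**", "/widget/**",
                "/istore/theme/**", "/mstore/theme/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requiresChannel()
                // Java equivalent of requires-channel="https" on the intercept-url rules
                .antMatchers("/istore/**", "/mstore/**").requiresSecure()
                .and()
            .authorizeRequests()
                .antMatchers("/istore/**").hasAnyAuthority("UU", "SSS")
                .and()
            .formLogin()
                .loginPage("/login.hm")
                .loginProcessingUrl("/istore_check.hm")
                .and()
            // The only remaining place the filter runs: before ChannelProcessingFilter in the chain
            .addFilterBefore(iStoreFilter(), ChannelProcessingFilter.class)
            // session-fixation-protection="migrateSession" from the old XML
            .sessionManagement().sessionFixation().migrateSession();
    }
}
```

After the registration bean is disabled, the startup log should no longer list 'iStoreFilter' as mapped to [/*], only 'springSecurityFilterChain' is, and a request to /services/** passes through none of the custom security filters, which is what filters="none" did in the 2.0.4 configuration. The same FilterRegistrationBean pattern applies to every other custom Filter bean the log shows on /* (loginFilter, logoutFilter, preLoginFilter, and so on).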
