Tri*_*tan 2 spring spring-security
This is my working security configuration before the migration:

    // Inside a class extending WebSecurityConfigurerAdapter; grantedPortalRoleConverter
    // is a field of that class (its declaration is not shown here).
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Paths that bypass the security filter chain entirely
        web.ignoring()
            .antMatchers("/auth/**")
            .antMatchers("/swagger-ui/**")
            .antMatchers("/swagger-ui.html")
            .antMatchers("/swagger-resources/**")
            .antMatchers("/v2/api-docs/**")
            .antMatchers("/v3/api-docs/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(grantedPortalRoleConverter);
        http
            .csrf().disable()
            .cors()
            .and()
            .exceptionHandling()
                .authenticationEntryPoint(new AuthenticationFallbackEntryPoint())
            .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // every request reaching this chain must carry a valid JWT
            .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2ResourceServer()
                .jwt().jwtAuthenticationConverter(jwtAuthenticationConverter);
    }
This is my security filter chain configuration after the migration:

    // First chain consulted (@Order(1))
    @Bean
    @Order(1)
    public SecurityFilterChain ignorePathsSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .antMatchers(
                    "/auth/**",
                    "/swagger-ui/**",
                    "/swagger-ui.html",
                    "/swagger-resources/**",
                    "/v3/api-docs/**")
                .permitAll());
        return http.build();
    }

    // Second chain (@Order(2)); grantedPortalRoleConverter is now injected as a bean
    @Bean
    @Order(2)
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http, GrantedPortalRoleConverter grantedPortalRoleConverter) throws Exception {
        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(grantedPortalRoleConverter);
        http
            .csrf().disable()
            .cors(Customizer.withDefaults())
            .exceptionHandling(configurer -> configurer.authenticationEntryPoint(new AuthenticationFallbackEntryPoint()))
            .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2ResourceServer(configurer -> configurer.jwt().jwtAuthenticationConverter(jwtAuthenticationConverter));
        return http.build();
    }
With the original conf, when I call a random non-existent path:

    @Test
    void should_not_authenticate_or_return_not_found() throws Exception {
        logger.info("should_not_authenticate_or_return_not_found");
        // unknown path, no bearer token: expect the chain to reject it
        mvc.perform(get("/toto/tata"))
            .andExpect(status().isUnauthorized());
    }
I get:

    15:44:00.230 [main] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Failed to authorize filter invocation [GET /toto/tata] with attributes [authenticated]
With the new conf I just get an HTTP 404. What am I missing here? I can't see any difference, and the debug logs don't show much.

Here is the first log line that is missing with the non-working conf:

    16:24:58.651 [main] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression [authenticated] for any request
But in both logs I can see this (twice in the new conf, since there are two security chains):

    o.s.s.web.DefaultSecurityFilterChain - Will secure any request with (...)
Explanation

When you have multiple SecurityFilterChains you must specify a request matcher, otherwise every request is handled by the first SecurityFilterChain (the one annotated with @Order(1)) and never reaches the second SecurityFilterChain (annotated with @Order(2)).

For the code you shared above, this means configuring .requestMatchers() in ignorePathsSecurityFilterChain:
    @Bean
    @Order(1)
    public SecurityFilterChain ignorePathsSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .requestMatchers(requests -> requests // add this block
                .antMatchers(
                    "/auth/**",
                    "/swagger-ui/**",
                    "/swagger-ui.html",
                    "/swagger-resources/**",
                    "/v3/api-docs/**")
            )
            .authorizeHttpRequests(authorize -> authorize
                .antMatchers(
                    "/auth/**",
                    "/swagger-ui/**",
                    "/swagger-ui.html",
                    "/swagger-resources/**",
                    "/v3/api-docs/**")
                .permitAll());
        return http.build();
    }
This means that only requests matching /auth/**, /swagger-ui/** and so on will be handled by ignorePathsSecurityFilterChain, while all other requests move on to defaultSecurityFilterChain.

To understand the difference between requestMatchers and authorizeHttpRequests you can look at this StackOverflow question.
Solution

A better option is to merge the SecurityFilterChains into one. In this case I don't see any reason for you to keep them separate.

The final configuration would be:
    @Bean
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http, GrantedPortalRoleConverter grantedPortalRoleConverter) throws Exception {
        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(grantedPortalRoleConverter);
        http
            .authorizeHttpRequests(authorize -> authorize
                // public endpoints first, then the catch-all rule
                .antMatchers(
                    "/auth/**",
                    "/swagger-ui/**",
                    "/swagger-ui.html",
                    "/swagger-resources/**",
                    "/v3/api-docs/**")
                .permitAll()
                .anyRequest().authenticated()
            )
            .csrf().disable()
            .cors(Customizer.withDefaults())
            .exceptionHandling(configurer -> configurer.authenticationEntryPoint(new AuthenticationFallbackEntryPoint()))
            .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .oauth2ResourceServer(configurer -> configurer.jwt().jwtAuthenticationConverter(jwtAuthenticationConverter));
        return http.build();
    }
Alternative

Alternatively, you can use a WebSecurityCustomizer to ignore some endpoints:
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        // these paths skip the security filter chain altogether, as web.ignoring() did before
        return (web) -> web.ignoring().antMatchers(
            "/auth/**",
            "/swagger-ui/**",
            "/swagger-ui.html",
            "/swagger-resources/**",
            "/v3/api-docs/**");
    }

and then use defaultSecurityFilterChain as your only SecurityFilterChain.
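As an added check (example code, not part of the question or the answer above): a MockMvc regression test that pins down the fail-closed behaviour the question is about, so a future chain-ordering mistake shows up as a failing test rather than as a silent 404. It assumes a Spring Boot application in which the merged defaultSecurityFilterChain from the answer is the only SecurityFilterChain, that a JwtDecoder bean (or the spring.security.oauth2.resourceserver.jwt.* properties) is configured so the context starts, and that spring-security-test is on the test classpath. The class name, the test names and the concrete paths chosen under /auth/** are mine, not from the post.

```java
// Added example, not code from the original post. Assumes the merged
// defaultSecurityFilterChain is the only SecurityFilterChain, a JwtDecoder bean
// exists so the resource server starts, and spring-security-test is available.
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class SecurityFilterChainRegressionTest {

    @Autowired
    private MockMvc mvc;

    // Fail closed: an unknown path with no bearer token must be rejected by the
    // filter chain (401 from AuthenticationFallbackEntryPoint) before the request
    // reaches DispatcherServlet. A 404 here means the request bypassed
    // authentication, which is exactly the regression described in the question.
    @Test
    void unknown_path_without_token_is_401_not_404() throws Exception {
        mvc.perform(get("/toto/tata"))
           .andExpect(status().isUnauthorized());
    }

    // With an authenticated JWT the chain lets the request through, and the 404
    // now comes from the servlet because no controller maps /toto/tata.
    // jwt() populates the SecurityContext directly; it does not go through JwtDecoder.
    @Test
    void unknown_path_with_token_is_404_from_the_servlet() throws Exception {
        mvc.perform(get("/toto/tata").with(jwt()))
           .andExpect(status().isNotFound());
    }

    // The permitAll() paths must not demand a token. Whether they answer 200 or
    // 404 depends on whether springdoc/swagger is on the classpath, so only the
    // absence of an authentication challenge is asserted. "/auth/login" is an
    // illustrative path under /auth/**, not one the post defines.
    @Test
    void permit_all_paths_do_not_challenge_for_a_token() throws Exception {
        for (String path : new String[] {"/auth/login", "/swagger-ui.html", "/v3/api-docs"}) {
            mvc.perform(get(path))
               .andExpect(result -> assertNotEquals(401, result.getResponse().getStatus(), path));
        }
    }
}
```

The first test is the one that distinguishes the two configurations in the question: with the unmatched @Order(1) chain in place it fails with a 404, with the merged chain it passes. When you later move to Spring Security 6, `http.requestMatchers(...)` becomes `http.securityMatcher(...)` and `antMatchers` becomes `requestMatchers`; the test itself does not change, which is why it is worth keeping across that migration too.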
Views: 1634