相关疑难解决方法(0)

如何在JavaConfig中定义http"security ='none'?

我想使用Java Config在Spring Boot中定义类似于此XML的内容.

<http pattern="/webservices/**" security="none"/>

我需要一种不同的方法来保护它们,不能进行表单登录.保护他们将在以后到来.现在,我想停止使用http.formLogin()来保护它们.

我已经覆盖了WebSecurityConfigurerAdapter.configure().我找不到要说的API,像这样:

http.securityNone().antMatchers("/webservices")

这是我的configure()方法:

@Override
protected void configure(HttpSecurity http) throws Exception
    http.csrf().disable(); 
    http.headers().frameOptions().disable();

    http.authorizeRequests()
          .antMatchers("/resources/**", 
//"/services/**",  THIS LOGS IN AUTOMATICALLY AS 'ANONYMOUS'.  NO GOOD!
//"/remoting/**",  THIS LOGS IN AUTOMATICALLY AS 'ANONYMOUS'.  NO GOOD!
                      "/pages/login",
                      "/pages/loginFailed").permitAll()

    // Only authenticated can access these URLs and HTTP METHODs
    .antMatchers("/secured/**").authenticated()
    .antMatchers(HttpMethod.HEAD,"/**").authenticated()
    .antMatchers(HttpMethod.GET,"/**").authenticated()
    .antMatchers(HttpMethod.POST,"/**").authenticated()
    .antMatchers(HttpMethod.PUT,"/**").authenticated()
    .antMatchers(HttpMethod.DELETE,"/**").authenticated();

    // Accept FORM-based authentication
    http.formLogin()
        .failureUrl("/pages/loginFailed")
        .defaultSuccessUrl("/")
        .loginPage("/pages/login")
        .permitAll()
        .and()
        .logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/pages/logout"))
        .logoutSuccessUrl("/pages/login")
        .permitAll();

    http.formLogin().successHandler(new AppLoginSuccessHandler());

}
Run Code Online (Sandbox Code Playgroud)

spring spring-security spring-boot spring-java-config

7
推荐指数
1
解决办法
5017
查看次数

对jhipster的Cookie盗窃攻击

我在jhipster上有一个问题:1.10.2项目.

当客户端会话到期时,我在刷新一些页面时遇到了cookie盗窃攻击.我在这里找到了原因.当我刷新页面时,第一个请求刷新remember-me令牌,使旧令牌无效,并将结果发送到会话中存储.但与此同时,另一个请求已经消失了旧的cookie记住我的令牌.

我该如何解决这个问题?

谢谢

jhipster

5
推荐指数
0
解决办法
266
查看次数