我有一个方法,我想允许匿名和经过身份验证的访问.
我正在使用基于java的配置的Spring Security 3.2.4.
重写的配置方法(在我的自定义配置类中扩展WebSecurityConfigurerAdapter)具有以下http块:
http
.addFilterBefore(muiltpartFilter, ChannelProcessingFilter.class)
.addFilterBefore(cf, ChannelProcessingFilter.class)
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.authorizeRequests()
.antMatchers("/ping**")
.permitAll()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login");
ping请求处理程序和方法位于一个控制器中,该控制器也包含登录处理程序,它没有单独的@PreAuthorize或其他可能导致该问题的注释.
问题是匿名访问被拒绝,用户被重定向到登录页面.
记录调试级别,我看到Spring Security的以下反馈:
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /ping; Attributes: [authenticated]
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faad796: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffa64e: RemoteIpAddress: 192.168.2.128; SessionId: 0EF6B13BBA5F00C020FF9C35A6E3FBA9; Granted Authorities: ROLE_ANONYMOUS
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.access.vote.AffirmativeBased] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@123f2882, returned: -1
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.ExceptionTranslationFilter] Access is denied (user is anonymous); …我有以下Spring Security配置:
httpSecurity
.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/**").fullyAuthenticated()
.and()
.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
该authenticationTokenFilterBean()甚至在不匹配的终端应用/api/**表现.我还尝试添加以下配置代码
@Override
public void configure(WebSecurity webSecurity) {
webSecurity.ignoring().antMatchers("/some_endpoint");
}
但这仍然没有解决我的问题.如何告诉spring security仅在与安全URI表达式匹配的端点上应用过滤器?谢谢
@SuppressWarnings("SpringJavaAutowiringInspection")
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
public void configureAuthentication(AuthenticationManagerBuilder
authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder.userDetailsService(userDetailsService);
}
@Bean
public JwtAuthenticationTokenFilter authenticationTokenFilterBean() throws Exception {
return new JwtAuthenticationTokenFilter();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.csrf().disable()
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/test").permitAll()
.antMatchers("/api/**").permitAll()
.anyRequest().authenticated();
httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
}
}
我有一个在Spring Security之前运行的自定义过滤器.我希望能够/test从过滤器和Spring Security中排除某些URL(例如)以及其他被拦截的URL (如/api/**).
当使用邮递员进行测试时localhost/test,即使我有,仍然会通过过滤器antMatchers("/test").permitAll().
如何绕过过滤器?
我正在尝试使用 JWT 获得 spring 安全性以使用应用程序。我已经阅读了许多教程和示例,但没有一个真正适合我的用例。我们不通过用户名/密码授权,我们使用 twilio 来验证手机号码,然后我想创建一个简单的 JWT 令牌,以手机号码为主题。我已经能够做到这一点
这是 /api/v1/jwt 中存在的一个简单端点
@GetMapping("/jwt")
fun jwt(@RequestParam(value = "number", required = true) number: String): String? {
val jwtToken = Jwts.builder().setSubject(number).claim("roles", "user").setIssuedAt(Date()).signWith(SignatureAlgorithm.HS256, Base64.getEncoder().encodeToString("secret".toByteArray())).compact()
return jwtToken
}
它返回一个有效的 JWT 令牌。
不过,我的安全配置不再起作用,现在所有端点似乎都受到保护,
@Configuration
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
@Bean
override fun authenticationManagerBean(): AuthenticationManager {
return super.authenticationManagerBean()
}
override fun configure(web: WebSecurity) {
web.ignoring().antMatchers("/v2/api-docs",
"/configuration/ui",
"/swagger-resources/**",
"/configuration/security",
"/swagger-ui.html",
"/webjars/**");
}
override fun configure(http: HttpSecurity) {
http.csrf()
.disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/v1/auth/**").permitAll()
.anyRequest().authenticated()
.and()
.addFilterBefore(JwtFilter(), …我对此进行了研究,并在 SO 上找到了这个答案。
不过,我确实有一个补充问题:
我有一组过滤器,我希望将其应用于所有请求,特殊情况除外(例如:除 /mgmt/** 和 /error/** 之外的所有路径)。
这不能使用链接答案中提供的相同方法来完成,因为我会将过滤器添加到默认的 http-security 对象,然后该对象也适用于特殊情况。
是否有“负匹配器”之类的东西,允许我做类似的事情:
http.negativeAntMatchers("/mgmt/**).addFilter(...)
为除 /mgmt/** 之外的所有内容添加过滤器?
我的代码:
这是“/mgmt”的配置,将 ManagementBasicAuthFilter 放置在链中 - 这有效,因为除了“/mgmt/**”之外没有端点要求基本身份验证。
@Order(1)
@Configuration
@RequiredArgsConstructor
public static class ManagementSecurityConfig extends WebSecurityConfigurerAdapter {
private final AuthenticationManager authenticationManager;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("mgmt/**")
.csrf().disable()
.headers().frameOptions().sameOrigin()
.cacheControl().disable()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilterBefore(new ManagementBasicAuthenticationFilter(authenticationManager,
getAuthenticationEntryPoint(), "/mgmt"), BasicAuthenticationFilter.class)
.authorizeRequests()
.anyRequest()
.permitAll();
}
private BasicAuthenticationEntryPoint getAuthenticationEntryPoint() {
BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
entryPoint.setRealmName("myApp");
return entryPoint;
}
}
这是所有入口点的配置,除了 mgmt - …
我有一个在BasicAuthenticationFilter之前调用的自定义过滤器,Bean在SecurityConfig文件中自动装配.
.addFilterBefore(preAuthTenantContextInitializerFilter, BasicAuthenticationFilter.class)
以下是过滤器的外观.
@Component
public class PreAuthTenantContextInitializerFilter extends OncePerRequestFilter {
@Autowired
private TenantService tenantService;
.....
.....
我希望这个过滤器不会像Spring Security过滤器链的其余部分那样触发WebSecurityConfigurerAdapter #configure(WebSecurity web)web.ignoring()中包含的路径.
这是它的样子
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources",
"/configuration/security", "/swagger-ui.html",
"/webjars/**","/swagger-resources/configuration/ui",
"/swagge??r-ui.html", "/docs/**");
}
}
我已经尝试过了什么.
从过滤器类中删除@Component注释,它只会阻止过滤器在任何情况下调用,因为过滤器不再被选为bean并且永远不会进入过滤器链.
我在找什么
我希望在调用Spring安全链的其余部分时调用此过滤器,并在web.ignoring()中忽略其路径,就像其他Spring Security过滤器一样.谢谢.