我正在尝试传入 Spring Boot 2.7.0-SNAPSHOT,它使用 Spring Security 5.7.0,它不推荐使用WebSecurityConfigurerAdapter.
我阅读了这篇博文,但我不确定如何AuthenticationManager向我的 JWT 授权过滤器公开默认实现。
旧的WebSecurityConfig,使用WebSecurityConfigurerAdapter(工作正常):
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JWTTokenUtils jwtTokenUtils;
@Bean
protected AuthenticationManager getAuthenticationManager() throws Exception {
return authenticationManager();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// disable CSRF as we do not serve browser clients
.csrf().disable()
// allow access restriction using request matcher
.authorizeRequests()
// authenticate requests to GraphQL endpoint
.antMatchers("/graphql").authenticated() …我有一个Spring网络应用程序,使用Spring Security保护,在EC2上运行.在EC2实例前面是一个带有SSL证书的Elastic Load Balancer(https终止于负载均衡器,即端口443 - >端口80),因此从Tomcat的角度来看,入站请求是HTTP.
我的登录表单提交到https,但后续重定向转到http(成功或失败).身份验证成功,我可以回到https,我已登录.
我的登录配置如下:
<security:form-login
default-target-url="/home"
login-page="/"
login-processing-url="/processlogin"
authentication-failure-url="/?login_error=1"/>
我需要更改什么来使default-target-url和authentication-failure-url转到https?
我有一个Spring MVC应用程序.它使用自己的自定义登录页面.成功登录后,会在HTTPSession中放置一个"LOGGED_IN_USER"对象.
我想只允许经过身份验证的用户访问URL.我知道我可以通过使用网络过滤器实现这一目标.但是,这部分我想使用Spring Security(我的检查将保持不变 - 在HTTPSession中查找'LOGGED_IN_USER'对象,如果存在,您已登录).
我的约束是我目前无法改变登录行为 - 这还不会使用Spring Security.
我可以使用Spring Security的哪个方面单独实现此部分 - 检查请求是否经过身份验证(来自登录用户)?
我正在尝试将数据库名称设置为spring security登录页面中的请求输入参数.目前我只获得使用spring security检索的用户名SecurityContextHolder.getContext().getAuthentication().
如何访问登录页面上设置的附加字段?
我正在使用spring security和java config
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/api/*").hasRole("ADMIN")
.and()
.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class)
.exceptionHandling()
.authenticationEntryPoint(restAuthenticationEntryPoint)
.and()
.formLogin()
.successHandler(authenticationSuccessHandler)
.failureHandler(new SimpleUrlAuthenticationFailureHandler());
我正在使用PostMan来测试我的REST服务.我成功获得'csrf token',我可以使用X-CSRF-TOKEN请求标头登录.但登录后我点击发布请求(我在请求标题中包含相同的令牌,我用于登录发布请求)我收到以下错误消息:
HTTP状态403 - 无法验证提供的CSRF令牌,因为找不到您的会话.
任何人都可以指导我做错了什么.
我有以下定义......
<bean id="fsi" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
<property name="objectDefinitionSource">
<sec:filter-invocation-definition-source >
<sec:intercept-url pattern="/secure/css/**" access="ROLE_TIER0"/>
<sec:intercept-url pattern="/secure/images/**" access="ROLE_TIER0"/>
<sec:intercept-url pattern="/**" access="ROLE_TIER0"/>
</sec:filter-invocation-definition-source>
</property>
</bean>
我想拥有这个网址的资源......
"/不安全/**"
打开所有呼叫,即没有安全性.
我试过添加......
<sec:intercept-url pattern="/nonsecure/**" access="permitAll" />
但这会导致Websphere抛出错误
Unsupported configuration attributes: [permitAll]
谁能告诉我如何从安全性中排除这个URL?
在我开始之前,我要说的是我找到的最接近的答案就在这里,但说实话,我并不真正理解那里发生了什么.
我正在使用Struts2 + Spring Security 2.06与自定义身份验证提供程序和访问决策管理器来消除对"ROLE_"前缀的需求.
我的applicationContext-security.xml看起来像这样:
<beans:bean id="customAuthenticationProvider"
class="com.test.testconsole.security.CustomAuthenticationProvider">
<beans:property name="userManagementService" ref="userManagementService"/>
<custom-authentication-provider/>
</beans:bean>
<!--Customize Spring Security's access decision manager to remove need for "ROLE_" prefix-->
<beans:bean
id="accessDecisionManager"
class="org.springframework.security.vote.AffirmativeBased">
<beans:property name="decisionVoters">
<beans:list>
<beans:ref bean="roleVoter"/>
<beans:ref bean="authenticatedVoter"/>
</beans:list>
</beans:property>
</beans:bean>
<beans:bean
id="roleVoter"
class="org.springframework.security.vote.RoleVoter">
<beans:property name="rolePrefix" value=""/>
</beans:bean>
<beans:bean
id="authenticatedVoter"
class="org.springframework.security.vote.AuthenticatedVoter">
</beans:bean>
<global-method-security secured-annotations="enabled" access-decision-manager-ref="accessDecisionManager"/>
我的web.xml的相关部分:
<!--Spring Security-->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
<filter-name>struts2</filter-name>
<filter-class>
org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter
</filter-class>
</filter>
<!--Has to be placed _Before_ the struts2 filter-mapping-->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern> …我正在尝试从ApplicationListener<AuthenticationSuccessEvent>成功登录时实现接口的类调用受保护的方法(Spring 3.2.2和Spring Security 3.2.0 M1).这是我之前的问题.
该应用程序在以下环境中运行.
我已将以下与Spring安全性相关的库添加到类路径中.
实现的类ApplicationListener<AuthenticationSuccessEvent>如下.
package loginsuccesshandler;
import admin.dao.service.StateService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Service;
@Service
public final class AuthSuccessHandler implements ApplicationListener<AuthenticationSuccessEvent>
{
@Autowired
private StateService stateService;
@Override
public void onApplicationEvent(AuthenticationSuccessEvent event)
{
System.out.println(event.getAuthentication());
System.out.println("rowCount = "+stateService.rowCount());
}
}
This prevents a user from being logged in even with correct credentials with the …
我正在尝试为我的其他应用添加spring-security.我在春季网站上按照教程(https://spring.io/guides/tutorials/spring-security-and-angular-js/)进行操作,但它使用了我不想使用的spring-boot组件,也许问题在这里.
我的安全配置在这里:
@Configuration
@Order(2147483636)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and().authorizeRequests()
.antMatchers("/rest", "/").permitAll().anyRequest()
.authenticated().and().csrf()
.csrfTokenRepository(csrfTokenRepository()).and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
}
private Filter csrfHeaderFilter() {
return new OncePerRequestFilter() {
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
String token = csrf.getToken();
if (cookie == null || token != null
&& !token.equals(cookie.getValue())) { …我们什么时候使用antMatcher()vs antMatchers()?
例如:
http
.antMatcher("/high_level_url_A/**")
.authorizeRequests()
.antMatchers("/high_level_url_A/sub_level_1").hasRole('USER')
.antMatchers("/high_level_url_A/sub_level_2").hasRole('USER2')
.somethingElse()
.anyRequest().authenticated()
.and()
.antMatcher("/high_level_url_B/**")
.authorizeRequests()
.antMatchers("/high_level_url_B/sub_level_1").permitAll()
.antMatchers("/high_level_url_B/sub_level_2").hasRole('USER3')
.somethingElse()
.anyRequest().authenticated()
.and()
...
我期待的是,
/high_level_url_A/**应该经过身份验证+ /high_level_url_A/sub_level_1仅适用于USER且/high_level_url_A/sub_level_2仅适用于USER2/high_level_url_B/**应该被认证+ /high_level_url_B/sub_level_1用于公共访问,并且/high_level_url_A/sub_level_2仅用于USER3.我看到最近的例子不包括antMatcher()这些天.这是为什么?是否antMatcher()不再需要?
spring-security ×10
spring ×7
java ×5
spring-mvc ×3
csrf ×1
https ×1
security ×1
spring-boot ×1
ssl ×1
struts2 ×1
tomcat6 ×1