spring security ignore url不能与we security ignore方法一起使用

zxlwwiss  于 2021-06-29  发布在  Java
关注(0)|答案(3)|浏览(407)

这个问题在这里已经有了答案

注册为Springbean时过滤调用两次(1个应答)
15天前关门了。
我们面临一个springsecurity忽略方法的问题。我们尝试跳过一些URL(acutator/health)和资源的身份验证。身份验证在外部进行,我们有一个自定义过滤器来提取授权原则。
我们覆盖配置的方法,如下所示:

public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**", "/actuator/health");
}
protected void configure(HttpSecurity http) throws Exception {
         http.addFilter(cutstomFilter).authorizeRequests()
        .antMatchers("/add","/update","/upload").hasAuthority("ADMIN").anyRequest().authenticated()
        .and().logout().logoutSuccessUrl("/logoutUser").and()
        .exceptionHandling().accessDeniedPage("/accessDenied").and().csrf().disable();
    }

在给定的实现中,我们的customfilter被调用以获取资源和健康url。由于原理更改,这将导致重新验证。
我们尝试添加这段代码,但是customfilter也会被调用。

http.authorizeRequests().antMatchers("/actuator/health").permitAll()

注意:检查了@rob winch答案,但不明白为什么我们需要一个自定义文件管理器,如果我们把这些网址在忽略列表。https://stackoverflow.com/a/19985323/2138633

1l5u6lss

1l5u6lss1#

更新:请参阅@dur的评论,它可能会解决问题,而不会有重大改变。

To make it clear, your first security configuration is correct. Your problem 
is that your filter is used as a servlet filter not only as a security chain 
filter. Spring Boot does this autmatically, if you expose your filter.

https://stackoverflow.com/a/39314867/14072498
op提到了致动器端点。我们来看看医生:https://spring.io/guides/topicals/spring-security-architecture
医生说:

If you want your application security rules to apply to the actuator 
endpoints, you can add a filter chain that is ordered earlier than the 
actuator one and that has a request matcher that includes all actuator 
endpoints.

doc建议将config分为 WebSecurityConfigurerAdapter .
在下面的配置示例中,您应该对 MainAppConfigurerAdapter .
“多Spring引导安全配置”示例:https://medium.com/@igor.bonny/multiple-spring-boot-security-configuration-c876f1b6061eSpring
要跳过其他端点的身份验证,请添加

.and()
.authorizeRequests().anyRequest().permitAll();

到应用程序链的末端,如下所示。
要验证安全设置,请为所有端点添加集成测试。

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration {

  @Configuration
  @Order(ManagementServerProperties.BASIC_AUTH_ORDER - 1)
  public class ActuatorConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Override
      protected void configure(HttpSecurity http) {
          http.antMatcher("/actuator/**")
          ...
      }
  }

  @Configuration
  @Order(SecurityProperties.DEFAULT_FILTER_ORDER)
  public class MainAppConfigurerAdapter extends WebSecurityConfigurerAdapter {
      @Override
      protected void configure(HttpSecurity http) {
          http.antMatcher("/api/**")
          ...
      }
  }
}
bwitn5fc

bwitn5fc2#

一种方法是在安全配置和从身份验证中提取主体的自定义过滤器中使用模式。您可以按以下步骤进行:
声明忽略模式:

static final String[] IGNORE_PATTERNS = new String[] { "**/*.js", "**/*.css", "/resources/**"};

声明允许所有模式:

static final String[] PERMIT_ALL_PATTERNS = new String[] { "/login", "/logout", "/health"};

在中使用忽略的模式 WebSecurity :

web.ignoring().antMatchers(IGNORE_PATTERNS);

使用允许的所有模式 HttpSecurity :

http.authorizeRequests().antMatchers(PERMIT_ALL_PATTERNS).permitAll().anyRequest().authenticated().and() ...

宣布 RequestMatcher 在过滤器中:

List<RequestMatcher> matchers = new ArrayList<>();
 for (String pattern : IGNORE_PATTERNS) {
     matchers.add(new AntPathRequestMatcher(pattern));
 }
 for (String pattern : PERMIT_ALL_PATTERNS) {
     matchers.add(new AntPathRequestMatcher(pattern));
 }

 RequestMatcher ignoreRequestMatcher = new OrRequestMatcher(matchers);

在中使用请求匹配器 doFilter 过滤方法:

if (ignoreRequestMatcher.matches((HttpServletRequest) request)) {
 /* skip this filter */
 chain.doFilter(request, response);
 return;  } /* rest of the filter code below */
hk8txs48

hk8txs483#

跟随https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-准备好端点安全,您应该:
添加到属性文件
management.endpoints.web.exposure.include包括=*
更新您的安全配置

@Configuration(proxyBeanMethods = false)
  public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
      http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
          requests.anyRequest().permitAll());
      }
  }

相关问题