java 使用 Spring Security Filter 锁定除少数路由之外的所有内容
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/29522669/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Use Spring Security Filter to lock down everything except a few routes
提问by David Welch
We're reworking our product to remove the default "anonymousUser" behavior in SpringSecurity and would like to lock down all URLs (via filter security) with the exception of just a few endpoints. What we can't figure out is how to specify "lock down everything except X, Y, and Z"
我们正在修改我们的产品以删除 SpringSecurity 中默认的“anonymousUser”行为,并希望锁定所有 URL(通过过滤器安全性),只有几个端点除外。我们想不通的是如何指定“锁定除 X、Y 和 Z 之外的所有内容”
Our security setup essentially boils down to the following:
我们的安全设置基本上归结为以下几点:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// disable anonymous users
.anonymous().disable()
// don't add ROLE_ to the role...
.authorizeRequests()
.regexMatchers("^/", "^/login", "^/mobile/login", "^/api/auth/.*")
.authenticated()
.and()
;
}
}
Other routes I've taken have been akin to :
我采取的其他路线类似于:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// disable anonymous users
.anonymous().disable()
// don't add ROLE_ to the role...
.authorizeRequests()
.antMatchers("/**")
.authenticated()
.antMatchers("/", "/login", "/mobile/login", "/api/auth/**", "/reservations/**")
.permitAll()
.and()
;
}
}
Any advice / input would be appreciated.
任何建议/意见将不胜感激。
Thanks!
谢谢!
回答by Rob Winch
We're reworking our product to remove the default "anonymousUser" behavior in SpringSecurity
我们正在重新设计我们的产品以删除 SpringSecurity 中默认的“anonymousUser”行为
I'm wondering what you mean by this. Based on the rest of the description, I don't think you need the following (i.e. you should remove it):
我想知道你这是什么意思。根据其余的描述,我认为您不需要以下内容(即您应该将其删除):
anonymous().disabled()
The above says that the user will be null if no user is authenticated, which tends to lead to NullPointerExceptions
上面说如果没有用户认证,用户就会为null,这往往会导致NullPointerExceptions
Remember that for authorizeRequests() (or for intercept-url), ordering matters. The java configuration you have (reformatted slightly for readability)
请记住,对于 authorizeRequests()(或对于intercept-url),排序很重要。您拥有的 java 配置(为了可读性稍微重新格式化)
.authorizeRequests()
.antMatchers("/**").authenticated()
.antMatchers("/", "/login", "/mobile/login", "/api/auth/**", "/reservations/**").permitAll()
.and()
is going to use the following logic:
将使用以下逻辑:
- Does this request match "/**"?
- Yes, everything matches "/**". So every request requires the user to be authenticated.
- Ignore every other rule because we already matched
- 此请求是否与“/**”匹配?
- 是的,一切都匹配“/**”。因此,每个请求都需要对用户进行身份验证。
- 忽略所有其他规则,因为我们已经匹配
Instead you should use the following:
相反,您应该使用以下内容:
.authorizeRequests()
.antMatchers("/", "/login", "/mobile/login", "/api/auth/**", "/reservations/**").permitAll()
.anyRequest().authenticated()
.and()
- Does the request match "/", or "/login", or ...?
- If yes, then anyone is allowed to access it and STOP (no more rules are used).
- If the request does not match, then continue.
- Does the request match any request?
- Yes, so if the request does not match a previous rule, then it will require the user to be authenticated.
- 请求是否与“/”、“/login”或...匹配?
- 如果是,则任何人都可以访问它并停止(不再使用规则)。
- 如果请求不匹配,则继续。
- 请求是否与任何请求匹配?
- 是的,所以如果请求与之前的规则不匹配,那么它将要求用户进行身份验证。
NOTE: antMatchers("/**") is more concisely represented as anyRequest()
注意:antMatchers("/**") 更简洁地表示为 anyRequest()
回答by danlangford
The answer from Rob Winch will be the correct answer in nearly all cases and is the approach that I take in my projects. I do think that it is also worth noting that another possible approach could be to do the following:
Rob Winch 的答案几乎在所有情况下都是正确的答案,也是我在项目中采用的方法。我确实认为还值得注意的是,另一种可能的方法是执行以下操作:
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/assets/**", "/index.html");
}
PLEASE NOTEthat this is a separate method from the one in the examples you submitted earlier. that method has a parameter of type
HttpSecuritywhile this one is of typeWebSecurity
请注意,这是与您之前提交的示例中的方法不同的方法。该方法有一个类型的参数,
HttpSecurity而这个是类型的WebSecurity
what that code sample will do is find any requests that match and completely skip the http security filters all together. so if you want to optimize some requests that you know will need ZERO of the features that HttpSecurityprovides then this could be a good solution. This means that if you use features like csrf(), requestCache(), headers()they WILL NOT be applied to the matching requests from the example above ("/assets/**", "/index.html")
该代码示例将查找所有匹配的请求并完全跳过 http 安全过滤器。因此,如果您想优化一些您知道需要零功能的请求,HttpSecurity那么这可能是一个很好的解决方案。这意味着,如果使用的功能,例如csrf(),requestCache(),headers()它们将不被从上述(“/资产/ **”,“/index.htm”明明)的例子中施加到匹配请求
回答by Gann14
If you use the security.xml I know you can do something like this
如果你使用 security.xml 我知道你可以做这样的事情
<http use-expressions="true" entry-point-ref="authenticationEntryPoint">
<custom-filter position="BASIC_AUTH_FILTER" ref="loginFilter" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/mobile/login" access="permitAll" />
<intercept-url pattern="/api/auth/**" access="fullyAuthenticated" />
<intercept-url pattern="/**" access="fullyAuthenticated" />
<logout success-handler-ref="logoutHandler" />
</http>
What this does is it allows anyone to access login or mobile/login but only allows people fully authenticated to access api/auth or anything else on the site
它的作用是允许任何人访问登录或移动/登录,但只允许完全通过身份验证的人访问 api/auth 或网站上的任何其他内容
<intercept-url pattern="/api/auth/**" access="fullyAuthenticated" />
This line could be removed and the same functionality would work. It start from top to bottom so anything permitted at the top takes precedence.
可以删除该行,并且可以使用相同的功能。它从上到下开始,因此顶部允许的任何内容都优先。
