在java配置中添加http安全过滤器
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19917671/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Add http security filter in java config
提问by jensengar
I'm trying to add web security in spring but I don't want the filter to apply to certain things. How is that done in java?
我正在尝试在 spring 中添加网络安全,但我不希望过滤器应用于某些事情。在java中是如何完成的?
And maybe there's a better way to do this because I created a custom filter but this is the only way I can think to instantiate it because of its dependencies.
也许有更好的方法来做到这一点,因为我创建了一个自定义过滤器,但由于它的依赖关系,这是我能想到的实例化它的唯一方法。
Overall, what I want to do is this:
总的来说,我想做的是:
/resources/**SHOULD NOT go through the filter,
/login(POST) SHOULD NOT go through the filter,
everything else SHOULD go through the filter
/resources/**不应该通过过滤器,
/login(POST)不应该通过过滤器,其他一切都应该通过过滤器
Through various example I found through spring I was able to come up with this as for a start but it obviously doesn't work:
通过各种例子,我在春天发现我能够想出这个作为开始,但它显然不起作用:
@Configuration
@EnableWebSecurity
@Import(MyAppConfig.class)
public class MySecurityConfig extends WebSecurityConfigurerAdapter
{
@Override
public void configure(WebSecurity webSecurity) throws Exception
{
webSecurity.ignoring().antMatchers("/resources/**");
}
@Override
public void configure(HttpSecurity httpSecurity) throws Exception
{
httpSecurity
.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.antMatchers("/login").permitAll();
httpSecurity.httpBasic();
httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Bean
@Autowired
public TokenFilterSecurityInterceptor<TokenInfo> tokenInfoTokenFilterSecurityInterceptor(MyTokenUserInfoCache userInfoCache, ServerStatusService serverStatusService, HttpSecurity httpSecurity) throws Exception
{
TokenService<TokenInfo> tokenService = new TokenServiceImpl(userInfoCache);
TokenFilterSecurityInterceptor<TokenInfo> tokenFilter = new TokenFilterSecurityInterceptor<TokenInfo>(tokenService, serverStatusService, "RUN_ROLE");
httpSecurity.addFilter(tokenFilter);
return tokenFilter;
}
}
回答by mvb13
1 In xml configuration of spring-security I use
1 在我使用的 spring-security 的 xml 配置中
<http pattern="/resources/**" security="none"/>
<http use-expressions="true">
<intercept-url pattern="/login" access="permitAll"/>
</http>
to retrieve it from security check.
从安全检查中检索它。
2 After that add mvc:resourcetag in your spring configuration
2 然后mvc:resource在你的弹簧配置中添加标签
<mvc:resources mapping="/resource/**" location="/resource/"/>
Important: this config will only work if url is handled by dispatcher servlet. This means that in web.xml you must have
重要提示:此配置仅在 url 由调度程序 servlet 处理时才有效。这意味着在 web.xml 你必须有
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
回答by Rob Winch
Are you interested in all of Spring Security ignoring the URLs or do you only want that specific filter to ignore the request? If you want all of Spring Security to ignore the request it can be done using the following:
您是否对忽略 URL 的所有 Spring Security 感兴趣,还是只希望该特定过滤器忽略请求?如果您希望所有 Spring Security 忽略请求,可以使用以下方法完成:
@Configuration
@EnableWebSecurity
@Import(MyAppConfig.class)
public class MySecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private MyTokenUserInfoCache userInfoCache;
@Autowired
private ServerStatusService serverStatusService;
@Override
public void configure(WebSecurity webSecurity) throws Exception
{
webSecurity
.ignoring()
// All of Spring Security will ignore the requests
.antMatchers("/resources/**")
.antMatchers(HttpMethod.POST, "/login");
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.addFilter(tokenInfoTokenFilterSecurityInterceptor())
.authorizeRequests()
// this will grant access to GET /login too do you really want that?
.antMatchers("/login").permitAll()
.and()
.httpBasic().and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Bean
public TokenFilterSecurityInterceptor<TokenInfo> tokenInfoTokenFilterSecurityInterceptor() throws Exception
{
TokenService<TokenInfo> tokenService = new TokenServiceImpl(userInfoCache);
return new TokenFilterSecurityInterceptor<TokenInfo>(tokenService, serverStatusService, "RUN_ROLE");
}
}
If you want to have only that specific Filter ignore particular requests you can do something like this:
如果您只想让特定过滤器忽略特定请求,您可以执行以下操作:
@Configuration
@EnableWebSecurity
@Import(MyAppConfig.class)
public class MySecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private MyTokenUserInfoCache userInfoCache;
@Autowired
private ServerStatusService serverStatusService;
@Override
public void configure(WebSecurity webSecurity) throws Exception
{
webSecurity
.ignoring()
// ... whatever is here is ignored by All of Spring Security
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.addFilter(tokenInfoTokenFilterSecurityInterceptor())
.authorizeRequests()
// this will grant access to GET /login too do you really want that?
.antMatchers("/login").permitAll()
.and()
.httpBasic().and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Bean
public TokenFilterSecurityInterceptor<TokenInfo> tokenInfoTokenFilterSecurityInterceptor() throws Exception
{
TokenService<TokenInfo> tokenService = new TokenServiceImpl(userInfoCache);
TokenFilterSecurityInterceptor tokenFilter new TokenFilterSecurityInterceptor<TokenInfo>(tokenService, serverStatusService, "RUN_ROLE");
RequestMatcher resourcesMatcher = new AntPathRequestMatcher("/resources/**");
RequestMatcher posLoginMatcher = new AntPathRequestMatcher("/login", "POST");
RequestMatcher ignored = new OrRequestMatcher(resourcesMatcher, postLoginMatcher);
return new DelegateRequestMatchingFilter(ignored, tokenService);
}
}
public class DelegateRequestMatchingFilter implements Filter {
private Filter delegate;
private RequestMatcher ignoredRequests;
public DelegateRequestMatchingFilter(RequestMatcher matcher, Filter delegate) {
this.ignoredRequests = matcher;
this.delegate = delegate;
}
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) {
HttpServletRequest request = (HttpServletRequest) req;
if(ignoredRequests.matches(request)) {
chain.doFilter(req,resp,chain);
} else {
delegate.doFilter(req,resp,chain);
}
}
}
![Java 没有可用于处理 [appName:,modulename:HelloWorldSessionBean,distinctname:] 的 EJB 接收器](/res/img/loading.gif)