1
Исключительно безопасность моего приложения нарушена. Он не соответствует шаблонам в antMatchers.(<patterns>).permitAll() и пытается аутентифицировать все URL-адреса. Код нижеВесенняя безопасность: antMatchers, не соответствующие шаблону URL-адреса
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(preauthAuthProvider());
}
@Bean
public PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider();
preauthAuthProvider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
return preauthAuthProvider;
}
@Bean
public HeaderPreAuthProcessingFilter ssoFilter() throws Exception {
HeaderPreAuthProcessingFilter filter = new HeaderPreAuthProcessingFilter();
filter.setPrincipalRequestHeader("user_id");
CustomUserDetailsService userDetSer = new CustomUserDetailsService();
userDetSer.setUserService(userService);
filter.setExceptionIfHeaderMissing(false);
filter.setCustomUserDetailsService(userDetSer);
filter.setAuthenticationManager(authenticationManager());
return filter;
}
@Bean
public UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper() {
CustomUserDetailsService userDetSer = new CustomUserDetailsService();
userDetSer.setUserService(userService);
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<>();
wrapper.setUserDetailsService(userDetSer);
return wrapper;
}
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.addFilterBefore(ssoFilter(), RequestHeaderAuthenticationFilter.class)
.authenticationProvider(preauthAuthProvider());
httpSecurity
.exceptionHandling()
.authenticationEntryPoint(httpAuthenticationEntryPoint)
.and()
.authorizeRequests()
.antMatchers("/resources/**", "/", "/applogin", "/login", "/logout", "/verify**", "/verify/**", "/pub/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/signin")
.loginProcessingUrl("/signin")
.failureUrl("/signin?error")
.permitAll()
.successHandler(authSuccessHandler)
.failureHandler(authFailureHandler)
.and()
.logout()
.logoutUrl("/signout").invalidateHttpSession(true).permitAll()
.logoutSuccessHandler(logoutSuccessHandler)
.and()
.csrf().disable();
}
Я пытаюсь получить доступ к {{url}}/applogin. Ниже журнал
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 17458 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
DEBUG 17458 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]49168180
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', GET]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'GET /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', POST]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/applogin'; against '/signout'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', PUT]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'PUT /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', DELETE]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'DELETE /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 5 of 12 in additional filter chain; firing Filter: 'HeaderPreAuthProcessingFilter'
INFO 17458 --- [nio-8080-exec-1] t.l.c.w.HeaderPreAuthProcessingFilter : Authenticating [POST /applogin]
...
< application logs >
...
DEBUG 17458 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG 17458 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Successfully completed request
Я использую версию Spring безопасности 4.2.1
Что вы изменили? Я бы сказал, он никогда не работал. Существует различие между аутентификацией и авторизацией. Ваш 'HeaderPreAuthProcessingFilter' делает аутентификацию (которая слишком широка), а Spring делает авторизацию (как настроено в вашей конфигурации). – dur
Значит, вы говорите, что код глючит? Приложение действительно работает уже более года, но я получил его пару недель назад. Я сделал несколько изменений в коде, пытаясь улучшить стандарты кода. Но я не сильный по весенней безопасности. Отсюда и проблемы. – shyam
Не более, чем некоторые рефакторинги в 'HeaderPreAuthProcessingFilter'. – shyam