Spring Security: antMatchers does not match URL patterns

Out of the blue, the security of my application has broken. It does not match the patterns in antMatchers(<patterns>).permitAll() and tries to authenticate all URLs. Code:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

// HeaderPreAuthProcessingFilter and CustomUserDetailsService are the application's
// own classes (not shown in the question); they are assumed to be in this package.

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Collaborators used below but not declared in the posted snippet.
    // The type of userService is not shown in the question, so it is a placeholder.
    @Autowired
    private UserService userService; // type assumed
    @Autowired
    private AuthenticationEntryPoint httpAuthenticationEntryPoint;
    @Autowired
    private AuthenticationSuccessHandler authSuccessHandler;
    @Autowired
    private AuthenticationFailureHandler authFailureHandler;
    @Autowired
    private LogoutSuccessHandler logoutSuccessHandler;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(preauthAuthProvider());
    }

    @Bean
    public PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
        PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider();
        preauthAuthProvider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
        return preauthAuthProvider;
    }

    // Pre-authentication filter that reads the principal from the "user_id" request header.
    // Note: a Filter exposed as a @Bean is also registered with the servlet container by
    // Spring Boot, in addition to its place in the Spring Security chain below.
    @Bean
    public HeaderPreAuthProcessingFilter ssoFilter() throws Exception {
        HeaderPreAuthProcessingFilter filter = new HeaderPreAuthProcessingFilter();
        filter.setPrincipalRequestHeader("user_id");
        CustomUserDetailsService userDetSer = new CustomUserDetailsService();
        userDetSer.setUserService(userService);
        filter.setExceptionIfHeaderMissing(false);
        filter.setCustomUserDetailsService(userDetSer);
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    @Bean
    public UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper() {
        CustomUserDetailsService userDetSer = new CustomUserDetailsService();
        userDetSer.setUserService(userService);
        UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<>();
        wrapper.setUserDetailsService(userDetSer);
        return wrapper;
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .addFilterBefore(ssoFilter(), RequestHeaderAuthenticationFilter.class)
            .authenticationProvider(preauthAuthProvider());
        httpSecurity
            .exceptionHandling()
                .authenticationEntryPoint(httpAuthenticationEntryPoint)
                .and()
            .authorizeRequests()
                // Authorization rules: these URLs need no authenticated principal.
                .antMatchers("/resources/**", "/", "/applogin", "/login", "/logout", "/verify**", "/verify/**", "/pub/**")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
            .formLogin()
                .loginPage("/signin")
                .loginProcessingUrl("/signin")
                .failureUrl("/signin?error")
                .permitAll()
                .successHandler(authSuccessHandler)
                .failureHandler(authFailureHandler)
                .and()
            .logout()
                .logoutUrl("/signout").invalidateHttpSession(true).permitAll()
                .logoutSuccessHandler(logoutSuccessHandler)
                .and()
            .csrf().disable();
    }
}
I am trying to access {{url}}/applogin. Below are the logs:
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 17458 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
DEBUG 17458 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]49168180
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', GET]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'GET /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', POST]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/applogin'; against '/signout'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', PUT]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'PUT /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', DELETE]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'DELETE /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 5 of 12 in additional filter chain; firing Filter: 'HeaderPreAuthProcessingFilter'
INFO 17458 --- [nio-8080-exec-1] t.l.c.w.HeaderPreAuthProcessingFilter : Authenticating [POST /applogin]
...
< application logs >
...
DEBUG 17458 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG 17458 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Successfully completed request
I think the filter order is wrong. I am using Spring Security version 4.2.1.
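Added example, not code from the question or its project: permitAll() is an authorization rule evaluated by FilterSecurityInterceptor at the end of the chain, so every filter registered with addFilterBefore() still runs for /applogin, which is what the log shows at position 5. If the pre-authentication filter should not even look at the user_id header on public URLs, that exclusion has to be expressed on the filter itself with a RequestMatcher. The class name, the constructor and the use of RequestHeaderAuthenticationFilter as the base class (suggested by the posted configuration) are assumptions; Spring Security 4.2 and the servlet API are assumed.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Assumed class: a header pre-authentication filter that is skipped entirely for
 * the public URL patterns. permitAll() only decides authorization; skipping the
 * filter is a separate decision and is made here with a RequestMatcher.
 */
public class ScopedHeaderPreAuthFilter extends RequestHeaderAuthenticationFilter {

    private final RequestMatcher publicUrls;

    /** The patterns passed in should mirror the antMatchers(...).permitAll() list. */
    public ScopedHeaderPreAuthFilter(String... publicPatterns) {
        List<RequestMatcher> matchers = new ArrayList<>();
        for (String pattern : publicPatterns) {
            matchers.add(new AntPathRequestMatcher(pattern));
        }
        this.publicUrls = new OrRequestMatcher(matchers);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (publicUrls.matches((HttpServletRequest) request)) {
            // Public endpoint: the user_id header is not consulted at all and the
            // request continues down the chain; the authorization rules permit it.
            chain.doFilter(request, response);
            return;
        }
        // Everything else goes through the normal header pre-authentication.
        super.doFilter(request, response, chain);
    }
}
```

In ssoFilter() this would be created as new ScopedHeaderPreAuthFilter("/resources/**", "/", "/applogin", "/login", "/logout", "/verify**", "/verify/**", "/pub/**") and configured with the same setters as before.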
What did you change? I would say it never worked. There is a difference between authentication and authorization. Your 'HeaderPreAuthProcessingFilter' does the authentication (too broadly), and Spring does the authentication configured in your configuration. – dur

Are you saying the code is buggy? The application has actually been running for more than a year, but I got hold of it a few weeks ago. I changed the code a little to improve the code standards. But I am not strong in Spring Security. Hence the problem. – shyam

There is nothing more than refactoring in 'HeaderPreAuthProcessingFilter'. – shyam