在java config中添加http安全filter
我试图在春季添加网络安全性,但我不希望filter适用于某些事情。 怎么在java中完成?
也许还有一种更好的方法可以做到这一点,因为我创建了一个自定义filter,但这是我认为实例化它的唯一方法,因为它的依赖性。
总的来说,我想要做的是:
/resources/**不应该通过filter, /login (POST)不应该通过filter,其他一切都应该通过filter
通过我在spring发现的各种例子我能够想出一个开始,但它显然不起作用:
@Configuration @EnableWebSecurity @Import(MyAppConfig.class) public class MySecurityConfig extends WebSecurityConfigurerAdapter { @Override public void configure(WebSecurity webSecurity) throws Exception { webSecurity.ignoring().antMatchers("/resources/**"); } @Override public void configure(HttpSecurity httpSecurity) throws Exception { httpSecurity .authorizeRequests() .antMatchers("/resources/**").permitAll() .antMatchers("/login").permitAll(); httpSecurity.httpBasic(); httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); } @Bean @Autowired public TokenFilterSecurityInterceptor tokenInfoTokenFilterSecurityInterceptor(MyTokenUserInfoCache userInfoCache, ServerStatusService serverStatusService, HttpSecurity httpSecurity) throws Exception { TokenService tokenService = new TokenServiceImpl(userInfoCache); TokenFilterSecurityInterceptor tokenFilter = new TokenFilterSecurityInterceptor(tokenService, serverStatusService, "RUN_ROLE"); httpSecurity.addFilter(tokenFilter); return tokenFilter; } }
您是否对所有Spring Security忽略URL感兴趣,或者您是否只希望该特定filter忽略该请求? 如果您希望所有Spring Security都忽略该请求,可以使用以下命令完成:
@Configuration @EnableWebSecurity @Import(MyAppConfig.class) public class MySecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private MyTokenUserInfoCache userInfoCache; @Autowired private ServerStatusService serverStatusService; @Override public void configure(WebSecurity webSecurity) throws Exception { webSecurity .ignoring() // All of Spring Security will ignore the requests .antMatchers("/resources/**") .antMatchers(HttpMethod.POST, "/login"); } @Override public void configure(HttpSecurity http) throws Exception { http .addFilter(tokenInfoTokenFilterSecurityInterceptor()) .authorizeRequests() // this will grant access to GET /login too do you really want that? .antMatchers("/login").permitAll() .and() .httpBasic().and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS); } @Bean public TokenFilterSecurityInterceptor tokenInfoTokenFilterSecurityInterceptor() throws Exception { TokenService tokenService = new TokenServiceImpl(userInfoCache); return new TokenFilterSecurityInterceptor (tokenService, serverStatusService, "RUN_ROLE"); } }
如果您只想让特定的Filter忽略特定请求,您可以执行以下操作:
@Configuration @EnableWebSecurity @Import(MyAppConfig.class) public class MySecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private MyTokenUserInfoCache userInfoCache; @Autowired private ServerStatusService serverStatusService; @Override public void configure(WebSecurity webSecurity) throws Exception { webSecurity .ignoring() // ... whatever is here is ignored by All of Spring Security } @Override public void configure(HttpSecurity http) throws Exception { http .addFilter(tokenInfoTokenFilterSecurityInterceptor()) .authorizeRequests() // this will grant access to GET /login too do you really want that? .antMatchers("/login").permitAll() .and() .httpBasic().and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS); } @Bean public TokenFilterSecurityInterceptor tokenInfoTokenFilterSecurityInterceptor() throws Exception { TokenService tokenService = new TokenServiceImpl(userInfoCache); TokenFilterSecurityInterceptor tokenFilter new TokenFilterSecurityInterceptor (tokenService, serverStatusService, "RUN_ROLE"); RequestMatcher resourcesMatcher = new AntPathRequestMatcher("/resources/**"); RequestMatcher posLoginMatcher = new AntPathRequestMatcher("/login", "POST"); RequestMatcher ignored = new OrRequestMatcher(resourcesMatcher, postLoginMatcher); return new DelegateRequestMatchingFilter(ignored, tokenService); } } public class DelegateRequestMatchingFilter implements Filter { private Filter delegate; private RequestMatcher ignoredRequests; public DelegateRequestMatchingFilter(RequestMatcher matcher, Filter delegate) { this.ignoredRequests = matcher; this.delegate = delegate; } public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) { HttpServletRequest request = (HttpServletRequest) req; if(ignoredRequests.matches(request)) { chain.doFilter(req,resp,chain); } else { delegate.doFilter(req,resp,chain); } } }
1在我使用的spring-security的xml配置中
从安全检查中检索它。
2之后在spring配置中添加mvc:resource标签
重要提示:只有在调度程序servlet处理url时,此配置才有效。 这意味着在web.xml中你必须拥有
dispatcher /