Spring Security: multiple URL rule sets do not work together

I have an HTTP Spring Security configuration that seems to work when I comment out each aspect individually, but when I combine the Spring Security rules it does not work, so I know the problem is not with regexMatcher/antMatcher but with the rules used in combination.

Here is my Spring Security class:

    package com.driver.website.config;

    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.header.writers.StaticHeadersWriter;

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Value("${widget.headers.xframeoptions.domains.allowed}")
        private String allowedXFrameOptions;

        @Value("${widget.headers.origins.allowed}")
        private String allowedOrigins;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http.exceptionHandling().accessDeniedPage("/login")
                .and()
                .formLogin().loginPage("/login").defaultSuccessUrl("/myaccount", true).permitAll()
                .and()
                .authorizeRequests()
                    .antMatchers("/**").permitAll();

            // "For all urls" rule set: everything except /widget and /assistedSearch gets SAMEORIGIN
            // (.and() inserted so the chain compiles: frameOptions().disable() returns the headers
            // configurer, which has no regexMatcher method)
            http.regexMatcher("^((?!(/widget|/assistedSearch)).)*$")
                .headers().frameOptions().disable()
                .and()
                .regexMatcher("^((?!(/widget|/assistedSearch)).)*$")
                .headers()
                    .xssProtection().and()
                    .contentTypeOptions().and()
                    .addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS", "SAMEORIGIN"));

            // /widget rule set: ALLOW-FROM instead of the default
            http.antMatcher("/widget")
                .headers().frameOptions().disable()
                .and()
                .antMatcher("/widget")
                .headers()
                    .addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS", "ALLOW-FROM " + allowedXFrameOptions));

            // /assistedSearch and /widget rule set: CORS headers
            http.requestMatchers().antMatchers("/assistedSearch", "/widget")
                .and()
                .headers()
                    .addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Origin", allowedOrigins))
                    .addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Methods", "GET, POST"))
                    .addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Headers", "Content-Type"));
            // @formatter:on
        }
    }

The rules should be...

  • For all URLs other than /widget and /assistedSearch, we should add the SAMEORIGIN X-Frame-Options header
  • For the /widget endpoint, we should add the X-Frame-Options: ALLOW-FROM header
  • For the /widget and /assistedSearch endpoints, we should add Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers

As I mentioned above, if I comment out the "For all urls" rule set, the other two work consistently, but with the "For all urls" rule uncommented none of the headers appear.

Does anyone have any idea why this happens? How can I add multiple rule sets in Spring Security and override an existing rule set with a new one?

I tried

    http.antMatcher("/widget")
        .headers()
        .frameOptions()
        .disable()

which again seems to work on its own, but not in combination.

Thanks in advance!

You are overriding the previous matchers, see HttpSecurity.html#antMatcher:

Invoking antMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).

and HttpSecurity.html#regexMatcher:

Invoking regexMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).

If you need multiple HttpSecurity configurations, see the Spring Security Reference:

We can configure multiple HttpSecurity instances just as we can have multiple <http> blocks. The key is to extend the WebSecurityConfigurerAdapter multiple times. For example, the following is an example of having a different configuration for URLs that start with /api/.

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class MultiHttpSecurityConfig {

        // Authentication is configured once and shared by both HttpSecurity instances
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) {
            auth
                .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER").and()
                    .withUser("admin").password("password").roles("USER", "ADMIN");
        }

        // @Order(1): this WebSecurityConfigurerAdapter is considered first
        @Configuration
        @Order(1)
        public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .antMatcher("/api/**")      // this HttpSecurity only applies to URLs starting with /api/
                    .authorizeRequests()
                        .anyRequest().hasRole("ADMIN")
                        .and()
                    .httpBasic();
            }
        }

        // No @Order, so it is considered last; with no antMatcher it handles every remaining request
        @Configuration
        public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        .anyRequest().authenticated()
                        .and()
                    .formLogin();
            }
        }
    }
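Applying that pattern to the three rule sets in the question, as an added example that is not part of the original answer or the asker's project: one WebSecurityConfigurerAdapter per rule set, each with a single matcher, so nothing is overridden. The property names and the /widget and /assistedSearch paths are taken from the question; the class names, the @Order values and the corsHeaders helper are my own choices.

```java
package com.driver.website.config;

import java.util.Arrays;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.Header;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

/**
 * Added example (not the project's code). One adapter = one filter chain. A request is handled
 * by the FIRST chain, in @Order, whose matcher accepts it, so the narrow chains come first and
 * the catch-all chain last. Each chain has exactly one antMatcher, so no matcher is overridden.
 */
@Configuration
@EnableWebSecurity
public class MultiRuleSetSecurityConfig {

    // Helper (assumed name) shared by the two CORS chains. A StaticHeadersWriter always emits
    // the fixed values, regardless of the request's Origin header.
    private static HeaderWriter corsHeaders(String allowedOrigins) {
        return new StaticHeadersWriter(Arrays.asList(
                new Header("Access-Control-Allow-Origin", allowedOrigins),
                new Header("Access-Control-Allow-Methods", "GET, POST"),
                new Header("Access-Control-Allow-Headers", "Content-Type")));
    }

    /** /widget only: X-Frame-Options ALLOW-FROM instead of the default DENY, plus CORS headers. */
    @Configuration
    @Order(1)
    public static class WidgetSecurityConfig extends WebSecurityConfigurerAdapter {

        @Value("${widget.headers.xframeoptions.domains.allowed}")
        private String allowedXFrameOptions;

        @Value("${widget.headers.origins.allowed}")
        private String allowedOrigins;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/widget")                 // this chain never sees any other URL
                .authorizeRequests().anyRequest().permitAll()
                .and()
                .headers()
                    .frameOptions().disable()          // drop the default X-Frame-Options: DENY writer
                    .addHeaderWriter(new StaticHeadersWriter(
                            "X-Frame-Options", "ALLOW-FROM " + allowedXFrameOptions))
                    .addHeaderWriter(corsHeaders(allowedOrigins));
        }
    }

    /** /assistedSearch only: CORS headers. The question says nothing about its frame options,
     *  so the Spring Security default (DENY) is left in place. */
    @Configuration
    @Order(2)
    public static class AssistedSearchSecurityConfig extends WebSecurityConfigurerAdapter {

        @Value("${widget.headers.origins.allowed}")
        private String allowedOrigins;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/assistedSearch")
                .authorizeRequests().anyRequest().permitAll()
                .and()
                .headers()
                    .addHeaderWriter(corsHeaders(allowedOrigins));
        }
    }

    /** Everything else: no antMatcher, lowest precedence, SAMEORIGIN plus the form login setup. */
    @Configuration
    @Order(3)
    public static class DefaultSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.exceptionHandling().accessDeniedPage("/login")
                .and()
                .formLogin().loginPage("/login").defaultSuccessUrl("/myaccount", true).permitAll()
                .and()
                .authorizeRequests().anyRequest().permitAll()
                .and()
                .headers()
                    .frameOptions().sameOrigin();      // built-in writer, no StaticHeadersWriter needed
        }
    }
}
```

Two caveats a reviewer would raise on the headers themselves, independent of the chain ordering. X-Frame-Options: ALLOW-FROM is obsolete and ignored by current browsers; the supported equivalent is a Content-Security-Policy frame-ancestors directive (headers().contentSecurityPolicy("frame-ancestors " + allowedXFrameOptions) from Spring Security 4.1 on). And a static Access-Control-Allow-Origin value cannot list several origins (browsers reject a comma-separated list) and is sent to every caller; http.cors() with a CorsConfigurationSource bean echoes only a matching allowed origin per request and also answers preflight requests. If you would rather keep a single chain, a DelegatingRequestMatcherHeaderWriter wraps a HeaderWriter with a RequestMatcher so a writer only fires for /widget or /assistedSearch, which removes the need for multiple matchers in the first place.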