Spring Security 在安全注释配置中排除 url 模式 [英] Spring Security exclude url patterns in security annotation configurartion
本文介绍了Spring Security 在安全注释配置中排除 url 模式的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有使用 java 配置方法配置 Spring 安全性的 Spring Web 应用程序.我想从身份验证中排除一些 URL 模式(例如:静态资源等).我之前使用 spring security xml 配置完成了此操作,但无法使用 java 配置弄清楚,因为添加 antmatchers 无济于事.
以下是我在扩展 WebSecurityConfigurerAdapter 的安全配置类中添加的代码
@Override公共无效配置(HttpSecurity http)抛出异常{http.authorizeRequests().antMatchers("/authFailure").permitAll().anyRequest().认证().和().httpBasic().和().authenticationProvider(_provider).sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).和().addFilter(authFilter()).addFilterAfter(executionContextFilter(),TokenBasedSecurityFilter.class).csrf().disable();}我使用的 spring 安全版本是 3.2.0.预先感谢您的帮助
我在点击排除的 URL 时得到的堆栈跟踪,
org.springframework.security.authentication.AuthenticationServiceException: Authorization Header 在请求中不可用在 com.inventory.ricemill.tba.spring.TokenBasedSecurityFilter.doFilter(TokenBasedSecurityFilter.java:59)在 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)在 org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)在 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)在 org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)在 org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)在 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)在 org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)在 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)在 org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)在 org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)在 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)在 org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)在 org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)在 org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)在 org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)在 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)在 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)在 org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)在 org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)在 org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)在 org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)在 org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)在 org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)在 org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)在 org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)在 org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)在 org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)在 org.apache.tomcat.util.net.JioEndpoint$SocketProcessor.run(JioEndpoint.java:310)在 java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)在 java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)在 java.lang.Thread.run(Thread.java:744)2014 年 4 月 1 日下午 10:18:41 org.apache.catalina.core.StandardWrapperValve 调用严重:Servlet [Inventory] 的 Servlet.service() 在路径为 [/ricemill] 的上下文中抛出异常 [请求处理失败;嵌套异常是 org.springframework.security.authentication.AuthenticationServiceException: Authorization Header is not available in the request] 具有根本原因org.springframework.security.authentication.AuthenticationServiceException:请求中没有授权头在 com.inventory.ricemill.tba.spring.TokenBasedSecurityFilter.doFilter(TokenBasedSecurityFilter.java:59)在 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)在 org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)在 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)在 org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)在 org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)在 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)在 org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)在 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)在 org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)在 org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)在 org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)在 org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)在 org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)在 org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)在 org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)在 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)在 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)在 org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)在 org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)在 org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)在 org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)在 org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)在 org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)在 org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)在 org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)在 org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)在 org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)在 org.apache.tomcat.util.net.JioEndpoint$SocketProcessor.run(JioEndpoint.java:310)在 java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)在 java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)在 java.lang.Thread.run(Thread.java:744)请求通过在 spring 安全过滤器链中注册的过滤器,而它不应该,因为请求被 antmatcher 忽略
解决方案
在 Github 发布的 Spring 安全示例中找到了解决方案.
@Override公共无效配置(WebSecurity web)抛出异常{web.ignoring().antMatchers("/authFailure");}见 Spring 安全示例 了解更多详情
I have spring web application with Spring security configured using java config approach. I want to exclude some URL patterns from authentication(eg: static resources etc..). I have done this earlier with spring security xml config but couldn't figure out with java config as adding antmatchers doesn't help.
Following is my code added in security config class extending WebSecurityConfigurerAdapter
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/authFailure")
.permitAll()
.anyRequest()
.authenticated()
.and()
.httpBasic()
.and()
.authenticationProvider(_provider)
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilter(authFilter())
.addFilterAfter(executionContextFilter(),
TokenBasedSecurityFilter.class).csrf().disable();
}
The spring security version that I use is 3.2.0. Thanks in advance for helping
Edit:
The stacktrace that I got while hitting the excluded URL,
org.springframework.security.authentication.AuthenticationServiceException: Authorization Header is not available in the request
at com.inventory.ricemill.tba.spring.TokenBasedSecurityFilter.doFilter(TokenBasedSecurityFilter.java:59)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Apr 01, 2014 10:18:41 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Inventory] in context with path [/ricemill] threw exception [Request processing failed; nested exception is org.springframework.security.authentication.AuthenticationServiceException: Authorization Header is not available in the request] with root cause
org.springframework.security.authentication.AuthenticationServiceException: Authorization Header is not available in the request
at com.inventory.ricemill.tba.spring.TokenBasedSecurityFilter.doFilter(TokenBasedSecurityFilter.java:59)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
The request goes through the filters registered in spring security filter chain, while it shouldn't as the request is ignored with antmatcher
解决方案
Found the solution in Spring security examples posted in Github.
WebSecurityConfigurerAdapter has a overloaded configure message that takes WebSecurity as argument which accepts ant matchers on requests to be ignored.
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/authFailure");
}
See Spring Security Samples for more details
这篇关于Spring Security 在安全注释配置中排除 url 模式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
