Spring Security multiple URL ruleset not working together
Question
I have an HTTP Spring Security configuration that appears to work when I comment out each individual aspect, but it doesn't work when I combine the Spring Security rules together, so I know the problem is not with the regexMatcher or the antMatcher but with the rules applied in combination.
Here is my Spring Security class:
package com.driver.website.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.util.matcher.RequestMatcher;

import javax.servlet.http.HttpServletRequest;
import java.security.AccessControlContext;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${widget.headers.xframeoptions.domains.allowed}")
    private String allowedXFrameOptions;

    @Value("${widget.headers.origins.allowed}")
    private String allowedOrigins;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        // Login handling and access rules for the whole application
        http.exceptionHandling().accessDeniedPage("/login")
            .and()
            .formLogin().loginPage("/login").defaultSuccessUrl("/myaccount", true).permitAll()
            .and()
            .authorizeRequests()
            .antMatchers("/**").permitAll();

        // Rule 1 ("For all urls"): every URL except /widget and /assistedSearch
        // should get X-Frame-Options: SAMEORIGIN
        http.regexMatcher("^((?!(/widget|/assistedSearch)).)*$")
            .headers().frameOptions().disable()
            .regexMatcher("^((?!(/widget|/assistedSearch)).)*$")
            .headers()
            .xssProtection()
            .contentTypeOptions()
            .addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS", "SAMEORIGIN"));

        // Rule 2: /widget should get X-Frame-Options: ALLOW-FROM <allowed domains>
        http.antMatcher("/widget")
            .headers()
            .frameOptions()
            .disable()
            .antMatcher("/widget")
            .headers()
            .addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS", "ALLOW-FROM " + allowedXFrameOptions));

        // Rule 3: /widget and /assistedSearch should get the CORS response headers
        http.requestMatchers().antMatchers("/assistedSearch", "/widget")
            .and()
            .headers()
            .addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Origin", allowedOrigins))
            .addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Methods", "GET, POST"))
            .addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Headers", "Content-Type"));
        // @formatter:on
    }
}
The rules should be...
- For all URLs except /widget and /assistedSearch we should add the SAMEORIGIN X-Frame-Options header
- For the /widget endpoint we should add the X-Frame-Options: ALLOW-FROM header
- For the /widget and /assistedSearch endpoints we should add the Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers headers
As I mentioned above, if I comment out the "For all urls" ruleset then the other two work in unison, but with the "For all urls" rule uncommented none of the headers appear.
Does anyone have any ideas why this might be? How do you add multiple rulesets in Spring Security and override existing rulesets with new ones?
I tried:
    http.antMatcher("/widget")
        .headers()
        .frameOptions()
        .disable()
Which again appears to work on its own but not in combination.
Thanks in advance!
Recommended answer
You override your previous matchers, see HttpSecurity.html#antMatcher:
Invoking antMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).
and HttpSecurity.html#regexMatcher:
Invoking regexMatcher(String) will override previous invocations of mvcMatcher(String), requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).
If you want multiple HttpSecurity, see the Spring Security Reference:
We can configure multiple HttpSecurity instances just as we can have multiple <http> blocks. The key is to extend the WebSecurityConfigurerAdapter multiple times. For example, the following is an example of having a different configuration for URLs that start with /api/.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class MultiHttpSecurityConfig {

    // Shared in-memory users for both filter chains
    // (Spring Security 5+ requires an encoder id on the password, e.g. "{noop}password")
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER").and()
                .withUser("admin").password("password").roles("USER", "ADMIN");
    }

    // Ordered first so that /api/** requests are handled by this chain
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Restricts this HttpSecurity to URLs that start with /api/
                .antMatcher("/api/**")
                .authorizeRequests()
                    .anyRequest().hasRole("ADMIN")
                    .and()
                .httpBasic();
        }
    }

    // No @Order, so the default order applies and this chain is consulted last
    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}