Spring Security, trailing slashes, and dots in URLs


Question

I use Spring Security 3.1.4 to secure a Spring MVC 3.2.4 application deployed to Tomcat. I have the following Spring Security configuration:

<http auto-config="true" use-expressions="true">
   <http-basic />
   <logout ... />
   <form-login ... />

   <intercept-url pattern="/" access="isAnonymous() or hasRole('ROLE_USER')" />
   <intercept-url pattern="/about" access="isAnonymous() or hasRole('ROLE_USER')" />
   <intercept-url pattern="/login" access="isAnonymous() or hasRole('ROLE_USER')" />
   <intercept-url pattern="/under-construction" access="isAnonymous() or hasRole('ROLE_USER')" />
   <intercept-url pattern="/admin-task*" access="hasRole('ROLE_USER') and hasRole('ROLE_ADMINISTRATOR')" />
   <intercept-url pattern="/resources/**" access="isAnonymous() or hasRole('ROLE_USER')" />
   <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
</http>

I noticed that URL patterns without a trailing slash (e.g., /about) do not match URLs with a trailing slash (e.g., /about/) and vice-versa. In other words, a URL with a slash and an identical URL without a slash are treated as two different URLs by Spring Security. The problem could be fixed by using two security rules:

<intercept-url pattern="/about" access="isAnonymous() or hasRole('ROLE_USER')" />
<intercept-url pattern="/about/" access="isAnonymous() or hasRole('ROLE_USER')" />

Is there a better solution?

I know that path-type="regex" allows to define URL patterns with regular expressions, but I would like to avoid any unnecessary complexity if it's possible.

Update

As Adam Gent noted, there is an additional problem that involves URLs with a dot: /about.foo and /about are treated as the same URL by Spring MVC. However, Spring Security treats them as two different URLs. So, one more security rule may be necessary:

<intercept-url pattern="/about.*" .../>
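The mismatch described in the question, as an added illustration that is not part of the original post: a Python model that applies simplified Ant matching to the question's intercept-url rules, in declaration order, and checks whether the trailing-slash and suffix aliases that Spring MVC's default matcher accepts fall under the same security rule as the path itself. The handler paths and the `.foo` suffix are constructed sample input.

```python
import re

# The question's <intercept-url> rules in declaration order; Spring Security
# applies the first pattern that matches the request path.
RULES = [
    ("/", "isAnonymous() or hasRole('ROLE_USER')"),
    ("/about", "isAnonymous() or hasRole('ROLE_USER')"),
    ("/login", "isAnonymous() or hasRole('ROLE_USER')"),
    ("/under-construction", "isAnonymous() or hasRole('ROLE_USER')"),
    ("/admin-task*", "hasRole('ROLE_USER') and hasRole('ROLE_ADMINISTRATOR')"),
    ("/resources/**", "isAnonymous() or hasRole('ROLE_USER')"),
    ("/**", "hasRole('ROLE_USER')"),
]
# Constructed sample: paths the application's MVC controllers actually map.
HANDLER_PATHS = ["/about", "/admin-task", "/resources/app.js"]

_TOKEN = re.compile(r"/\*\*|\*\*|\*|\?|/|[^*?/]+")
_PARTS = {"/**": "(?:/.*)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}

def ant_to_regex(pattern):
    """Simplified Ant matching: '?' = one char, '*' = any chars within one
    segment, '**' = any number of segments (so '/x/**' also matches '/x')."""
    body = "".join(_PARTS.get(t, re.escape(t)) for t in _TOKEN.findall(pattern))
    return re.compile("^" + body + "$")

def first_match(path, rules=RULES):
    """Access expression of the first rule matching path; None means no
    intercept-url matched and Spring Security leaves the request unsecured."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None

def mvc_aliases(path):
    """Variants Spring MVC's default matcher routes to the same handler:
    trailing-slash match and suffix-pattern match ('.foo' is a sample suffix)."""
    return [path + "/", path + ".foo"]

def audit(handler_paths=HANDLER_PATHS, rules=RULES):
    """Report (path, alias, rule for path, rule for alias) wherever an alias
    that MVC accepts falls under a different security rule than the path."""
    findings = []
    for path in handler_paths:
        expected = first_match(path, rules)
        for alias in mvc_aliases(path):
            actual = first_match(alias, rules)
            if actual != expected:
                findings.append((path, alias, expected, actual))
    return findings
```

With the question's rules, `/admin-task/` is not matched by `/admin-task*` and falls through to `/**`, so it requires only ROLE_USER even though Spring MVC's trailing-slash match would route it to the admin-task handler.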

Answer

Spring Security 4.1+

Spring Security has now added a new matcher which is aware of your Spring MVC URL matching configuration. This tells Spring Security to match paths based on the same rules that Spring MVC uses, eliminating the possibility of a URL being valid, but unsecured.

First you need to replace any old matchers with the new MVC matcher. Spring Security is now in sync with however you have configured Spring MVC so you are free to add or remove any path matching configuration. I recommend sticking with the defaults where possible.

If you were using antMatchers, you now should use mvcMatchers:

@Override
protected void configure(HttpSecurity http) throws Exception {
  http.authorizeRequests()
      // matched with the same rules Spring MVC uses for request mapping
      .mvcMatchers("/about").hasRole("USER");
}

XML Config

You need to add the attribute request-matcher to your http tag:

<http request-matcher="mvc">
  <intercept-url pattern="/about" access="hasRole('USER')"/>
</http>

Full reference

Note that you should also no longer prefix your roles with "ROLE_", since Spring Security does this for you automatically.

I've not been able to find a way to handle both trailing slash and path suffixes in Spring Security. Obviously it is possible to write a regexp to handle these cases but this seems to make the security rules overly complex and prone to error. I want to be as confident as possible that I'm not exposing resources accidentally.

Therefore, my approach is to disable this behaviour in Spring by configuring the path matcher to be strict about both trailing slashes and suffixes.

@Configuration
public class ServletConfig extends WebMvcConfigurerAdapter {
  @Override
  public void configurePathMatch(final PathMatchConfigurer configurer) {
    configurer.setUseSuffixPatternMatch(false);
    configurer.setUseTrailingSlashMatch(false);
  }
}

XML Config

<mvc:annotation-driven>
  <mvc:path-matching suffix-pattern="false" trailing-slash="false" />
</mvc:annotation-driven>
