Spring Security Allows Unauthorized User Access to Restricted URL from a Forward


Problem description

Spring Security 3.2.0.RC2

Given:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
        .authorizeRequests()
            .antMatchers("/restricted/**").hasRole("admin")
            .anyRequest().authenticated()

        // etc
        ;
 }

A user without the admin role trying to access /myapp/restricted/foo.request correctly receives an HTTP 403.

However, given:

@Controller
public class FooController {
    @RequestMapping("/bar.request")
    public String bar() {
        return "forward:/restricted/foo.request";
    }
}

If the user accesses /myapp/bar.request, the user is forwarded to the restricted /myapp/restricted/foo.request. How can this be blocked without explicitly blocking "/bar.request"?

Recommended answer

@kungfuters is correct that the first step is ensuring the Filter is intercepting that request in the first place. To do so with a web.xml you would use the following:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher> <!-- Include FORWARD here -->
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

To do so with Java Configuration you would use the following:

import java.util.EnumSet;
import javax.servlet.DispatcherType;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

    @Override
    protected EnumSet<DispatcherType> getSecurityDispatcherTypes() {
        // Include FORWARD so springSecurityFilterChain also runs on forwarded dispatches
        return EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC, DispatcherType.FORWARD);
    }

}

The last piece is that the FilterSecurityInterceptor (the piece that ensures URLs are protected) by default will only intercept the REQUEST and not additional dispatches (i.e. forwards). This is done because it is quite rare to protect the URLs that are forwarded to (typically you would protect the URL that does the forwarding). To enable that with XML configuration you need to use http@once-per-request=false:

<http once-per-request="false">
   <!-- false: the FilterSecurityInterceptor re-evaluates the URL rules on every dispatch,
        including FORWARD; the default (true) only checks the original REQUEST -->
   <!-- ... -->
</http>

Similarly, there is a oncePerRequest property within Java Configuration that can be used. For example:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
        .authorizeRequests()
            .filterSecurityInterceptorOncePerRequest(false)
            // make sure to grant access to any login page you are forwarding to
            .antMatchers("/restricted/login").permitAll()
            .antMatchers("/restricted/**").hasRole("admin")
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .permitAll()
        // etc
        ;
}
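As an added example (not part of the answer above and not Spring Security's own code), here are the two pieces of the fix combined into one Spring Security 3.2 Java configuration: the initializer that registers springSecurityFilterChain for FORWARD dispatches, and the HttpSecurity configuration that turns off the once-per-request behaviour of the FilterSecurityInterceptor. The class names, the in-memory users alice and bob with their passwords, and the "/restricted/login" path are assumptions made for this example; it also assumes the root WebApplicationContext that picks up the configuration class is created by another WebApplicationInitializer in the project. Two source files are shown in one block.

```java
// ---- File 1: SecurityWebApplicationInitializer.java (example code, not the answer's) ----
// Registers springSecurityFilterChain for FORWARD in addition to the usual
// dispatch types. Without FORWARD the filter chain never sees the forwarded
// request, so no URL rule can apply to it.
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

    @Override
    protected EnumSet<DispatcherType> getSecurityDispatcherTypes() {
        return EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR,
                          DispatcherType.ASYNC, DispatcherType.FORWARD);
    }
}

// ---- File 2: ForwardAwareSecurityConfig.java (example code, not the answer's) ----
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ForwardAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Evaluate the URL rules on every dispatch of a request, not only the
                // first one, so the forward to /restricted/foo.request is checked too.
                .filterSecurityInterceptorOncePerRequest(false)
                // Once forwards are checked, a login page that is itself reached by a
                // forward under a protected prefix must be permitted explicitly.
                // "/restricted/login" is an assumed path for this example.
                .antMatchers("/restricted/login").permitAll()
                // hasRole("admin") matches the granted authority ROLE_admin.
                .antMatchers("/restricted/**").hasRole("admin")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed users for the example. roles("admin") is stored as ROLE_admin,
        // which is what hasRole("admin") above checks for.
        auth
            .inMemoryAuthentication()
                .withUser("alice").password("alice-pw").roles("admin")
                .and()
                .withUser("bob").password("bob-pw").roles("user");
    }
}
```

With both files in place, a request from bob to /myapp/bar.request still reaches FooController, but the forward to /myapp/restricted/foo.request is dispatched through springSecurityFilterChain again and the FilterSecurityInterceptor, no longer limited to once per request, denies it with HTTP 403 because bob lacks ROLE_admin. Either piece on its own is not enough: without the FORWARD dispatcher type the chain never runs on the forward, and without oncePerRequest=false the interceptor skips the second evaluation even when the chain does run.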
