Spring Security：如何用标志强制https？ [英] Spring Security: How to force https with flag?

问题描述

使用Spring安全性我配置我的Web应用程序的部分需要通过https进行保护，并使用 security：intercept-url 标记。

With Spring security I configure the parts of my web app that need to be secured by https with security:intercept-url tag.

例如：

<security:intercept-url pattern="/**/*secure*" requires-channel="https"/>
<security:intercept-url pattern="/**" requires-channel="http" />    

这样所有在文件名中包含secure的请求或包含secure的目录最低级别获取https，其余的将获得http。

This way all requests with "secure" in the file name or directories containing "secure" on the lowest level get https, the rest will get http.

有没有办法使用标志来生成Spring force https？
在？之后，我无法获得任何工作。一个网址。

Is there a way to use a flag to make Spring force https? I could not get anything to work that takes stuff after the "?" of an url.

• http：// domain / abc？secure = true => https


• http：// domain / abc => http

• http://domain/abc?secure=true => https
• http://domain/abc => http

然后Spring将透明地重定向到每个请求 http：// domain / abc？secure = true to https：// domain / abc？secure = true 。

Spring would then redirect transparently every request going to http://domain/abc?secure=true to https://domain/abc?secure=true.

有没有办法实现这一目标？
示例中的第一个模式实现了在？之前发生安全的结果，但我正在寻找一个解决方案/模式，在？之后有一个标志。只有。

Is there a way to achieve that? The first pattern in the example achieves the result for a "secure" occuring before the "?", but I am looking for a solution/pattern to have a flag after the "?" only.

推荐答案

让Spring在？之后考虑片段在url中，stripQueryStringFromUrls必须设置为false。

To make Spring consider fragments after the "?" in urls, the stripQueryStringFromUrls has to be set to false.

这是我在 Spring forum ：
加载此BeanPostProcessor时，将设置该属性。 / p>

Here is a solutation I found in the Spring forum: When this BeanPostProcessor is loaded, the property will be set.

public class BeanPostProcessorImpl implements BeanPostProcessor
{
    final static private Logger log = Logger.getLogger(BeanPostProcessorImpl.class);

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException
    {
        return bean;
    }

    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException
    {
        if (bean instanceof DefaultFilterInvocationSecurityMetadataSource)
        {
            log.info("********* Post-processing " + beanName);
            ((DefaultFilterInvocationSecurityMetadataSource) bean).setStripQueryStringFromUrls(false);
        }
        return bean;
    }
}

这种模式

<security:intercept-url pattern="/**/*?secure=true*" requires-channel="https"/>

终于有效。

这篇关于Spring Security：如何用标志强制https？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！