在java config中添加http安全过滤器 [英] Add http security filter in java config
问题描述
我正在尝试在春季添加网络安全性,但我不希望过滤器适用于某些事情。如何在java中完成?
I'm trying to add web security in spring but I don't want the filter to apply to certain things. How is that done in java?
也许还有更好的方法可以做到这一点,因为我创建了一个自定义过滤器,但这是我认为实例化它的唯一方法,因为它的依赖关系。
And maybe there's a better way to do this because I created a custom filter but this is the only way I can think to instantiate it because of its dependencies.
总的来说,我想做的是:
Overall, what I want to do is this:
/ resources / ** 不应该通过过滤器,
/ login (POST)不应该通过过滤器,
其他一切应该通过过滤器
/resources/** SHOULD NOT go through the filter,
/login (POST) SHOULD NOT go through the filter,
everything else SHOULD go through the filter
通过我在春天发现的各种例子我能够想出一个开始,但它显然不起作用:
Through various example I found through spring I was able to come up with this as for a start but it obviously doesn't work:
@Configuration
@EnableWebSecurity
@Import(MyAppConfig.class)
public class MySecurityConfig extends WebSecurityConfigurerAdapter
{
@Override
public void configure(WebSecurity webSecurity) throws Exception
{
webSecurity.ignoring().antMatchers("/resources/**");
}
@Override
public void configure(HttpSecurity httpSecurity) throws Exception
{
httpSecurity
.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.antMatchers("/login").permitAll();
httpSecurity.httpBasic();
httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Bean
@Autowired
public TokenFilterSecurityInterceptor<TokenInfo> tokenInfoTokenFilterSecurityInterceptor(MyTokenUserInfoCache userInfoCache, ServerStatusService serverStatusService, HttpSecurity httpSecurity) throws Exception
{
TokenService<TokenInfo> tokenService = new TokenServiceImpl(userInfoCache);
TokenFilterSecurityInterceptor<TokenInfo> tokenFilter = new TokenFilterSecurityInterceptor<TokenInfo>(tokenService, serverStatusService, "RUN_ROLE");
httpSecurity.addFilter(tokenFilter);
return tokenFilter;
}
}
推荐答案
是您是否对所有Spring Security感兴趣而忽略了URL,或者您是否只希望该特定过滤器忽略该请求?如果您希望所有Spring Security都忽略该请求,可以使用以下命令完成:
Are you interested in all of Spring Security ignoring the URLs or do you only want that specific filter to ignore the request? If you want all of Spring Security to ignore the request it can be done using the following:
@Configuration
@EnableWebSecurity
@Import(MyAppConfig.class)
public class MySecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private MyTokenUserInfoCache userInfoCache;
@Autowired
private ServerStatusService serverStatusService;
@Override
public void configure(WebSecurity webSecurity) throws Exception
{
webSecurity
.ignoring()
// All of Spring Security will ignore the requests
.antMatchers("/resources/**")
.antMatchers(HttpMethod.POST, "/login");
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.addFilter(tokenInfoTokenFilterSecurityInterceptor())
.authorizeRequests()
// this will grant access to GET /login too do you really want that?
.antMatchers("/login").permitAll()
.and()
.httpBasic().and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Bean
public TokenFilterSecurityInterceptor<TokenInfo> tokenInfoTokenFilterSecurityInterceptor() throws Exception
{
TokenService<TokenInfo> tokenService = new TokenServiceImpl(userInfoCache);
return new TokenFilterSecurityInterceptor<TokenInfo>(tokenService, serverStatusService, "RUN_ROLE");
}
}
如果你想只让那个特定的过滤器忽略特定的请求你可以做这样的事情:
If you want to have only that specific Filter ignore particular requests you can do something like this:
@Configuration
@EnableWebSecurity
@Import(MyAppConfig.class)
public class MySecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private MyTokenUserInfoCache userInfoCache;
@Autowired
private ServerStatusService serverStatusService;
@Override
public void configure(WebSecurity webSecurity) throws Exception
{
webSecurity
.ignoring()
// ... whatever is here is ignored by All of Spring Security
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.addFilter(tokenInfoTokenFilterSecurityInterceptor())
.authorizeRequests()
// this will grant access to GET /login too do you really want that?
.antMatchers("/login").permitAll()
.and()
.httpBasic().and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Bean
public TokenFilterSecurityInterceptor<TokenInfo> tokenInfoTokenFilterSecurityInterceptor() throws Exception
{
TokenService<TokenInfo> tokenService = new TokenServiceImpl(userInfoCache);
TokenFilterSecurityInterceptor tokenFilter new TokenFilterSecurityInterceptor<TokenInfo>(tokenService, serverStatusService, "RUN_ROLE");
RequestMatcher resourcesMatcher = new AntPathRequestMatcher("/resources/**");
RequestMatcher posLoginMatcher = new AntPathRequestMatcher("/login", "POST");
RequestMatcher ignored = new OrRequestMatcher(resourcesMatcher, postLoginMatcher);
return new DelegateRequestMatchingFilter(ignored, tokenService);
}
}
public class DelegateRequestMatchingFilter implements Filter {
private Filter delegate;
private RequestMatcher ignoredRequests;
public DelegateRequestMatchingFilter(RequestMatcher matcher, Filter delegate) {
this.ignoredRequests = matcher;
this.delegate = delegate;
}
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) {
HttpServletRequest request = (HttpServletRequest) req;
if(ignoredRequests.matches(request)) {
chain.doFilter(req,resp,chain);
} else {
delegate.doFilter(req,resp,chain);
}
}
}
这篇关于在java config中添加http安全过滤器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
