Java Config for Spring Security with Vaadin


Question

I'm new to these frameworks (Vaadin 7.6.1, Spring Security 4.0.3) and I'm asking myself how to configure the authorized requests if I want to build a Vaadin application.

I looked up a few examples where something like this is written:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
{

    [...]

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
            .authorizeRequests()
                .antMatchers("/login**").permitAll()
                .antMatchers("/UIDL/**").permitAll()
                .antMatchers("/HEARTBEAT/**").authenticated()
                .antMatchers("/VAADIN/**").permitAll()
                .antMatchers("/resources/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .logout().permitAll()
                .and()
            .csrf().disable();
    }
}

Because I want to design the login page I use the Thymeleaf engine. Therefore I'm using this Controller class:

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class LoginController
{
    // Returns the name of the Thymeleaf template ("login") that renders the login page
    @RequestMapping("/login")
    String login(Model model)
    {
        return "login";
    }
}

Which .antMatchers() should I define if I want to block every request of my application if the user isn't logged in? I know that I have to define antMatchers("/resources/**").permitAll() for the login page to get the CSS and images. But what are these patterns like "/UIDL/**" and what do I need them for?

Answer


Which .antMatchers() should I define if I want to block every request of my application if the user isn't logged in?

If you just want to block every request if the user isn't logged in:

@Override
protected void configure(HttpSecurity http) throws Exception
{
    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login").permitAll()
            .and()
        .logout().permitAll()
            .and()
        .csrf().disable();
}

You don't really need any antMatcher, not even for the login page, as in the .formLogin() part you already include .permitAll() for that page.

Now for static resources (CSS, JS, images) and with Vaadin in mind, you can do this by overriding another method:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
        .antMatchers("/resources/**", "/VAADIN/**");
}

With a Spring Boot project, I also found issues if I didn't allow requests to "/vaadinServlet/**" in the web.ignoring().antMatchers(...).


What are these patterns like "/UIDL/**" and what do I need them for?

When the server receives a request, Spring Security uses these patterns to determine whether it should allow or deny access to the request.

They represent the part of the URI after the context root of your application, e.g. if your context root is /, then for a request like http://server.com/UIDL/hello the part of the URI that Spring Security will use to determine whether to give access or not will be /UIDL/hello.

The ** represents anything including any sub level, e.g. for the /UIDL/** pattern, the request /UIDL/hello/world/and/any/more/levels will match.

There's also the single *, which represents anything but not including the sub levels, e.g. for the /UIDL/* pattern, the request /UIDL/hello will match, but not /UIDL/hello/world.
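Putting the pieces of the answer together, here is a complete configuration class as an added example (it is not code from the question or the answer): static content is taken out of the filter chain in configure(WebSecurity), everything else, including /UIDL/** and /HEARTBEAT/**, must be authenticated, and the comments spell out how the ** and * patterns explained above apply to the Vaadin paths. The class name, the package and the in-memory "demo" account are assumptions made for this example; the Spring Security 4.0.x and Vaadin 7 APIs used are the ones the page discusses.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example; hypothetical class name, not the answer's own code.
@Configuration
@EnableWebSecurity
public class VaadinSecurityConfig extends WebSecurityConfigurerAdapter {

    // Static content only. These requests skip the whole Spring Security filter
    // chain, so nothing that needs a session or an authentication check belongs here.
    // "/VAADIN/**" covers themes and widgetsets at any depth, e.g.
    // /VAADIN/themes/valo/styles.css; "/VAADIN/*" would match one level only.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**", "/VAADIN/**");
    }

    // Everything else (the UI bootstrap page, /UIDL/**, /HEARTBEAT/**, ...) passes
    // through the filter chain and needs an authenticated session. No antMatcher for
    // /login is required: loginPage("/login").permitAll() opens the page and its POST.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .and()
            .logout().permitAll()
                .and()
            // Vaadin's UIDL POSTs do not carry Spring's CSRF token and would be
            // rejected by CsrfFilter; Vaadin 7 protects UIDL requests with its own
            // token, so that protection stays in place when this one is disabled.
            .csrf().disable();
    }

    // Constructed demo account so the class is runnable as-is; a real application
    // would plug in its own UserDetailsService here.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("demo").password("demo-password").roles("USER");
    }
}
```

Requests to /UIDL/... and /HEARTBEAT/... are authenticated here because they carry the application's state exchange and are only ever issued by a UI that was itself served to a logged-in session; only the two static prefixes bypass the chain, which is the distinction the answer draws between configure(WebSecurity) and configure(HttpSecurity).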

As for Vaadin views and UIs, I'm not sure that it is possible to use the antMatchers to grant or deny access, but instead you can annotate the configuration class with @EnableGlobalMethodSecurity(prePost = enabled) and then be able to use the @PreAuthorize( /* spel expression */) annotation on the views to grant or deny access.
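URL patterns cannot distinguish Vaadin views because view navigation happens in the URI fragment (#!admin), which the browser never sends to the server; all views share the same /UIDL/** requests. The following added example (not code from the answer) shows the method-security route the answer points at: @EnableGlobalMethodSecurity, whose actual attribute is spelled prePostEnabled = true, a @PreAuthorize check on the backend operation a view displays, and, for the navigation step, vaadin-spring's ViewAccessControl hook with an access-denied view. It assumes vaadin-spring (@SpringUI, @SpringView, SpringViewProvider, ViewAccessControl) on the classpath, which the question does not mention; the view, service and UI names are hypothetical and the audit text is constructed.

```java
import com.vaadin.navigator.Navigator;
import com.vaadin.navigator.View;
import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
import com.vaadin.server.VaadinRequest;
import com.vaadin.spring.access.ViewAccessControl;
import com.vaadin.spring.annotation.SpringUI;
import com.vaadin.spring.annotation.SpringView;
import com.vaadin.spring.navigator.SpringViewProvider;
import com.vaadin.ui.Label;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// Enables @PreAuthorize processing on Spring beans (attribute: prePostEnabled).
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

// The privileged operation is guarded where it lives, so the check holds for every
// caller, not only for the view that happens to display the result.
@Service
class AuditService {
    @PreAuthorize("hasRole('ADMIN')")
    public String latestAuditEntry() {
        return "constructed sample audit entry"; // constructed sample data
    }
}

// Navigation check: vaadin-spring asks every ViewAccessControl bean before it
// instantiates a @SpringView, passing the view's Spring bean name.
@Component
class RoleBasedViewAccessControl implements ViewAccessControl {
    @Autowired
    private ApplicationContext context;

    @Override
    public boolean isAccessGranted(UI ui, String beanName) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false; // fail closed: no authentication, no view
        }
        Class<?> viewType = context.getType(beanName);
        if (viewType != null && AdminView.class.isAssignableFrom(viewType)) {
            return auth.getAuthorities().stream()
                    .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        }
        return true; // any authenticated user may open the remaining views
    }
}

@SpringView(name = AdminView.NAME)
class AdminView extends VerticalLayout implements View {
    static final String NAME = "admin";

    @Autowired
    private AuditService auditService;

    @Override
    public void enter(ViewChangeEvent event) {
        removeAllComponents();
        // Should navigation ever be reached another way, this call still throws
        // AccessDeniedException for a non-admin: the service method is protected.
        addComponent(new Label(auditService.latestAuditEntry()));
    }
}

// Shown by SpringViewProvider instead of the requested view when access is denied.
@SpringView(name = AccessDeniedView.NAME)
class AccessDeniedView extends VerticalLayout implements View {
    static final String NAME = "denied";

    @Override
    public void enter(ViewChangeEvent event) {
        removeAllComponents();
        addComponent(new Label("You are not allowed to open this view."));
    }
}

@SpringUI
class SecuredUI extends UI {
    @Autowired
    private SpringViewProvider viewProvider;

    @Override
    protected void init(VaadinRequest request) {
        viewProvider.setAccessDeniedViewClass(AccessDeniedView.class);
        Navigator navigator = new Navigator(this, this);
        navigator.addProvider(viewProvider);
    }
}
```

The two layers are deliberate: the ViewAccessControl decides what the navigator will show, while @PreAuthorize on the service decides what the server will actually do, so a mistake in the first layer cannot expose the operation itself.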

Update: answering the questions from the comments:


1. Why is the configure(WebSecurity web) method used to ignore the resources instead of configure(HttpSecurity http) permitting access to them? Is there a significant difference?

The difference is that WebSecurity#ignoring() makes the request skip the Spring Security filter chain, and it is the recommended way for static resources; anything other than static resources should be processed inside configure(HttpSecurity http).

source


2. Why ignore the /VAADIN/** path?

Because that path is used to serve themes, widget sets and customizations, which are static content. The path is used to serve them dynamically from the Vaadin jar, but as suggested in the Vaadin documentation, in production environments they should be served statically, as it is faster.

source


3. I can imagine the meaning of /* and /**, but what exactly do UIDL and HEARTBEAT mean, and why are they permitted?

UIDL:


User Interface Definition Language (UIDL) is a language for serializing user interface contents and changes in responses from web server to a browser. The idea is that the server-side components "paint" themselves to the screen (a web page) with the language. The UIDL messages are parsed in the browser and translated to GWT widgets.

source

Heartbeat requests are performed periodically to verify that the connection between server and client is still alive, or that the session hasn't expired.

source - see sections 4.8.5, 4.8.6, 4.8.7 and 4.8.8
