尝试使用 XML 配置关闭一个 URL 的安全性
问题描述:
我查看了几个博客/文档/stackoverflow 论坛条目,但我仍然不知道我做错了什么.
我想向任何人授予访问 URL 的权限.permitAll 不起作用,因为我有自定义过滤器.所以我想创建一个单独的 http 元素并使用 security="none" 设置但没有成功远.
I checked several blogs / doc / stackoverflow forum entries but I still don't know what I am doing wrong.
I want to give access to an URL to anybody. The permitAll doesn't work as I have custom filters. So I thought to create a separate http element and use the security="none" setting but no success so far.
<security:http pattern="/status" security="none"/>
<!-- ******************** rules with encryption and HMAC authentication ******************** -->
<security:http create-session="stateless" use-expressions="true" authentication-manager-ref="authenticationManager" auto-config="true" entry-point-ref="http403EntryPoint" pattern="/**">
<!-- HMAC only -->
<security:intercept-url pattern="/utils/logheaderpattern/check" access="authenticated" />
<security:intercept-url pattern="/executionflow/approve" access="authenticated" />
<security:intercept-url pattern="/executionflow/approve_and_forced_start" access="authenticated" />
<security:intercept-url pattern="/utils/maintenancewindow/next/**" access="authenticated" />
<security:intercept-url pattern="/executionflow/start/manual" access="authenticated" />
<security:intercept-url pattern="/executionflow/start/eventlife" access="authenticated" />
<security:intercept-url pattern="/executionflow/skip/eventlife" access="authenticated" />
<security:intercept-url pattern="/executionflow/start/scheduled" access="authenticated" />
<security:intercept-url pattern="/utils/cron/nextrun" access="authenticated" />
<!-- HMAC and encryption (set in encryptionFilter) -->
<security:intercept-url pattern="/worker/command/**" access="authenticated" />
<security:intercept-url pattern="/worker/event" access="authenticated" />
<security:intercept-url pattern="/worker/system/**" access="authenticated" />
<!-- deny all others -->
<security:intercept-url pattern="/**" access="denyAll" />
<security:csrf disabled="true" />
<security:custom-filter ref="encryptionFilter" before="FORM_LOGIN_FILTER"/>
<security:custom-filter ref="hmacAuthenticationFilter" after="FORM_LOGIN_FILTER"/>
</security:http>
<!-- ******************** Defining the authentication manager ******************** -->
<security:authentication-manager erase-credentials="false" id="authenticationManager">
<security:authentication-provider user-service-ref="fileBasedUserDetailsService">
</security:authentication-provider>
</security:authentication-manager>
和控制器:
@Controller
public class WebController {
@RequestMapping(value = "/status", method = RequestMethod.GET)
public String redirect() {
return "redirect:/pages/status.html";
}
}
和 Spring Boot 初始化程序
And the Spring Boot initializer
@Configuration
@ImportResource({"classpath:applicationContext.xml", "classpath:securityContext.xml"})
@ComponentScan(basePackages = {"org.reaction.engine.controller",
"org.reaction.engine.persistence.service",
"org.reaction.engine.persistence.converter",
"org.reaction.engine.service",
"org.reaction.engine.scheduling.utils"})
@EnableAutoConfiguration
public class WebInitializer extends SpringBootServletInitializer implements WebApplicationInitializer {
@Override
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application.sources(WebInitializer.class);
}
public static void main(String[] args) throws Exception {
SpringApplication.run(WebInitializer.class, args);
}
}
我不断收到
2018-01-15 16:04:02.676 ERROR [org.springframework.boot.web.support.ErrorPageFilter:176] - Forwarding to error page from request [/status] due to exception [An Authentication object was not found in the SecurityContext]
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:379)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:223)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
例外.有什么想法吗?
答
这是 Spring Boot/Spring Security 中的一个错误/缺失的特性,见
It s a bug/missing feature in Spring Boot/Spring Security, see
- xml 中的安全过滤器会自动从 FilterChainProxy 注册出来
- SEC-2723:将元数据添加到 Spring Security Filter 的 bean 定义中bean 将它们标识为内部"
一些变通办法是可能的,一种是使用 Java 配置而不是 XML 配置.
Some work-arounds are possible, one is to use Java configuration instead of XML configuration.