In Spring Security 2.0.4, the declarations looked like the following, and the filter positions were also declared in the individual bean declarations...
Old security.xml
<sec:http session-fixation-protection="migrateSession">
    <sec:intercept-url pattern="/login.hm*" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/services/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/widget/**" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/istore/theme/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/logout.hm*" filters="none" requires-channel="https" />
    <sec:intercept-url pattern="/mstore/theme/**" filters="none" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/history*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/consumer_goods*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/electronics*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/accessories*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/reward_redemption*" access="ROLE_UU" requires-channel="https"/>
    <sec:intercept-url pattern="/istore/**" access="ROLE_UU,ROLE_SSS" requires-channel="https"/>
    <sec:form-login
        login-page="${login.url}"
        login-processing-url="${login.processing.url}"
        default-target-url="${setuppassword.page.url}"
        authentication-failure-url="${login.failure.url}" always-use-default-target="false" />
</sec:http>
Spring Security: how to exclude certain resources?
https://www.baeldung.com/security-none-filters-non-access-permitall
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'characterEncodingFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'httpPutFormContentFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'requestContextFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'springSecurityFilterChain' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'sitemesh' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'CustomSecurityHeaderFilter' to urls: []
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'HttpOnlyCookieFilter' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'ValidatorFilter' to urls: [*.hm]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'org.springframework.security.filterChainProxy' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter:'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'httpOnlyCookieFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'logoutFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'iStoreFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'loginFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: 'preLoginFilter' to: [/*]
INFO 78928 --- [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: '_formLoginFilter' to: [/*]
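I asked the question below earlier and it was deleted for lacking focus, so I am asking it again in order to answer it myself, because I think it may be useful to others as well.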
https://stackoverflow.com/questions/60221667/custom-filters-by-spring-and-mapped-to-even-after-specify-se
For migrating Spring Security to version 3 and above, you can simply extend WebSecurityConfigurerAdapter and override its methods, which use the Java-config builder pattern:
@Override
protected void configure(HttpSecurity http) throws Exception {
    // URL authorization rules; the first matching pattern wins.
    http.authorizeRequests()
            .antMatchers("/istore/link.jsp").hasAnyAuthority("UU", "SSS")
            .antMatchers("/istore/**/*.jsp").hasAuthority("RESTRICT")
            .antMatchers("/mstore/**/*.jsp").hasAuthority("RESTRICT")
            .antMatchers("/istore/card*").hasAuthority("UU")
            .antMatchers("/istore/history*").hasAuthority("UU")
            .antMatchers("/istore/orders*").hasAuthority("UU")
            .antMatchers("/istore/consumer_goods*").hasAuthority("UU")
            .antMatchers("/istore/electronics*").hasAuthority("UU")
            .antMatchers("/istore/reward_redemption*").hasAuthority("UU")
            .antMatchers("/istore/accessories*").hasAuthority("UU")
            .antMatchers("/istore/privelege_card*").hasAuthority("UU")
            .antMatchers("/istore/profile*").hasAuthority("UU")
            .antMatchers("/istore/reward_redemption*").hasAuthority("UU")
            .antMatchers("/istore/addresses*").hasAuthority("UU")
            .antMatchers("/istore/**").hasAuthority("UU")
            .and()
        .formLogin()
            .loginPage("/login.hm")
            .failureUrl("/login.hm?err=1")
            .loginProcessingUrl("/istore_check.hm")
            .and()
        .authenticationProvider(authProvider)
        .logout()
            .and()
        .csrf().disable()
        .addFilterBefore(iStoreFilter, ChannelProcessingFilter.class)
        .addFilterAfter(loginFilter, BasicAuthenticationFilter.class)
        .addFilterAt(logoutFilter, org.springframework.security.web.authentication.logout.LogoutFilter.class)
        .addFilterAt(authenticationProcessingFilter, UsernamePasswordAuthenticationFilter.class)
        .sessionManagement().sessionFixation().migrateSession();
}

@Override
public void configure(WebSecurity web) throws Exception {
    // Requests matching these patterns bypass the Spring Security filter chain entirely.
    web.ignoring().antMatchers("/services/**")
            .antMatchers(HttpMethod.GET, "/monitor/health")
            .antMatchers(HttpMethod.GET, "/widget/**")
            .antMatchers(HttpMethod.GET, "/login.hm*")
            .antMatchers(HttpMethod.GET, "/istore/login.jsp")
            .antMatchers(HttpMethod.GET, "/istore/logout.jsp")
            .antMatchers(HttpMethod.GET, "/registration.hm*")
            .antMatchers(HttpMethod.GET, "/tnc.hm*")
            .antMatchers(HttpMethod.GET, "/istore/clicktochat/**")
            .antMatchers(HttpMethod.GET, "/logout.hm")
            .antMatchers(HttpMethod.GET, "/istore/theme/**")
            .antMatchers(HttpMethod.GET, "/mstore/theme/**")
            .antMatchers(HttpMethod.GET, "/js/**")
            .antMatchers(HttpMethod.GET, "/breeze/**")
            .antMatchers(HttpMethod.GET, "/resources/**")
            .antMatchers(HttpMethod.GET, "/crossdomain.xml");
}

@Override
@Bean(name = "authenticationManagerBean")
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}
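P.S. Please keep in mind that for a migration from 3 onwards, you should check web.xml if you use XML-based configuration, because servlet and filter registration is an important part; if it is not done precisely, you will find yourself debugging elsewhere. If HDIV is being used, remove it and migrate it in parallel rather than together.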
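The startup log above shows Spring Boot mapping each custom filter bean (for example 'iStoreFilter') to /* in the servlet container, outside springSecurityFilterChain, so web.ignoring() cannot keep it off excluded paths. The following is an added example, not the poster's code, showing one way to keep such a filter in the security chain only, keep public pages inside the chain with permitAll(), and restore requires-channel="https". The class name ChainOnlyFilterConfig is hypothetical, and it assumes a javax.servlet.Filter bean named "iStoreFilter" and the org.springframework.boot.web.servlet package seen in the log.

```java
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;

@Configuration
public class ChainOnlyFilterConfig extends WebSecurityConfigurerAdapter { // hypothetical name
    private final Filter iStoreFilter; // assumed: the existing Filter bean named "iStoreFilter"

    public ChainOnlyFilterConfig(@Qualifier("iStoreFilter") Filter iStoreFilter) {
        this.iStoreFilter = iStoreFilter;
    }

    // Spring Boot registers every Filter bean with the servlet container on /* by default.
    // A disabled registration leaves the filter running only inside springSecurityFilterChain.
    @Bean
    public FilterRegistrationBean iStoreFilterRegistration() {
        FilterRegistrationBean registration = new FilterRegistrationBean(iStoreFilter);
        registration.setEnabled(false);
        return registration;
    }

    @Override
    public void configure(WebSecurity web) {
        // Same effect as filters="none": no security filter runs, so static assets only.
        web.ignoring().antMatchers(HttpMethod.GET, "/js/**", "/resources/**", "/istore/theme/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Public pages stay in the chain: anonymous access, but its filters still run.
                .antMatchers(HttpMethod.GET, "/login.hm*", "/registration.hm*", "/tnc.hm*").permitAll()
                .antMatchers("/istore/**").hasAuthority("UU")
                .and()
            // Java-config equivalent of requires-channel="https" in the old security.xml.
            .requiresChannel().anyRequest().requiresSecure()
                .and()
            .formLogin().loginPage("/login.hm").loginProcessingUrl("/istore_check.hm")
                .and()
            .addFilterBefore(iStoreFilter, ChannelProcessingFilter.class);
    }
}
```

CSRF protection is left at its Java-config default (enabled) here, so forms posted to the application must carry the CSRF token.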
Confusion: no code snippet works for me; I get a 404 every time. I think I am missing something?