Question

我有一个使用spring（也是spring security）的应用程序，其中很少有服务保存在安全资源集之外，通过在applicationContext.xml中指定如下所示：

<http pattern="/services/rest/nohisb/Msgs" security="none"/>

现在只需通过https访问这些服务。容器配置为具有https。要求是当用户在http上访问上述服务时，他应该被重定向到https（端口号也会改变，因为它不是默认的443）。

是否可以通过弹簧实现这一目标？

感谢
Nohsib

Answer 1

是的，可以使用Spring Channel Processing和PortMapper

来实现

Spring Channel Processing用于定义http / https访问URL模式。例如 -

Https Access URL-

https://localhost/myapp/user/myaccount

Http：访问网址 -

http://localhost/myapp/home

然后，如果用户以http模式“ http：// localhost / myapp / user / myaccount ”访问安全网址，则弹出渠道安全会将用户重定向到安全网址“ https：// localhost / myapp / user / myaccount “和反之亦然。

PortMapper Bean用于映射HTTP和HTTPS映射的非标准端口号

示例配置：

频道处理Bean定义和端口映射器 -

<bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
  <property name="channelDecisionManager" ref="channelDecisionManager"/>
  <property name="securityMetadataSource">
        <security:filter-security-metadata-source path-type="ant">
            <security:intercept-url pattern="/services/rest/nohisb/Msgs**" access="REQUIRES_SECURE_CHANNEL" />
            <security:intercept-url pattern="/**/*.html**" access="REQUIRES_SECURE_CHANNEL" />

            <!-- more pattern definition -->

        </security:filter-security-metadata-source>
  </property>
</bean>

<bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
  <property name="channelProcessors">
    <list>
        <ref bean="secureChannelProcessor"/>
        <ref bean="insecureChannelProcessor"/>
    </list>
  </property>
</bean>

<bean id="secureChannelProcessor" class="org.springframework.security.web.access.channel.SecureChannelProcessor">
    <property name="entryPoint" ref="secureEntryPoint"/>
</bean>

<bean id="insecureChannelProcessor" class="org.springframework.security.web.access.channel.InsecureChannelProcessor">
    <property name="entryPoint" ref="insecureEntryPoint"/>
</bean>

<bean id="secureEntryPoint" class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
    <property name="portMapper" ref="portMapper"/>
</bean>

<bean id="insecureEntryPoint" class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
    <property name="portMapper" ref="portMapper"/>
</bean>

<bean id="portMapper" class="org.springframework.security.web.PortMapperImpl">
    <property name="portMappings">
        <map>
            <entry key="80" value="443"/>
            <entry key="8081" value="8443"/>
            <entry key="8443" value="8081"/>
            <!-- so on... -->
        </map>
    </property>
</bean>

过滤器映射 -

<security:http auto-config="false" 
            entry-point-ref="authenticationProcessingFilterEntryPoint" 
            access-decision-manager-ref="accessDecisionManager" >

    <security:custom-filter position="CHANNEL_FILTER" ref="channelProcessingFilter"/>

    <security:intercept-url pattern="/*.html*" access="ROLE_ANONYMOUS,admin,user"  />
    <security:intercept-url pattern="/*.jsp" access="ROLE_ANONYMOUS,admin,user" />

    <!-- more pattern definition -->

</security:http>

Answer 2

您可以编写Servlet过滤器来检查请求方案和URL，并在需要时发送重定向。但实际上这些东西不应该在java代码中完成，而应该在反向代理或平衡器中完成。通常servlet容器在代理（nginx？）或apache（mod_proxy）之后使用。这是配置https / http重定向等的地方。

Answer 3

使用http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html#ns-requires-channel中描述的Spring Security命名空间配置来定义端口映射不是更简单吗？

使用spring重定向到https以获得少量服务

3 个答案: