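I have a question about Spring Security and SiteMinder.
Normally I use the SM_USER header for all requests to all of my pages, but this time I need to exclude one URL: it will send requests without the SM_USER header.
I use Java configuration: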
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // for class CustomUserDetailsService I configured how I get the list of
        // user authorities with the content of SM_USER header
        userDetailsService = new CustomUserDetailsService();
        UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(
                userDetailsService);
        preAuthenticatedProvider = new PreAuthenticatedAuthenticationProvider();
        preAuthenticatedProvider.setPreAuthenticatedUserDetailsService(wrapper);
        auth.authenticationProvider(preAuthenticatedProvider);
        log.debug("global security configuration was successfull");
    }
Then I add the permissions for the different URLs:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
        siteMinderFilter.setPrincipalRequestHeader("SM_USER");
        siteMinderFilter.setAuthenticationManager(authenticationManager());
        http.addFilter(siteMinderFilter);
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http.authorizeRequests();
        // adding an authority to URLs containing SM_USER_URL
        registry.antMatchers(HttpMethod.GET, "**/SM_USER_URL/**").hasAuthority("authority1");
        // here I try to exclude the URL from SiteMinder
        registry.antMatchers(HttpMethod.GET, "**/ExcludedPage/**").permitAll();
    }
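My problem is that for requests to the ExcludedPage URL I get nothing but an exception:
org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException: SM_USER header not found in request.
I don't know how to set up the filter for this page, which does not need any SM_USER header at all.
Thanks in advance.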
Answer 0 (score: 0)
For each URL that should accept SiteMinder, add
    http.antMatcher(SM_USER_URL).addFilter(siteMinderFilter);
Answer 1 (score: 0)
What you are missing is the correct behavior of RequestHeaderAuthenticationFilter. Try it like this, with setExceptionIfHeaderMissing set to false:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
        siteMinderFilter.setPrincipalRequestHeader("SM_USER");
        siteMinderFilter.setAuthenticationManager(authenticationManager());
        // the added line: do not throw when the SM_USER header is absent
        siteMinderFilter.setExceptionIfHeaderMissing(false);
        ...
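The question's configuration combined with the setting from Answer 1, as an added example that is not part of the original posts. It shows that once the filter stops throwing, the authorization rules alone decide what a request without SM_USER may reach. The class name, the stand-in user service and the leading-slash path patterns are assumptions; the API is the same WebSecurityConfigurerAdapter style the question uses.

```java
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.preauth.*;

@EnableWebSecurity
public class SiteMinderSecurityConfig extends WebSecurityConfigurerAdapter {

    // Stand-in for the question's CustomUserDetailsService (constructed for this example)
    private final UserDetailsService users = name ->
            new User(name, "N/A", AuthorityUtils.createAuthorityList("authority1"));

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(users));
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
        siteMinderFilter.setPrincipalRequestHeader("SM_USER");
        siteMinderFilter.setAuthenticationManager(authenticationManager());
        // Without SM_USER the filter no longer throws; the request simply
        // continues down the chain with no authentication attached.
        siteMinderFilter.setExceptionIfHeaderMissing(false);

        http.addFilter(siteMinderFilter)
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint()).and()
            .authorizeRequests()
                // Rules are evaluated in order; the first matching rule wins.
                .antMatchers(HttpMethod.GET, "/ExcludedPage/**").permitAll()
                .antMatchers(HttpMethod.GET, "/SM_USER_URL/**").hasAuthority("authority1")
                // Everything else still requires SM_USER: no header means 403.
                .anyRequest().authenticated();
    }
}
```

With this setup a request lacking SM_USER succeeds only under /ExcludedPage/ and gets a 403 everywhere else, so the catch-all rule is what keeps the relaxed filter from opening the rest of the application.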