突然之间,我的应用程序的安全性被打破了。它与antMatchers.(<patterns>).permitAll()中的模式不匹配,并且正在尝试验证所有网址。代码
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(preauthAuthProvider());
}
@Bean
public PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider();
preauthAuthProvider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
return preauthAuthProvider;
}
@Bean
public HeaderPreAuthProcessingFilter ssoFilter() throws Exception {
HeaderPreAuthProcessingFilter filter = new HeaderPreAuthProcessingFilter();
filter.setPrincipalRequestHeader("user_id");
CustomUserDetailsService userDetSer = new CustomUserDetailsService();
userDetSer.setUserService(userService);
filter.setExceptionIfHeaderMissing(false);
filter.setCustomUserDetailsService(userDetSer);
filter.setAuthenticationManager(authenticationManager());
return filter;
}
@Bean
public UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper() {
CustomUserDetailsService userDetSer = new CustomUserDetailsService();
userDetSer.setUserService(userService);
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<>();
wrapper.setUserDetailsService(userDetSer);
return wrapper;
}
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.addFilterBefore(ssoFilter(), RequestHeaderAuthenticationFilter.class)
.authenticationProvider(preauthAuthProvider());
httpSecurity
.exceptionHandling()
.authenticationEntryPoint(httpAuthenticationEntryPoint)
.and()
.authorizeRequests()
.antMatchers("/resources/**", "/", "/applogin", "/login", "/logout", "/verify**", "/verify/**", "/pub/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/signin")
.loginProcessingUrl("/signin")
.failureUrl("/signin?error")
.permitAll()
.successHandler(authSuccessHandler)
.failureHandler(authFailureHandler)
.and()
.logout()
.logoutUrl("/signout").invalidateHttpSession(true).permitAll()
.logoutSuccessHandler(logoutSuccessHandler)
.and()
.csrf().disable();
}
我试图访问{{url}}/applogin。以下是日志
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 17458 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
DEBUG 17458 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@49168180
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', GET]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'GET /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', POST]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/applogin'; against '/signout'
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', PUT]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'PUT /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using Ant [pattern='/signout', DELETE]
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'POST /applogin' doesn't match 'DELETE /signout
DEBUG 17458 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher : No matches found
DEBUG 17458 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /applogin at position 5 of 12 in additional filter chain; firing Filter: 'HeaderPreAuthProcessingFilter'
INFO 17458 --- [nio-8080-exec-1] t.l.c.w.HeaderPreAuthProcessingFilter : Authenticating [POST /applogin]
...
< application logs >
...
DEBUG 17458 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG 17458 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Successfully completed request
我使用的是Spring安全版4.2.1