我有一个基于Spring的Web服务,我想提供Spring安全性。它的工作原理,它可以通过USER和ADMIN角色进行身份验证。但是我有一个新的要求,我需要验证不是USER和ADMIN角色的请求,而是验证请求来自的子域。
通常,通过IP进行身份验证:
<http use-expressions="true">
<intercept-url pattern="/admin*"
access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>
...
</http>
但是,我的情况完全不同,我需要根据请求来自的域和子域进行身份验证。
像:
jim.foo.com
tim.foo.com
jim.foo.com和tim.foo.com拥有相同的IP地址。每个子域都单独进行身份验证。
有可能吗?
答案 0 :(得分:7)
根据@ franz-ebner对@ zayagi回答的评论,我可以在这里举一个具体的例子。 @ zayagi的答案是一个完美的答案 - 这只是为了帮助其他具体用例。
这个例子是用Java 8编写的,当时Spring Boot的版本为1.1.6,Spring 4.0.x(Spring启动版现在是1.3.0,Spring 4.2,其中包含Web配置改进)。这是在2014年底写的,可能需要刷新,但是因为它被要求而提供它,并且可能能够帮助其他人。我无法提供测试,因为它们中有特定的IP地址,我不想分享; - )
第一个类定义了spring安全表达式(例如isCompanyInternal()),并包含对x-forwarded-for头的支持。使用此标头,您不应该在任何情况下都信任它,因为任何人都可以添加它并可能造成安全威胁。因此,此标头只能信任某些内部IP范围。
package org.mycompany.spring.security.web.acccess.expression;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;
import org.springframework.security.web.util.matcher.IpAddressMatcher;
import org.springframework.util.Assert;
import java.util.Optional;
import java.util.stream.Stream;
public class MyCompanyWebSecurityExpressionRoot extends WebSecurityExpressionRoot {
public static final String LOCALHOST = "127.0.0.1";
public static final String COMPANY_DESKTOPS = "-suppressed for example-";
public static final String COMPANY_INTERNET_1 = "-suppressed for example-";
public static final String COMPANY_INTERNET_2 = "-suppressed for example-";
/**
* See http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
*/
public static final String RFC_1918_INTERNAL_A = "10.0.0.0/8";
/**
* See http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
*/
public static final String RFC_1918_INTERNAL_B = "172.16.0.0/12";
/**
* See http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
*/
public static final String RFC_1918_INTERNAL_C = "192.168.0.0/16";
private IpAddressMatcher[] internalIpMatchers;
private IpAddressMatcher trustedProxyMatcher;
public MyCompanyWebSecurityExpressionRoot(Authentication a, FilterInvocation fi) {
super(a, fi);
setInternalIpRanges(RFC_1918_INTERNAL_A,
COMPANY_INTERNET_1,
COMPANY_INTERNET_2,
COMPANY_DESKTOPS,
RFC_1918_INTERNAL_B,
RFC_1918_INTERNAL_C,
LOCALHOST);
setTrustedProxyIpRange(RFC_1918_INTERNAL_A);
}
public boolean hasAnyIpAddress(String... ipAddresses) {
return Stream.of(ipAddresses)
.anyMatch(ipAddress -> new IpAddressMatcher(ipAddress).matches(request));
}
public boolean hasAnyIpAddressBehindProxy(String trustedProxyRange, String... ipAddresses) {
String remoteIpAddress = getForwardedIp(trustedProxyRange).orElseGet(request::getRemoteAddr);
return Stream.of(ipAddresses)
.anyMatch(ipAddress -> new IpAddressMatcher(ipAddress).matches(remoteIpAddress));
}
public boolean isCompanyInternal() {
String remoteIpAddress = getForwardedIp(trustedProxyMatcher).orElseGet(request::getRemoteAddr);
return Stream.of(internalIpMatchers)
.anyMatch(matcher -> matcher.matches(remoteIpAddress));
}
/**
* <p>This specifies one or more IP addresses/ranges that indicate the remote client is from the company network.</p>
*
* <p>If not set, this will default to all of the following values:</p>
* <ul>
* <li>{@code RFC_1918_INTERNAL_A}</li>
* <li>{@code RFC_1918_INTERNAL_B}</li>
* <li>{@code RFC_1918_INTERNAL_C}</li>
* <li>{@code COMPANY_INTERNET_1}</li>
* <li>{@code COMPANY_INTERNET_2}</li>
* <li>{@code COMPANY_DESKTOPS}</li>
* <li>{@code LOCALHOST}</li>
* </ul>
*
* @param internalIpRanges ip addresses or ranges. Must not be empty.
*
*/
public void setInternalIpRanges(String... internalIpRanges) {
Assert.notEmpty(internalIpRanges, "At least one IP address/range is required");
this.internalIpMatchers = Stream.of(internalIpRanges)
.map(IpAddressMatcher::new)
.toArray(IpAddressMatcher[]::new);
}
/**
* <p>When checking for the <code>x-forwarded-for</code> header in the incoming request we will only use
* that value from a trusted proxy as it can be spoofed by anyone. This value represents the IP address
* or IP range that we will trust.</p>
*
* <p>The default value if this is not set is {@code RFC_1918_INTERNAL_A}.</p>
*
* @param trustedProxyIpRange ip address or range. Must not be null.
*
*/
public void setTrustedProxyIpRange(String trustedProxyIpRange) {
Assert.notNull(trustedProxyIpRange, "A non-null value is for trusted proxy IP address/range");
this.trustedProxyMatcher = new IpAddressMatcher(trustedProxyIpRange);
}
private Optional<String> getForwardedIp(String trustedProxyRange) {
return getForwardedIp(new IpAddressMatcher(trustedProxyRange));
}
private Optional<String> getForwardedIp(IpAddressMatcher trustedProxyMatcher) {
String proxiedIp = request.getHeader("x-forwarded-for");
if (proxiedIp != null && trustedProxyMatcher.matches(request.getRemoteAddr())) {
return Optional.of(proxiedIp);
}
return Optional.empty();
}
}
第二个类定义在配置安全性时注入的表达式处理程序。
package org.mycompany.spring.security.web.acccess.expression;
import org.springframework.security.access.expression.SecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
public class MyCompanyWebSecurityExpressionHandler extends DefaultWebSecurityExpressionHandler {
private static final AuthenticationTrustResolver TRUST_RESOLVER = new AuthenticationTrustResolverImpl();
private String[] customInternalIpRanges;
private String customTrustedProxyIpRange;
@Override
protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, FilterInvocation fi) {
MyCompanyWebSecurityExpressionRoot root = new MyCompanyWebSecurityExpressionRoot(authentication, fi);
root.setPermissionEvaluator(getPermissionEvaluator());
root.setTrustResolver(TRUST_RESOLVER);
root.setRoleHierarchy(getRoleHierarchy());
if (customInternalIpRanges != null) {
root.setInternalIpRanges(customInternalIpRanges);
}
if (customTrustedProxyIpRange != null) {
root.setTrustedProxyIpRange(customTrustedProxyIpRange);
}
return root;
}
/**
* <p>Only set this if you want to override the default internal IP ranges defined within
* {@link MyCompanyWebSecurityExpressionRoot}.</p>
*
* <p>See {@link MyCompanyWebSecurityExpressionRoot#setInternalIpRanges(String...)}</p>
*
* @param customInternalIpRanges ip address or ranges
*/
public void setCustomInternalIpRanges(String... customInternalIpRanges) {
this.customInternalIpRanges = customInternalIpRanges;
}
/**
* Only set this if you want to override the default trusted proxy IP range set in
* {@link MyCompanyWebSecurityExpressionRoot}.
*
* @param customTrustedProxyIpRange ip address or range
*/
public void setCustomTrustedProxyIpRange(String customTrustedProxyIpRange) {
this.customTrustedProxyIpRange = customTrustedProxyIpRange;
}
}
最后这里是一起使用这些的例子: @组态 公共静态类WebInternalSecurityConfig扩展了WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/favicon.ico", "/robots.txt");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.expressionHandler(new MyCompanyWebSecurityExpressionHandler())
.anyRequest().access("isCompanyInternal()");
}
}
答案 1 :(得分:3)
除了SecurityExpressionRoot及其子类WebSecurityExpressionRoot中定义的内置函数之外,还可以定义自己的函数。您只需要扩展后者,按照您喜欢的方式添加自己的request对象函数,然后配置Spring Security使用它而不是默认值(WebSecurityExpressionRoot)。方法如下:
DefaultWebSecurityExpressionHandler.createSecurityExpressionRoot()实现的子类中的SecurityExpressionRoot。<expression-handler ref="yourCustomSecurityExpressionRootHandler"> config元素中使用<http>对其进行引用。