Spring Security 3.1 custom filter problem: excluding anonymous URLs

Time: 2013-11-26 11:53:11

Tags: java spring rest cookies spring-security

I am developing a RESTful API. My URLs have two kinds of security restrictions:

  • /rest/authenticate (anonymous, to generate a token and receive a cookie)
  • /rest/** (handled by AuthenticationTokenProcessingFilter, which takes the cookie and checks it)

The main idea is to access /rest/authenticate anonymously to obtain the cookie, then use that cookie to access the other URLs (/rest/users, /rest/...) and check its validity in the custom filter.

This is my http configuration:

<http realm="Protected REST API" pattern="/rest/**" use-expressions="true" auto-config="false" create-session="stateless"  entry-point-ref="RestAuthenticationEntryPoint">
    <custom-filter ref="AuthenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" />
    <intercept-url pattern="/rest/authenticate*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/rest/**" access="isAuthenticated()"/>
</http>

I have also implemented some classes to do the work:

<b:bean id="RestAuthenticationEntryPoint" class="**.web.security.RestAuthenticationEntryPoint" /> 

<b:bean id="customAuthenticationManager" class="**.web.security.CustomAuthenticationManager"/>

<b:bean id="AuthenticationTokenProcessingFilter" class="**.web.security.AuthenticationTokenProcessingFilter">
    <b:constructor-arg type="**.web.security.CustomAuthenticationManager" ref="customAuthenticationManager"></b:constructor-arg>
</b:bean>

<b:bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <b:property name="authenticationEntryPoint" ref="RestAuthenticationEntryPoint"/>
    <b:property name="accessDeniedHandler" ref="accessDeniedHandler"/>
</b:bean>

<b:bean id="accessDeniedHandler" class="**.web.security.RestAccessDeniedHandler">
    <b:property name="accessDeniedUrl" value="403" />
</b:bean>

Instead of going straight to the controller, the doFilter method of AuthenticationTokenProcessingFilter intercepts /rest/authenticate.

This is my AuthenticationTokenProcessingFilter:

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.filter.GenericFilterBean;

public class AuthenticationTokenProcessingFilter extends GenericFilterBean {

    @Autowired
    UserService userService;

    @Autowired
    TokenUtilsService tokenUtilsService;

    CustomAuthenticationManager customAuthenticationManager;

    // Injected through the <b:constructor-arg> in the security XML above.
    public AuthenticationTokenProcessingFilter(CustomAuthenticationManager customAuthenticationManager) {
        this.customAuthenticationManager = customAuthenticationManager;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Check the cookie by calling customAuthenticationManager.authenticate
        chain.doFilter(request, response);
    }
}

I thought this filter would only be launched for the restricted URLs. Is it perhaps always launched, and I have to check manually whether the role is anonymous?

The solution will be upvoted and accepted.
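An added example, not the asker's code: a version of the filter that skips the anonymous URL itself. Every filter in an <http> chain runs for every request that matches the chain's pattern="/rest/**"; the <intercept-url access> rules are only evaluated later, by FilterSecurityInterceptor, so the filter has to know which URL is the login URL. The "auth-token" cookie name, the use of PreAuthenticatedAuthenticationToken to carry the cookie value, and typing the constructor argument as AuthenticationManager (which CustomAuthenticationManager is assumed to implement) are assumptions; imports use Spring Security 3.1 package names.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.util.AntPathRequestMatcher; // 3.1 package; 3.2+ moved it to web.util.matcher
import org.springframework.security.web.util.RequestMatcher;
import org.springframework.web.filter.GenericFilterBean;
import org.springframework.web.util.WebUtils;

public class AuthenticationTokenProcessingFilter extends GenericFilterBean {
    private static final String TOKEN_COOKIE = "auth-token"; // assumed cookie name
    // The anonymous login URL is passed straight through without a token check.
    private final RequestMatcher skipMatcher = new AntPathRequestMatcher("/rest/authenticate*");
    private final AuthenticationManager authenticationManager;

    public AuthenticationTokenProcessingFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Cookie cookie = WebUtils.getCookie(request, TOKEN_COOKIE);
        if (skipMatcher.matches(request) || cookie == null) {
            // Login URL, or no token at all: leave the context empty so FilterSecurityInterceptor
            // and the entry point decide (anonymous allowed for /rest/authenticate*, 401 elsewhere).
            chain.doFilter(request, response);
            return;
        }
        try {
            Authentication auth = authenticationManager.authenticate(
                    new PreAuthenticatedAuthenticationToken(cookie.getValue(), cookie.getValue()));
            SecurityContextHolder.getContext().setAuthentication(auth);
            chain.doFilter(request, response);
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext(); // invalid or expired token: fail closed
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid authentication token");
        }
    }
}
```

The alternative that keeps the filter unchanged is a separate `<http pattern="/rest/authenticate*" security="none"/>` element declared before the /rest/** chain, so the login URL never enters that chain at all.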

0 answers:

No answers