我正在创建一个Spring Security配置,以供任何想要创建由Spring Security担保的Stormpath Spring应用程序的开发人员用作库。
为此我已经对WebSecurityConfigurerAdapter进行了分类,并通过configure(HttpSecurity)在AuthenticationProvider和Stormpath configure(AuthenticationManagerBuilder)中定义了Stormpath访问控制。所有这些都可以在这个抽象类及其具体的子类中看到:
@Order(99)
public abstract class AbstractStormpathWebSecurityConfiguration extends WebSecurityConfigurerAdapter {
//Removed properties and beans for the sake of keeping focus on the important stuff
/**
* The pre-defined Stormpath access control settings are defined here.
*
* @param http the {@link HttpSecurity} to be modified
* @throws Exception if an error occurs
*/
protected void configure(HttpSecurity http, AuthenticationSuccessHandler successHandler, LogoutHandler logoutHandler)
throws Exception {
if (loginEnabled) {
http
.formLogin()
.loginPage(loginUri)
.defaultSuccessUrl(loginNextUri)
.successHandler(successHandler)
.usernameParameter("login")
.passwordParameter("password");
}
if (logoutEnabled) {
http
.logout()
.invalidateHttpSession(true)
.logoutUrl(logoutUri)
.logoutSuccessUrl(logoutNextUri)
.addLogoutHandler(logoutHandler);
}
if (!csrfProtectionEnabled) {
http.csrf().disable();
} else {
//Let's configure HttpSessionCsrfTokenRepository to play nicely with our Controllers' forms
http.csrf().csrfTokenRepository(stormpathCsrfTokenRepository());
}
}
/**
* Method to specify the {@link AuthenticationProvider} that Spring Security will use when processing authentications.
*
* @param auth the {@link AuthenticationManagerBuilder} to use
* @param authenticationProvider the {@link AuthenticationProvider} to whom Spring Security will delegate authentication attempts
* @throws Exception if an error occurs
*/
protected void configure(AuthenticationManagerBuilder auth, AuthenticationProvider authenticationProvider) throws Exception {
auth.authenticationProvider(authenticationProvider);
}
}
@Configuration
public class StormpathWebSecurityConfiguration extends AbstractStormpathWebSecurityConfiguration {
//Removed beans for the sake of keeping focus on the important stuff
@Override
protected final void configure(HttpSecurity http) throws Exception {
configure(http, stormpathAuthenticationSuccessHandler(), stormpathLogoutHandler());
}
@Override
protected final void configure(AuthenticationManagerBuilder auth) throws Exception {
configure(auth, super.stormpathAuthenticationProvider);
}
}
简而言之,我们基本上定义了我们的登录和注销机制,并整合了我们的CSRF代码,以便与Spring Security的一致。
到目前为止一切正常。
但这只是"图书馆"我们希望用户在其上构建自己的应用程序。
因此,我们创建了一个Sample应用程序来演示用户如何使用我们的库。
用户基本上想要创建自己的WebSecurityConfigurerAdapter。像这样:
@EnableStormpathWebSecurity
@Configuration
@ComponentScan
@PropertySource("classpath:application.properties")
@Order(1)
public class SpringSecurityWebAppConfig extends WebSecurityConfigurerAdapter {
/**
* {@inheritDoc}
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/restricted").fullyAuthenticated();
}
}
如果确实需要这样做,WebApplicationInitializer看起来像这样:
public class WebAppInitializer implements WebApplicationInitializer {
@Override
public void onStartup(ServletContext sc) throws ServletException {
AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
context.register(SpringSecurityWebAppConfig.class);
context.register(StormpathMethodSecurityConfiguration.class);
sc.addListener(new ContextLoaderListener(context));
ServletRegistration.Dynamic dispatcher = sc.addServlet("dispatcher", new DispatcherServlet(context));
dispatcher.setLoadOnStartup(1);
dispatcher.addMapping("/");
//Stormpath Filter
FilterRegistration.Dynamic filter = sc.addFilter("stormpathFilter", new DelegatingFilterProxy());
EnumSet<DispatcherType> types =
EnumSet.of(DispatcherType.ERROR, DispatcherType.FORWARD, DispatcherType.INCLUDE, DispatcherType.REQUEST);
filter.addMappingForUrlPatterns(types, false, "/*");
//Spring Security Filter
FilterRegistration.Dynamic securityFilter = sc.addFilter(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME, DelegatingFilterProxy.class);
securityFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");
}
}
所有这些代码都正确启动。如果我转到localhost:8080,我会看到欢迎屏幕。如果我转到localhost:8080/login,我会看到登录屏幕。但是,如果我转到localhost:8080/restricted,我应该被重定向到登录页面,因为我们有这一行:http.authorizeRequests().antMatchers("/restricted").fullyAuthenticated();。不过,我正在看Access Denied页。
然后,如果我在App的访问控制中添加登录URL,如下所示:
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().loginPage("/login")
.and()
.authorizeRequests().antMatchers("/restricted").fullyAuthenticated();
}
它现在将我重定向到登录页面,但是一旦我提交凭据,我就会遇到CSRF问题,这意味着我们所有的配置实际上都不是此过滤器链的一部分。
当我调试它时,似乎每个WebApplicationInitializer都有自己的具有自己的过滤器链的实例。我希望它们能以某种方式连接起来,但似乎它实际上并没有发生......
任何人都尝试过这样的事情吗?
顺便说一句:作为一种变通方法,用户可以public class SpringSecurityWebAppConfig extends StormpathWebSecurityConfiguration代替SpringSecurityWebAppConfig extends WebSecurityConfigurerAdapter。这种方式可行但我希望用户拥有纯粹的Spring Security代码,并从我们StormpathWebSecurityConfiguration的那个角度扩展到该目标。
可以看到所有代码here。 Spring的Stormpath Spring Security库位于extensions/spring/stormpath-spring-security-webmvc之下。使用该库的示例应用程序位于examples/spring-security-webmvc。
运行起来很简单......你只需要注册到Stormpath as explained here。然后,您可以签出spring_security_extension_redirect_to_login_not_working分支并启动示例应用程序,如下所示:
$ git clone git@github.com:mrioan/stormpath-sdk-java.git
$ git checkout spring_security_extension_redirect_to_login_not_working
$ mvn install -DskipTests=true
$ cd examples/spring-security-webmvc
$ mvn jetty:run
然后,您可以转到localhost:8080/restricted,看到您没有被重定向到登录页面。
非常感谢任何帮助!
答案 0 :(得分:3)
根据我的经验,在启动时有多个WebSecurityConfigurer搞乱安全配置的问题。
解决此问题的最佳方法是将您的库配置设置为SecurityConfigurerAdapters,以便在适当的位置应用。
public class StormpathHttpSecurityConfigurer
extends AbstractStormpathWebSecurityConfiguration
implements SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> {
//Removed beans for the sake of keeping focus on the important stuff
@Override
protected final void configure(HttpSecurity http) throws Exception {
configure(http, stormpathAuthenticationSuccessHandler(), stormpathLogoutHandler());
}
}
public class StormpathAuthenticationManagerConfigurer
extends AbstractStormpathWebSecurityConfiguration
implements SecurityConfigurer<AuthenticationManager, AuthenticationManagerBuilder> {
//Removed beans for the sake of keeping focus on the important stuff
@Override
protected final void configure(AuthenticationManagerBuilder auth) throws Exception {
configure(auth, super.stormpathAuthenticationProvider);
}
}
然后,您可以在自己的配置中使用这些用户apply:
@EnableStormpathWebSecurity
@Configuration
@ComponentScan
@PropertySource("classpath:application.properties")
@Order(1)
public class SpringSecurityWebAppConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/restricted").fullyAuthenticated()
.and()
.apply(new StormPathHttpSecurityConfigurer(...))
;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.apply(new StormPathAuthenticationManagerConfigurer(...));
}
}
答案 1 :(得分:-2)
这肯定是关于Antmatchers的任何一个订单的问题,或者没有指定您允许访问该URL的用户的ROLES。
你有什么上面的“/限制”?
是否完全阻止该网址下方的内容?您应该首先指定更具体的URL,通用URL。
尝试正确配置上述网址(或告诉我它是什么,以便我可以帮助您),也许在“/ restricted”的父网址上应用“fullyAuthenticated”和“permitAll”ROLE。