I am using this security configuration:
<security:http pattern="/app/.*" security="none" />
<security:http pattern="/assets/.*" security="none" />
<security:http jaas-api-provision="true" request-matcher="regex" use-expressions="true"
               entry-point-ref="defaultLoginUrlAuthenticationEntryPoint">
    <security:csrf disabled="true"/>
    <security:intercept-url pattern="/index\.html.*" access="isAuthenticated()"/>
    <security:intercept-url pattern="/services/.*" access="isAuthenticated()"/>
    <security:custom-filter before="FORM_LOGIN_FILTER" ref="myAuthenticationFilter"/>
    <security:custom-filter before="LAST" ref="myTokenFilter"/>
    <security:form-login authentication-failure-handler-ref="defaultAuthenticationFailureHandler"
                         authentication-success-handler-ref="defaultSuccessHandler"
                         login-processing-url="/login"/>
    <security:access-denied-handler ref="defaultAccessDeniedHandler"/>
    <security:logout delete-cookies="user" success-handler-ref="defaultLogoutHandler" logout-url="/logout"/>
</security:http>
The application works fine with it, but there is a performance problem, because the security="none" configuration is wrong (I use regex patterns, but the default matcher is Ant) and myTokenFilter calls the REST services more often than I need. I corrected the configuration as follows:
<security:http request-matcher="regex" pattern="/app/.*" security="none" />
<security:http request-matcher="regex" pattern="/assets/.*" security="none" />
Now the filters work correctly, but the application no longer works. All static requests return 302 and are redirected to logout. I changed my logout URL to avoid the redirect back to the portal, and I can see this in the browser.
Old configuration (working).
New configuration:
Apart from the logout, I noticed that the browser treats js files as json for no reason.
My application uses Angular and Spring Boot. Currently the static resources are configured with a property:
spring.resources.static-locations=classpath:/META-INF/resources/webjars/web-template/,classpath:/static/
Before, they were configured with a bean:
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
    registry.addResourceHandler("/**")
            .addResourceLocations("classpath:/META-INF/resources/webjars/web-template/")
            .addResourceLocations("classpath:/static/");
}
A short log of trying to access a js file directly.
2016-04-29 15:02:37.700 DEBUG 7372 --- [http-nio-9082-exec-4] o.s.b.c.web.OrderedRequestContextFilter : Bound request context to thread: org.apache.catalina.connector.RequestFacade@7e25c043
2016-04-29 15:02:37.700 DEBUG 7372 --- [http-nio-9082-exec-4] o.s.s.w.u.matcher.RegexRequestMatcher : Checking match of request : '/app/view/service.js'; against '/app/.*'
2016-04-29 15:02:37.700 DEBUG 7372 --- [http-nio-9082-exec-4] o.s.security.web.FilterChainProxy : /app/view/service.js has an empty filter list
2016-04-29 15:02:37.700 DEBUG 7372 --- [http-nio-9082-exec-4] o.s.b.c.web.OrderedRequestContextFilter : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@7e25c043
2016-04-29 15:02:37.700 DEBUG 7372 --- [http-nio-9082-exec-5] o.s.b.c.web.OrderedRequestContextFilter : Bound request context to thread: org.apache.catalina.connector.RequestFacade@7e25c043
2016-04-29 15:02:37.700 DEBUG 7372 --- [http-nio-9082-exec-5] o.s.s.w.u.matcher.RegexRequestMatcher : Checking match of request : '/logout'; against '/app/.*'
2016-04-29 15:02:37.700 DEBUG 7372 --- [http-nio-9082-exec-5] o.s.s.w.u.matcher.RegexRequestMatcher : Checking match of request : '/logout'; against '/assets/.*'
2016-04-29 15:02:37.700 DEBUG 7372 --- [http-nio-9082-exec-5] o.s.security.web.FilterChainProxy : /logout at position 1 of 16 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-04-29 15:02:37.715 DEBUG 7372 --- [http-nio-9082-exec-5] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-04-29 15:02:37.715 DEBUG 7372 --- [http-nio-9082-exec-5] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-04-29 15:02:37.715 DEBUG 7372 --- [http-nio-9082-exec-5] o.s.security.web.FilterChainProxy : /logout at position 2 of 16 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-04-29 15:02:37.715 DEBUG 7372 --- [http-nio-9082-exec-5] o.s.security.web.FilterChainProxy : /logout at position 3 of 16 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-04-29 15:02:37.715 DEBUG 7372 --- [http-nio-9082-exec-5] o.s.security.web.FilterChainProxy : /logout at position 4 of 16 in additional filter chain; firing Filter: 'LogoutFilter'
2016-04-29 15:02:37.715 DEBUG 7372 --- [http-nio-9082-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/logout'; against '/logout'
2016-04-29 15:02:37.715 DEBUG 7372 --- [http-nio-9082-exec-5] o.s.s.w.a.logout.LogoutFilter : Logging out user 'null' and transferring to logout destination
Any thoughts on this strange behaviour?
EDIT: I am using spring-io-platform version 2.0.1-RELEASE and updated to 2.0.3 trying to solve this problem.
EDIT: I converted the configuration to Java Config; no solution.
@Configuration
@EnableWebSecurity
@ImportResource("classpath:application-context-ui-security.xml")
@Profile(DEFAULT_PROFILE)
protected static class SecurityUIApplication extends WebSecurityConfigurerAdapter {

    @Inject
    private MyAuthenticationFilter myAuthenticationFilter;
    @Inject
    private MyTokenFilter myTokenFilter;
    @Inject
    private DefaultAuthenticationFailureHandler defaultAuthenticationFailureHandler;
    @Inject
    private AuthenticationSuccessHandler defaultSuccessHandler;
    @Inject
    private DefaultAccessDeniedHandler defaultAccessDeniedHandler;
    @Resource
    private DefaultLogoutHandler defaultLogoutHandler;
    @Inject
    private DefaultLoginUrlAuthenticationEntryPoint defaultLoginUrlAuthenticationEntryPoint;

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Java Config equivalent of the two security="none" entries:
        // these paths bypass the security filter chain entirely
        web.ignoring().regexMatchers("/app/.*", "/assets/.*");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .exceptionHandling()
                .accessDeniedHandler(defaultAccessDeniedHandler)
                .authenticationEntryPoint(defaultLoginUrlAuthenticationEntryPoint)
            .and()
            // FORM_LOGIN_FILTER in the XML is UsernamePasswordAuthenticationFilter
            .addFilterBefore(myAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(myTokenFilter, AnonymousAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers("/index.html**", "/services/**").authenticated()
                .anyRequest().permitAll()
            .and().formLogin()
                .failureHandler(defaultAuthenticationFailureHandler)
                .loginProcessingUrl("/login")
                .successHandler(defaultSuccessHandler)
            .and().logout()
                .logoutSuccessHandler(defaultLogoutHandler)
                .deleteCookies("user")
                .logoutUrl("/logout");
    }
}
I still import the XML because I need to import the framework's XML, and there is an abstract bean I have to override, but only one property of it.
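As an added example (mine, not code from the question or from Spring), here is a small Python model of the two request-matcher dialects that shows why the original security="none" entries never matched: under the default Ant matcher the '.' is a literal and '*' stops at a segment boundary, so "/app/.*" only reaches files whose name starts with a dot, and every other static file silently went through the full filter chain. The Ant translation is a simplified approximation of Spring's AntPathMatcher, and the sample paths are constructed (one of them is the path from the log above).

```python
import re

# Simplified model of Spring Security's AntPathRequestMatcher (default) and
# RegexRequestMatcher (request-matcher="regex"); not Spring's own code.

def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regex:
    '**' spans path segments, '*' and '?' stay inside one segment,
    and every other character, '.' included, is a literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")          # '/**' also matches the bare prefix
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def matches(pattern: str, path: str, matcher: str = "ant") -> bool:
    """matcher='regex' requires the whole path to match, like RegexRequestMatcher."""
    if matcher == "regex":
        return re.fullmatch(pattern, path) is not None
    return ant_to_regex(pattern).fullmatch(path) is not None

def audit_exclusions(exclusions, sample_paths, matcher):
    """Map each security='none' pattern to the sample paths it would take out of
    the filter chain; an empty list means the exclusion is dead configuration."""
    return {p: [u for u in sample_paths if matches(p, u, matcher)] for p in exclusions}

# Constructed sample paths; '/app/view/service.js' is the one from the log.
SAMPLE_PATHS = ["/app/view/service.js", "/app/.hidden", "/assets/css/main.css",
                "/index.html", "/services/users", "/logout"]
EXCLUSIONS = ["/app/.*", "/assets/.*"]

if __name__ == "__main__":
    for dialect in ("ant", "regex"):
        print(dialect, audit_exclusions(EXCLUSIONS, SAMPLE_PATHS, dialect))
    # Ant spelling of the same intent: '/app/**' reaches everything under /app/
    print("ant /app/**", audit_exclusions(["/app/**"], SAMPLE_PATHS, "ant"))
```

Running the audit against both dialects before deploying a change like this makes a silently dead exclusion visible instead of discovering it through filter performance or, as here, a behaviour change once it starts matching.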