I am trying to connect Hawtio (1.4.64) to the Jolokia agent (1.3.3) running inside a Spring application on Tomcat 7.
After a recent upgrade to Spring Security (4.0.3), hawtio stopped authenticating correctly (using basic auth) and we get kicked back to the login page, similar to GROUP_BY.
Unlike that question, we only use the Jolokia agent rather than including hawtio in our application (and we don't use Spring Boot).
After checking the Spring debug logs, it looks as if the AnonymousAuthenticationFilter is setting the user to "anonymous" before the BasicAuthenticationFilter is applied. So I adjusted the security configuration and disabled all defaults, keeping the following:
    // Imports belong at the top of the enclosing configuration file.
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @Order(2)
    public static class JolokiaSecurityConfig extends WebSecurityConfigurerAdapter {

        public JolokiaSecurityConfig() {
            // disable defaults: with true, WebSecurityConfigurerAdapter applies none of its
            // default configurers (csrf, exceptionHandling, anonymous, sessionManagement, ...)
            super(true);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // this filter chain only handles the Jolokia agent path
                .requestMatchers().antMatchers("/jolokia/**")
                .and().authorizeRequests().antMatchers("/jolokia/**").hasAuthority(BaseRoles.DEVELOPER)
                .and().httpBasic();
        }
    }
Now when I log in to Hawtio, I get an error in the Hawtio console containing some output from my Tomcat 7 server: HTTP Status 500 - An Authentication object was not found in the SecurityContext
Stack trace:
Jul 06, 2016 12:43:14 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [jolokia-agent] in context with path [/foobar] threw exception
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:378)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:222)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
...
Why does basic authentication no longer work? Thanks for your help!
Answer 0 (score: 0)
We solved this by overriding the exception handling so that the BasicAuthenticationEntryPoint is called again:
    // Imports belong at the top of the enclosing configuration file.
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

    @Configuration
    @Order(2)
    public static class JolokiaSecurityConfig extends WebSecurityConfigurerAdapter {

        private static final String REALM = "our admin services";
        private static final String JOLOKIA_URL_PATTERN = "/jolokia/**";

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Entry point that answers an unauthenticated request with
            // 401 and a "WWW-Authenticate: Basic realm=..." challenge
            BasicAuthenticationEntryPoint authenticationEntryPoint = new BasicAuthenticationEntryPoint();
            authenticationEntryPoint.setRealmName(REALM);

            http
                .csrf().disable()
                .requestMatchers().antMatchers(JOLOKIA_URL_PATTERN)
                .and().authorizeRequests().antMatchers(JOLOKIA_URL_PATTERN).hasAuthority(BaseRoles.DEVELOPER)
                .and().httpBasic().realmName(REALM)
                // send authentication failures to the Basic entry point instead of a login page
                .and().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
        }
    }