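Yet another question about Spring configuration...

I have several REST methods that are open to everybody and not secured. These REST methods on server #1 are used by another server #2 in the same domain to get some data. The idea is that server #2 sets my_super_secure_cookie to some secure token, and server #1 decodes and verifies it. Here is the code: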

@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Some code
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/rest/public/*").permitAll()
            .anyRequest().authenticated();
    }
    // More code
}

public class SuperSecurityFilter extends FilterSecurityInterceptor implements Filter {
    public SuperSecurityFilter(String key) {
        super(key);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // getCookies() returns null when the request carries no cookies
        Cookie[] cookies = req.getCookies();
        Optional<Cookie> tokenCookie = cookies == null
                ? Optional.empty()
                : Arrays.stream(cookies).filter(cookie -> cookie.getName().equals("my_super_secure_cookie")).findFirst();
        if (tokenCookie.isPresent()) {
            Cookie cookie = tokenCookie.get();
            TokenCookie.create(cookie.getValue()).validate();
        } else {
            // doFilter may only throw IOException or ServletException
            throw new ServletException("Ooops!");
        }
        chain.doFilter(req, res);
    }
}

The question is how to configure SecurityConfig to use SecurityTokenFilter on requests to any of the /rest/public/* REST methods. Something like this:

http
    .antMatcher("/rest/public/*")
    .addFilterBefore(new SuperSecurityFilter());

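does not work; SuperSecurityFilter is not called on request.

P.S. I am forced to work with this type of security model because of current business logic limitations.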

Answer 0 (score: 0)

I solved (applied a workaround for?) the issue I had by implementing not a filter but an interceptor, like this:

public class SuperSecurityInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // implementation here (must return true to continue handling, false to stop)
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        // Nothing here
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
        // Nothing here
    }
}

And I registered this interceptor in my WebMvcConfigurerAdapter entity, like this:

registry.addInterceptor(new SuperSecurityInterceptor()).addPathPatterns("/rest/public/*");

Not sure if this is the correct thing to do... Anyway, I would be glad to know the conventional way to implement this type of functionality.
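
One way to do the cookie check as a servlet filter inside the Spring Security chain, so that it fails closed before any handler runs. This is an added example, not code from the question or the answer. It assumes the javax.servlet API that matches WebSecurityConfigurerAdapter; the class name TokenCookieFilter and the Predicate<String> validator (a stand-in for the question's TokenCookie decode-and-verify step) are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.function.Predicate;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example (hypothetical class): cookie check limited to /rest/public/*.
public class TokenCookieFilter extends OncePerRequestFilter {
    private static final String COOKIE_NAME = "my_super_secure_cookie";
    private final RequestMatcher protectedPaths = new AntPathRequestMatcher("/rest/public/*");
    private final Predicate<String> tokenValidator; // assumption: true only for a valid token

    public TokenCookieFilter(Predicate<String> tokenValidator) {
        this.tokenValidator = tokenValidator;
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return !protectedPaths.matches(request); // every other path skips this filter
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Cookie[] cookies = request.getCookies(); // null when the request carries no cookies
        boolean valid = cookies != null && Arrays.stream(cookies)
                .filter(c -> COOKIE_NAME.equals(c.getName()))
                .map(Cookie::getValue)
                .anyMatch(tokenValidator);
        if (!valid) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // reject without calling the chain
            return;
        }
        chain.doFilter(request, response);
    }
}

// Registration in SecurityConfig.configure(HttpSecurity http), next to the existing rules
// (tokenValidator is a placeholder for the real decode-and-verify logic):
//   http.addFilterBefore(new TokenCookieFilter(tokenValidator),
//                        UsernamePasswordAuthenticationFilter.class);
```

A HandlerInterceptor only sees requests that DispatcherServlet maps to a handler, whereas a filter in the security chain runs for every request that matches the pattern.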