tomcat在使用spring security CSRF保护访问另一个tomcat上的jsp时遇到403错误

时间:2017-05-01 13:15:41

标签: jsp tomcat spring-security

我需要Spring Security CSRF保护方面的帮助。当tomcat尝试使用CSRF保护访问tomcat上的jsp时出现403错误。有没有办法来解决这个问题?下面是整个spring-security.xml。

<beans:beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">



<security:http pattern="/conf/**" access-denied-page="/mobiledoc/jsp/ContentManagement/login.jsp" auto-config="true" request-matcher="ant" use-expressions="true" disable-url-rewriting="true">
            <security:intercept-url pattern="/**" access="denyAll"/>
    </security:http>

    <security:http pattern="/jsp/**" auto-config="true" request-matcher="ant" use-expressions="true" entry-point-ref="hubAuthEntryPoint" disable-url-rewriting="true">
        <security:intercept-url pattern="/**/*.css" access="permitAll"/>
        <security:intercept-url pattern="/**/images/**" access="permitAll"/>
        <security:intercept-url pattern="/**/*.js" access="permitAll"/>
        <security:intercept-url pattern="/**/img/**" access="permitAll"/>
        <security:intercept-url pattern="/**/fonts/**" access="permitAll"/>
        <security:intercept-url pattern="/mobiledoc/jsp/ContentManagement/login.jsp" access="permitAll"/>
        <security:intercept-url pattern="/mobiledoc/jsp/ContentManagement/supportLogin.jsp" access="permitAll"/>
        <security:intercept-url pattern="/mobiledoc/jsp/ContentManagement/supportLogout.jsp" access="permitAll"/>
        <security:intercept-url pattern="/**/uadmin/simpleCaptcha.png" access="permitAll"/>
        <security:intercept-url pattern="/**/uadmin/audio.wav" access="permitAll"/>
        <security:intercept-url pattern="/mobiledoc/jsp/catalog/xml/**/*" access="permitAll"/>
        <security:intercept-url pattern="/mobiledoc/jsp/catalog/xml/hl7/PushLabOrders.jsp" access="permitAll"/>

        <security:intercept-url pattern="/mobiledoc/jsp/**/*" access="authenticated" />

        <security:intercept-url pattern="/**" access="permitAll"/>

        <security:logout logout-url="/mobiledoc/jsp/ContentManagement/supportLogout.jsp" invalidate-session="true" delete-cookies="JSESSIONID" />

        <security:csrf request-matcher-ref="customCsrfRequestMatcher"/>
        <security:headers>
                        <security:xss-protection />
        </security:headers>
    </security:http>

    <security:http pattern="/**" request-matcher="ant" use-expressions="true"  disable-url-rewriting="true" security="none"/>

    <!-- hub specific entry point -->   
    <bean id="hubAuthEntryPoint"  class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
        p:loginFormUrl="/mobiledoc/jsp/ContentManagement/login.jsp"/>

    <security:authentication-manager  alias="authenticationManager" >
        <security:authentication-provider ref="customAuthenticationProvider"/>          
    </security:authentication-manager>

    <beans:bean id="customAuthenticationProvider" class="security.CustomAuthenticationProvider">
        <beans:property name="userService" ref="customUserDetailsService"/>
    </beans:bean>

    <!-- Global beans common for all -->
    <bean id="customCsrfRequestMatcher" class="security.CustomCsrfRequestMatcher"/>

    <bean id="dataSource" class="security.SpringDataSource"/>    

    <beans:bean id="customUserDetailsService" class="security.CustomUserService">
        <beans:property name="dataSource" ref="dataSource" />
        <beans:property name="usersByUsernameQuery" value="SELECT uname AS username, upwd AS password, 'true' AS enabled FROM users WHERE delflag=0 AND UserType IN (1,2) AND status = 0 AND ((uname!='' AND uname IS NOT NULL) OR uname=?)"  />
        <beans:property name="authoritiesByUsernameQuery" value="SELECT uname AS username, 'Default' AS role FROM users WHERE delflag=0 AND UserType IN (1,2) AND ((uname!='' AND uname IS NOT NULL) OR uname=?)" />
    </beans:bean>

</beans:beans>

public class CustomCsrfRequestMatcher实现RequestMatcher {

// Disable CSFR protection on the following urls:
private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
private AntPathRequestMatcher[] requestMatchers = { new AntPathRequestMatcher("/jsp/**") };
private Pattern resourcePattern = Pattern.compile(".*?/jsp/.*?((/(images|img|css|js|fonts|Apptcss)/.*?)|.*.(js|css|png|jpg|woff|tld|gif))$");
private Pattern loginPage = Pattern.compile("(.*?/jsp/ContentManagement/login.jsp|.*?/jsp/ContentManagement/supportLogin.jsp)");

public boolean matches(HttpServletRequest request) {

    if(allowedMethods.matcher(request.getMethod()).matches()){
        return false;
    }

    if (resourcePattern.matcher(request.getRequestURL()).matches()) {
        return false;
    }

    if(loginPage.matcher(request.getRequestURL()).matches()){
        return false;
    }

    for (AntPathRequestMatcher rm : requestMatchers) {
        if (rm.matches(request)) {
            return true;
        }
    }
    return false;
}

}

失败的电话是/mobiledoc/jsp/catalog/xml/hl7/PushLabOrders.jsp

0 个答案:

没有答案