My Spring Security configuration is

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
                .antMatchers("/resources/**"); // #3
    }

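Taken from here. The documentation for ignoring says:

Allows adding RequestMatcher instances that Spring Security should ignore. ... Typically the requests that are registered should be that of only static resources.

I want to add some headers to the files served from resources, for example Strict-Transport-Security: max-age=31536000 and X-Content-Type-Options: nosniff.

How can I do that?
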
Answer 0 (score: 0)
One solution is to change it to

An example of how to allow cache-control headers plus all the default Spring Security headers.

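Answer 1 (score: 0)
I have been struggling with the same problem. When I ignore specific requests in WebSecurity, the headers are gone.
I fixed the missing headers by applying a filter, which adds the headers, to every request.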

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterBefore(securityHeaderFilter, BasicAuthenticationFilter.class);
        // ... (rest of the configuration elided in the original answer)
    }

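The filter code looks like this. The important thing to note here is that the filter must be declared as a @Component. If you miss the @Component annotation, the filter is ignored.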
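
    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.stereotype.Component;

    @Component
    public class SecurityHeaderFilter implements Filter {

        @Override
        public void init(FilterConfig fc) throws ServletException {
            // Do nothing
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            // Set the headers before handing the request on, so they are in place
            // before the response is committed.
            HttpServletResponse httpServletResponse = (HttpServletResponse) response;
            httpServletResponse.setHeader("custom-header1", "header-value1");
            httpServletResponse.setHeader("custom-header2", "header-value2");
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() {
            // Do nothing
        }
    }
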
Answer 2 (score: 0)
I used the following solution:

    @Bean
    public FilterRegistrationBean setHeaders() {
        // Strict-Transport-Security with max-age=31536000 and includeSubDomains
        HstsHeaderWriter hstsHeaderWriter = new HstsHeaderWriter(31536000, true);
        // X-Content-Type-Options: nosniff
        XContentTypeOptionsHeaderWriter xContentTypeOptionsHeaderWriter = new XContentTypeOptionsHeaderWriter();

        List<HeaderWriter> headerWriters = new ArrayList<>();
        headerWriters.add(hstsHeaderWriter);
        headerWriters.add(xContentTypeOptionsHeaderWriter);

        // Register the filter with the servlet container, outside the Spring Security chain
        HeaderWriterFilter headerWriterFilter = new HeaderWriterFilter(headerWriters);
        FilterRegistrationBean bean = new FilterRegistrationBean(headerWriterFilter);
        bean.setOrder(1);
        return bean;
    }

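The bean above adds a filter globally to all resources (even the ignored ones). You can check the various implementations of org.springframework.security.web.header.HeaderWriter.java for different kinds of security headers and add them all to HeaderWriterFilter.java.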
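
An alternative to the filter workarounds above, added here as an example and not taken from any of the answers: keep /resources/** inside the security filter chain with permitAll() instead of web.ignoring(), so that Spring Security's own header writers run for static files too. The class name is hypothetical, and the code assumes the same WebSecurityConfigurerAdapter-era API (Spring Security 5.x) that the question uses.

```java
// Added example; StaticResourceSecurityConfig is a hypothetical class name.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class StaticResourceSecurityConfig extends WebSecurityConfigurerAdapter {

    // Deliberately no configure(WebSecurity) override here.
    // web.ignoring().antMatchers("/resources/**") takes those requests out of
    // the Spring Security filter chain entirely, and the HeaderWriterFilter
    // that writes the security headers is part of that chain.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Static files stay public but still pass through the chain,
                // so the header writers configured below apply to them.
                .antMatchers("/resources/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .headers()
                // X-Content-Type-Options: nosniff is already one of the
                // defaults; it is listed only to make the intent visible.
                .contentTypeOptions()
                    .and()
                // Strict-Transport-Security: max-age=31536000
                // The default HSTS writer emits this on HTTPS requests only.
                .httpStrictTransportSecurity()
                    .maxAgeInSeconds(31536000)
                    .includeSubDomains(false);
    }
}
```

The default writers also include Cache-Control: no-cache, which Spring Security skips when the response already carries its own Cache-Control, Expires or Pragma header, so set a cache period on the resource handler if these files should be cached.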