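Spring Security changes the request URI

Time: 2018-02-22 16:51:46

Tags: jsp spring-security uri

I am integrating Spring Security into an existing Spring Boot project (version: 1.5.3.RELEASE).

Before the integration, we got our redirect information from the request via getRequestURI, in the preHandle method of a class that extends HandlerInterceptorAdapter.

The request URI pointed correctly to its path (e.g. /admin/login).

After the integration, the request URI points to the full path of the JSP.

In addition, we have registered a ContextUtil class with the ConfigurableApplicationContext for further URI checks. In this class we fetch the request like this: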

public HttpServletRequest getCurrentRequest()
{
    final ServletRequestAttributes servletRequestAttributes =
        (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
    return servletRequestAttributes.getRequest();
}

But there, too, the URI is its "physical path" under /WEB-INF/

E.g.: a GET request points to /WEB-INF/pages/admin/admin_login.jsp

My WebSecurityConfig class is:

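import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        // Accept every request. Spring Security's authorization and
        // authentication are not used.
        http.authorizeRequests().antMatchers("/").permitAll();
    }

    @Override
    public void configure(WebSecurity web) throws Exception
    {
        web.ignoring().antMatchers("/resources/**", "/css/**", "/js/**",
            "/img/**", "resources/*", "/WEB-INF/**").and().debug(true);
    }
}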

The relevant part of applicationContext.xml:

<mvc:default-servlet-handler/>
<mvc:annotation-driven/>
<mvc:resources mapping="/resources/**" location="classpath:/WEB-INF/resources/" />

<mvc:interceptors>
    <bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
        <property name="paramName" value="lang" />
    </bean>
    <bean class="de.abc.xyu.zzz.interceptor.RedirectInterceptor" />
</mvc:interceptors>

<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
    <property name="prefix" value="/WEB-INF/pages/" />
    <property name="suffix" value=".jsp" />
    <property name="redirectHttp10Compatible" value="false" />
</bean>

Spring Security debug log:

Request received for GET '/admin/login':

org.apache.catalina.connector.RequestFacade@70ad489

servletPath:/admin/login
pathInfo:null
headers:
host: localhost:8081
connection: keep-alive
cache-control: max-age=0
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
upgrade-insecure-requests: 1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
referer: http://localhost:8081/admin/login
accept-encoding: gzip, deflate, br
accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
cookie: JSESSIONID=AE07684D485DA698F1AA4DFE056D5B3A; JSESSIONID=0819B947A685FE3362F23E39CE999D3B

Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  CsrfFilter
  LogoutFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]

[http-nio-8081-exec-1] INFO Spring Security Debugger -

Request received for GET '/WEB-INF/pages/admin/admin_login.jsp':

SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.context.HttpSessionSecurityContextRepository$Servlet3SaveToSessionRequestWrapper@2eac9514]

servletPath:/WEB-INF/pages/admin/admin_login.jsp
pathInfo:null
headers:
host: localhost:8081
connection: keep-alive
cache-control: max-age=0
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
upgrade-insecure-requests: 1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
referer: http://localhost:8081/admin/login
accept-encoding: gzip, deflate, br
accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
cookie: JSESSIONID=AE07684D485DA698F1AA4DFE056D5B3A; JSESSIONID=0819B947A685FE3362F23E39CE999D3B

Security filter chain: [] empty (bypassed by security='none')

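Why does the request point to its physical path under /WEB-INF/pages/login.jsp instead of its resolved path, and how can we achieve that we get the "correct" URI?

1 answer:

Answer 0: (score: 1)

In the end this worked for me: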

final ServletRequestAttributes servletRequestAttributes = 
    (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();

System.out.println("REQUEST URI: " +
     servletRequestAttributes.getRequest()
         .getAttribute("javax.servlet.forward.request_uri"));

It gives the real request URI, and not its "physical path" under /WEB-INF/.
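
The answer's lookup in a more general form, as an added example that is not part of the original post: the helper reads the container-set forward, error or async attribute only when the request is in that dispatch, and otherwise falls back to getRequestURI(). The class name OriginalRequestUri and the proxy-based stub request are assumptions for illustration; it needs the javax.servlet API 3.0 or later on the classpath.

```java
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.Map;
import javax.servlet.AsyncContext;
import javax.servlet.DispatcherType;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;

public class OriginalRequestUri { // hypothetical helper, not from the post

    /** Returns the URI the client asked for, also during a forward, error or async dispatch. */
    static String resolve(HttpServletRequest request) {
        String attribute = null;
        switch (request.getDispatcherType()) {
            case FORWARD: attribute = RequestDispatcher.FORWARD_REQUEST_URI; break;
            case ERROR:   attribute = RequestDispatcher.ERROR_REQUEST_URI;   break;
            case ASYNC:   attribute = AsyncContext.ASYNC_REQUEST_URI;        break;
            default:      break; // REQUEST and INCLUDE: getRequestURI() is still the original
        }
        Object original = attribute == null ? null : request.getAttribute(attribute);
        // The attribute can be absent (e.g. a plain async dispatch), so fall back.
        return original instanceof String ? (String) original : request.getRequestURI();
    }

    // Constructed stub that stands in for the container's request object.
    static HttpServletRequest stub(DispatcherType type, String uri, Map<String, Object> attrs) {
        return (HttpServletRequest) Proxy.newProxyInstance(
            HttpServletRequest.class.getClassLoader(),
            new Class<?>[] {HttpServletRequest.class},
            (proxy, method, args) -> {
                switch (method.getName()) {
                    case "getDispatcherType": return type;
                    case "getRequestURI":     return uri;
                    case "getAttribute":      return attrs.get(args[0]);
                    default: throw new UnsupportedOperationException(method.getName());
                }
            });
    }

    public static void main(String[] args) {
        // Constructed sample: the two dispatches shown in the debug log above.
        HttpServletRequest first = stub(DispatcherType.REQUEST, "/admin/login",
            Collections.<String, Object>emptyMap());
        HttpServletRequest forwarded = stub(DispatcherType.FORWARD,
            "/WEB-INF/pages/admin/admin_login.jsp",
            Collections.<String, Object>singletonMap(
                RequestDispatcher.FORWARD_REQUEST_URI, "/admin/login"));
        System.out.println(resolve(first));
        System.out.println(resolve(forwarded));
    }
}
```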